Self Decrypting Archives
Fri Jun 20 16:49:02 2003
Must be nice to have the power to tell vendors to take a hike. Most have
been cooperative. That's good. But a few (usually companies owned by
doctors, btw), don't know, don't want to know, and don't care what the #$()
regulations are, they're going to do it the way they #&@) well please. And
if we lose a few geeks a week to the federal penitentiary, it's not their
problem. (HIPAA's not THAT bad yet, but it is growing teeth SOON)
Unfortunately, the administration that COULD tell the vendors what to do,
WON'T and we, the mere mortals, CAN'T. So we cheat. We send an SDA (or use
David Shaw's technique which isn't TOO bad). It covers our #$&) and keeps
From: Joseph Bruni [mailto:firstname.lastname@example.org]
Sent: Friday, June 20, 2003 1:23 AM
To: Steve Butler
Subject: Re: Self Decrypting Archives
I think it was hospitality which is notoriously full of Luddites. The
vendors (airlines mostly) that I work with also like to generate
separate keys for each partner. I suspect that they just don't grok
what a public key really is. At my company we mandate either (1) SSH2
or (2) OpenPGP. If they don't play, we tell them to take a hike
regardless of the "sensitivity" of the information.
Once an interface has been put into place, it's all too easy for
marketing people to add more and more information until you've crossed
the line into violating the EU Privacy Directive and/or the US Safe
Harbor policy. If the interface is already secure, the marketing people
can have their way with it.
I feel your pain regarding the EOLN conversion. It seems like the
vendors who are using Windows are the least helpful. They always expect
us Unix people to do their EOLN conversion.
On Thursday, June 19, 2003, at 09:41 PM, Steve Butler wrote:
> Not sure what industry Jeff is in. In the health care industry in the
> US we can simply point to the HIPAA regs and tell our vendors that need to
> something compatible with PGP and provide us with their public key.
> Had one vendor that insisted on generating a new public key for us to
> I've always wondered how they kept track of which pass phrase to use
> they had to decrypt.
> Thankfully cooler heads prevail here and I could simply provide them
> the same Public key we provide everybody else.
> But, to the point for Jeff. I'd simply ask them for their public key
> state that you'll send them an encrypted file.
> Since we encrypt on a Linux box, it would be impossible for us to send
> an SDA to those vendors that use Windows (and I know of at least two -- wish
> luck every time we ship a file as they forget about the LF versus CR LF
> -----Original Message-----
> From: John B [mailto:Yochanon@tds.net]
> Sent: Thursday, June 19, 2003 4:50 PM
> To: email@example.com
> Subject: Re: Self Decrypting Archives
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Thursday 19 June 2003 16:07, Jeff Herrin wrote:
>> Nobody is actually clicking on anything. The file creation, the
>> FTP transfers, the decryption is all done automatically by scripts
>> are designed to specifically handle SDAs. I know they have the ability
>> their commercial version of PGP to handle whatever I send them but
>> system is specifically looking to read from an FTP folder and decrypt
>> an SDA.
>> Jeff Herrin
> So tell them how *insecure* it is. It won't take any longer to truly
> a message/whatever than to make the same message/whatever an SDA. Tell
> that if they're worried about being secure, they need to stop the SDA
> and do it right and tell them they need to quit being so lazy. It's
> plain ridiculous to have a paid-for version of PGP on a Windows
> machine, and just use it for SDAs, it's just simply ludicrous.
> - --
> "You will bring ussss.....A SHRUBBERY!"
> These guys looked dangerous...and hungry,
> so to placate them until I found a shrubber,
> I fed them an MSN butterfly. They dined
> quite happily it seemed.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> -----END PGP SIGNATURE-----
> Gnupg-users mailing list
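The EOLN conversion that both Steve and Joseph complain about (LF on the Linux sender, CRLF expected by the Windows-side vendor) has to happen before the file is encrypted, because nothing can be fixed up once the ciphertext is on the FTP server. The usual mistake in a transfer script is a naive conversion that, run a second time or on a file edited on both platforms, turns CRLF into CR CR LF. The script below is an added example and is not code from anyone in the thread; it assumes a POSIX shell with awk, and the CSV sample with mixed line endings is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread.  Normalise a text file's line
# endings before it is encrypted and shipped, so that a Windows-side vendor
# gets CRLF and a Unix-side receiver gets LF.  Both converters are idempotent:
# a line that already has the wanted ending is left alone, so a second pass
# never produces CR CR LF.  Text files only: binary files must not be touched.

# Print how many lines end in a bare LF (no CR before it).  awk's sub()
# returns the number of substitutions, so 0 means the line had no CR.
lf_only_lines() {
    awk '{ if (sub(/\r$/, "") == 0) n++ } END { print n + 0 }' "$1"
}

# Rewrite every line to end in CRLF, whatever it ended in before.
to_crlf() {
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Rewrite every line to end in a bare LF (the receiving side on Unix).
to_lf() {
    awk '{ sub(/\r$/, ""); print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Byte length of a file, without the padding some wc builds print.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Walk a constructed sample through the pipeline and report the counters:
#   bare-LF lines before; bare-LF lines after to_crlf; bytes after to_crlf;
#   bytes after a second to_crlf (must be unchanged); bytes after to_lf;
#   bare-LF lines after to_lf.
demo() {
    dir=$(mktemp -d)
    f="$dir/batch.csv"
    # Constructed sample with mixed endings, as happens when a file has been
    # edited on both platforms: line 1 CRLF, line 2 LF, line 3 CRLF.
    printf 'id,amount\r\n1001,250.00\n1002,75.50\r\n' > "$f"
    before=$(lf_only_lines "$f")
    to_crlf "$f";  after1=$(lf_only_lines "$f"); bytes1=$(size_of "$f")
    to_crlf "$f";  bytes2=$(size_of "$f")
    to_lf "$f";    bytes3=$(size_of "$f");        after3=$(lf_only_lines "$f")
    rm -rf "$dir"
    echo "$before $after1 $bytes1 $bytes2 $bytes3 $after3"
}

demo
```

Run `to_crlf` on the plaintext immediately before the encryption step of the transfer script (and `to_lf` on the receiving side after decryption); `lf_only_lines` is a cheap pre-flight check that the file really is in the form the other side expects before it is encrypted and shipped.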