PGP or GnuPG

Sat Apr 16 09:51:03 CEST 2005

On Thu, 2005-04-14 at 09:49 +0200, Johan wrote:
> Hello,
> 
> I am trying to decide if I should use GnuPG or PGP and I got confused when
> I read point nine in the PGP whitepaper
> "http://download.pgp.com/pdfs/whitepapers/Top10_Why-PGP_050105_FL.pdf". To
> me this say that "easy data recovery" is only a matter of money. Am I
> right or where can I read about how ADK and key reconstruction etc
> actually works.

I'm having a bit of a hard time decyphering your question, but I think I
can answer it to some degree.

Point 9 does NOT mean that another entity (e.g. a business competitor,
system cracker, or government) will be able to decrypt your data if they
have a whole lot of money and you're not using a PGP Corporation
product. In fact, if you use binary programs from an entity like PGP
Corporation instead of open source GPG as part of your security system,
you are MORE vulnerable to this kind of attack.

It would be much easier for a wealthy attacker to pay off or break the
fingers of someone who works for PGP Corporation in order to get a back
door inserted into their software than it would be to do the same with
GPG. The reason is that you can download and examine the source code of
GPG, and then compile this audited code for use in your system.

This is the meaning of point 9 according to my interpretation:

Suppose there's a company called Alice Corporation that has an employee
named Bob. Bob has the only copy of an important document, and it's
encrypted with his key. That means Bob is the only one who can decrypt
this document. Now suppose that Bob loses his key, or refuses to decrypt
the document; this would mean Alice Corporation is in trouble.

One way to guard against this possibility is to keep a backup of Bob's
private key. Then if Bob refuses to decrypt the document or loses his
key, the corporation can still get at it.

The essence of point 9 is that the above is a clumsy solution that
creates a lot of new problems, and that PGP Corporation's software
provides a more refined options for mitigating this risk.

However, you'll notice this passage near the end of point 9:

"PGP Corporation provides solutions that feature patented Additional
Decryption Key (ADK) options [...]"

This should set off alarm bells when you read it for two reasons:

1. When you make the choice to use patented software, you put yourself
in a position to fall victim to vendor lock-in. With sufficient legal
resources, the holder of the patent could prevent other software authors
from creating competing software, thus forcing you to stay with the
original company, even if the costs of staying with that particular
vendor increase and the benefits decrease.

2. When you make the choice to use patented software, especially if you
have to pay for the privilege, you make the statement that you support
software patents. This is bad for everyone.

Now, I should make it plain that I don't know whether or not PGP
Corporation enforces this particular patent to the detriment of the
general public. However, even if it doesn't, it could change its mind in
the future.

Hope some of this helps,

Eric