Corporate use of gnupg

Werner Koch wk at gnupg.org
Tue Feb 19 18:21:36 CET 2008


On Tue, 19 Feb 2008 14:25, rjh at sixdemonbag.org said:

> PGP Corporation has a patent on ADKs.  That's the number one reason
> why the other OpenPGP implementations do not support it.

Frankly, I did not know about this patent until now.

I consider the ADK the wrong solution to a problem which can't be solved
by a tool.

The assumed threat model is that an encrypted mail is received by an
employee and then other employees are not able to read this mail.  In
particular if the original recipient is on vacation or not anymore with
the company.  Or well, he willfully keeps that (company) mail private.
The latter case is actually identical to snail mail: How do you assure
that all mail to a company really reaches the company and not just one
person?  The internal post office opens the envelope, stamps it,
sometimes makes a copy and then distributes it to the actual recipient.
Problem solved.  Also solves the problem of keeping archives of all
business mail (which is a legal requirement in Germany).

You can and need to do the same with email: Either use a central gateway
or create pool keys for the employees.  It is merely an organisational
matter that an employee does not use his private key for business tasks.
And if he does anyway, it is the same as with snail mail: The address on
the envelope is marked "private" and not to be opened by the company.

We won't add ARR (aka ADK) to GnuPG.  It would be more useful to add a
re-encode feature to add another public or symmetric key for decryption.
A mail framework may then use this to enforce a mail policy.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
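The gateway approach and the "add another decryption key" re-encode from the mail above, as an added example that is not part of Werner's message or of GnuPG's own code. Since the gpg command line has no such re-encode command, the gateway does the equivalent by decrypting once and re-encrypting to the employee plus an archive key; it assumes gpg 2.x on PATH, and the key names (pool@example.invalid etc.) and message text are constructed.

```shell
#!/bin/sh
# Added example, not from Werner's mail: one gateway step enforcing the
# policy he describes. Senders encrypt only to the company's pool key; the
# gateway decrypts once and re-encrypts to the employee AND an archive key,
# so the employee reads the mail as usual while the archive stays able to
# decrypt it. Key names are constructed. For a self-contained run every
# secret key lives in one throwaway GNUPGHOME (a real gateway holds only the
# pool secret key and the other parties' public keys).
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Unattended gpg: no pinentry, no passphrases, no trust prompts.
gpg_() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' --trust-model always "$@"; }
gen_key() { gpg_ --quick-gen-key "$1" default default never 2>/dev/null; }

POOL=pool@example.invalid        # the gateway's pool key, published to senders
EMPLOYEE=alice@example.invalid   # the actual recipient inside the company
ARCHIVE=archive@example.invalid  # company archive key (retention requirement)
gen_key "$POOL"; gen_key "$EMPLOYEE"; gen_key "$ARCHIVE"

# Count the public-key-encrypted session key (PKESK) packets, i.e. how many
# keys are able to decrypt the message.
recipients_of() { gpg_ --list-packets "$1" 2>&1 | grep -c '^:pubkey enc packet:'; }

# The gateway step: decrypt with the pool key, re-encrypt to employee + archive.
reencode_for() { # inbound-file employee archive outbound-file
  gpg_ --decrypt "$1" | gpg_ --encrypt -r "$2" -r "$3" --output "$4"
}

# An outside sender encrypts to the pool key only (constructed message body).
INBOUND="$GNUPGHOME/inbound.gpg"; DELIVERED="$GNUPGHOME/delivered.gpg"
printf 'Quarterly figures attached.\n' | gpg_ --encrypt -r "$POOL" --output "$INBOUND"

reencode_for "$INBOUND" "$EMPLOYEE" "$ARCHIVE" "$DELIVERED"

echo "inbound recipients:   $(recipients_of "$INBOUND")"    # 1
echo "delivered recipients: $(recipients_of "$DELIVERED")"  # 2
gpg_ --decrypt "$DELIVERED"
```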
