
GnuPG Celebrates 10 Years

Posted Dec 28, 2007 18:41 UTC (Fri) by raven667 (subscriber, #5198)
In reply to: GnuPG Celebrates 10 Years by jd
Parent article: GnuPG Celebrates 10 Years

Official corporate e-mails would be included in "official electronic documents", in this. How often have we seen e-mails dragged into court, only for there to be arguments over whether they're genuine, complete, or some other such nonsense? Backups of all e-mails only get you so far, if you can't be sure if what is presented is what was stored, or that what was stored was what was written. It would also make it impossible to land up in debates over whether an e-mail was in an official capacity or not. An official signature means an official e-mail. No official signature means it can't be enforced as corporate policy.

Here are some reasons why some companies don't necessarily agree with your assessment.

That would seem to open up the company to all sorts of potential liability with very little benefit. Retaining email for long periods of time can open up your organization to legal fishing expeditions where your IT and legal teams spend their time answering subpoenas and going through old backup tapes rather than doing their actual work. This can be especially onerous for an organization like an ISP, which is storing and processing data on behalf of third parties: you might end up in the middle of a lawsuit that doesn't even involve you.

One of the answers to this problem is aggressive data deletion policies: as soon as the data isn't needed, purge it. It's easy to respond to discovery requests when you can show that you don't have the data in question any more. It is also more secure, in that if your system is compromised the attackers can't make off with customer data you don't have any more.

The other issue is that signing documents can have other implications, especially if you make any claims to non-repudiation. Any offhand comment by an employee to a customer can become legally binding in some locations. Non-repudiation claims are especially a problem because someone could install a trojan on a workstation or simply leave their computer unlocked and unattended allowing others to sign or encrypt messages as them. Poor private key management is also standard practice at most organizations. Problems such as this can be time consuming and expensive to clear up and are just liability for the company.

In the specific case of PGP-style key management, escrow is an issue. In the common use case every user generates their own private key, which is not necessarily shared with the company officers. If an employee moves on to another job, the company may lose access to any emails and documents they've received or encrypted for themselves. Of course this risk exists in any event, since any person can install GPG and digitally shred their system, and the risk can be mitigated if the GPG deployment is thought through and managed properly, but there are additional risks in jumping in without proper forethought of these and other issues.

I hope I'm not too much of a killjoy but I wanted to provide some counterbalancing information as to why this can be difficult or perceived to be difficult at some companies. These are concerns that I've heard when proposing a similar email encryption deployment.

Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds