Monday, April 27, 2015

EU parliament developed package for “PGP-like” and refers to the software … – Netzpolitik.org

Last week we reported that little has happened in the European Parliament in terms of IT security since the beginning of the NSA affair. We are now publishing the entire letter from the Directorate-General for Innovation and Technological Support (DG ITEC), which shows how it tries to point to the “internal encryption methods of Office, 7zip and PDF” instead of PGP. The basis of the letter is a request to install GPG4Win on a computer within the EU Parliament.

In its interim report, DG ITEC had pointed out that the roll-out of PGP- and S/MIME-based encryption and signing could start at once: “The need is there and licenses are available.” In the answer now before us, which was written significantly after the interim report was prepared, that sounds different:

Currently, there is no suitable “out-of-the-box” solution for your request. A package for PGP-like software is currently under development to enable its integration into the default configuration. But we are still waiting for information from the services involved in the technical issues.

Aside from the question of what “PGP-like software” is supposed to be, it is also doubtful how this fits with the previous interim report, which suggested at least a somewhat more advanced state of work.

DG ITEC advises making do in the meantime with the “internal encryption” of Office, 7zip and PDF. For this, however, a password has to be exchanged – verbally. Unfortunately, we can already imagine this happening over unsecured telephone lines.

But in addition to using Office, 7zip and PDF, DG ITEC proposes yet another workaround.



[...] e.g. to install the software on the second partition of the laptop, because this action does not require administrator rights. In practice, there are a few restrictions that make the proposal incompatible with your work in the office.

The operating system on the second partition cannot connect to the internal network of the Parliament. Both methods have their strengths and weaknesses and “their reliability depends on common sense and good behavior.”



English full text

For the time being there is no suitable and standard “out-of-the-box” solution for your request. A package for a PGP-like software is currently in development in order to make possible its integration into the standard configuration, but we are quietly awaiting information from the services involved in this technical issue.

Nowadays, we can only propose workarounds – i.e. installation of the software on the second partition of the laptops, because this action does not require administrator privileges. But it has some constraints in practice making this proposal incompatible with your work at the office, because the operating system on the second partition is not allowed to connect to the internal network of the EP, but it may fit your need for encryption if this need is not systematic.

There are some alternatives; some are available on our system, although they do not follow PGP’s principle of asymmetric cryptography. I can mention the built-in encryption methods in Office, 7zip and PDF. In the case of built-in encryption (and this is true for asymmetric encryption), the transmission of a “key” will be necessary – it can be a password (provided verbally), or certificates (electronic files, usually sent by email or mobile storage devices like USB keys); the password can be transmitted verbally while the certificates (or encryption keys) cannot, because they are too complex.

Both have their strengths and weaknesses and their reliability therefore depends on common sense and good practices.
