Is There a Future for PGP?

← Back to Stories (view on slashdot.org)

Posted by Cliff on Wednesday January 9, 2002 @11:14AM from the deciphering-the-marketingspeak dept.

Thom Dyson asks: "So it looks like McAfee is walking away from PGP. At least that's how I interpret their marketing speak. I've been told PGP doesn't work on XP, does that hold true for the Open Source version as well?"

43 comments

Min score:

Reason:

Sort:

Does anyone even use pgp or gpg? by zcat_NZ · 2002-01-09 11:21 · Score: 4, Insightful

This should probably be a slashdot poll. Everyone agrees that encryption is a good idea and we should all be using it, but do you actually know anyone who does? Have YOU generated a key, had it signed by some trusted friends, and submitted it to a keyserver or put it on your web page? When you send mail, do you first check if the recipient has a public key and encrypt it if they do?
I know I don't.. :)

--
455fe10422ca29c4933f95052b792ab2
1. Re:Does anyone even use pgp or gpg? by anthony_dipierro · 2002-01-09 11:50 · Score: 1
  
  Everyone agrees that encryption is a good idea and we should all be using it, but do you actually know anyone who does?
  
  Sorry about picking nits, but anyone who has ever visited an https site uses encryption. I use encryption every day, to ssh to my server.
  
  I don't use pgp, but that's because it simply isn't easy to use. Across the board use of pgp would pretty much eliminate spam. One day maybe people will see the light.
2. Re:Does anyone even use pgp or gpg? by PD · 2002-01-09 11:55 · Score: 5, Interesting
  
  I agree 100% with you, and I'm thinking specifically of Usenet. I can imagine a Usenet where everyone has a certificate signed by a trusted authority, or signed by someone who was signed by a trusted authority. When a message is posted, the certificate goes along for the ride. Everything must check out before the server accepts the message. If someone spams, their certificate is revoked. If someone is signing spammers certificates consistently, then THEIR certificate is revoked. It would make a HUGE dent in the usability of the Usenet, and unlike Usenet II, it wouldn't require a system of trusted servers. I've thought about this for a while, and I'm very interested in what others think of this scheme.
  
  --
  If tits were wings it'd be flying around.
3. Re:Does anyone even use pgp or gpg? by redcliffe · 2002-01-09 12:21 · Score: 2
  
  I use it, primarily for signing mail. I also use it for communicating passwords and other sensitive information to users of the hosting provider I work at. I think mail programs should automatically use GPG if the public key for a person is available.
4. Re:Does anyone even use pgp or gpg? by redcliffe · 2002-01-09 12:34 · Score: 2
  
  It's quite easy to use with KMail. I just click on the lock icon to encrypt a message, and click on the .asc attachments to import keys. It automatically downloads public keys for people I don't already have the key for.
5. Re:Does anyone even use pgp or gpg? by zcat_NZ · 2002-01-09 12:49 · Score: 1
  
  True; we use https a lot, and SSH all the time (none of our boxes allow a plain telnet connection) What I meant was encrypted mail; almost nobody uses it even though almost everybody agrees that it's a good idea.
  I'll be more specific next time.
  And I agree with your point, I don't send encrypted mail because it's usually too much effort to track down the appropriate public key an so on. If it were as easy and automated as https then I would probably use it a lot more.
  
  --
  455fe10422ca29c4933f95052b792ab2
6. Re:Does anyone even use pgp or gpg? by redcliffe · 2002-01-09 12:59 · Score: 2
  
  It is. At least with KMail/GPG. I write a message to someone, click encrypt then send, it will download the key and encrypt it.
7. Re:Does anyone even use pgp or gpg? by gfilion · 2002-01-09 14:06 · Score: 2, Interesting
  
  I agree 100% with you, and I'm thinking specifically of Usenet. I can imagine a Usenet where everyone has a certificate signed by a trusted authority, or signed by someone who was signed by a trusted authority.
  
  I think that this is a great idea, but I don't see how it would be managed? Would the thrusted authorities sign the certificates for free or for a charge? If they charge something for the signing, the number of people on usenet would drop. And if this is free, how could any kind of verification of the authentity be made?
  
  Also you would loose a lot of Usenet's privacy, since everything is signed by the sender. The evil-corporation/NSA/Ashcroft/MPAA could prove that you send a specific usenet message and beat you with a big stick.
  
  But I agree that it would help a lot in making usenet a bit like it was in the pre-1995 era -- that is, before I discovered usenet... 8)
8. Re:Does anyone even use pgp or gpg? by jeffy124 · 2002-01-09 14:31 · Score: 3, Informative
  
  it simply isn't easy to use
  
  Huh? Since when? I use it, seems quite simple to me. You generate a keypair at install time, secure your private key with a passphrase, and two buttons get added to your mailclient - one for encryption of the message, other for signing.
  
  When you send a signed email, you're asked for that passphrase, and when you receive an encrypted mail you're asked the same -- automagically. Likewise, a digisig is also confirmed at that time too.
  
  Using the key manager, you can see your public key, submit to a keyserver (like pgp.mit.edu) for others to obtain, as well as add your friend's pubkeys to your keyring. And it's very straightforward to do.
  
  --
  The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
9. Re:Does anyone even use pgp or gpg? by PD · 2002-01-09 16:45 · Score: 4, Interesting
  
  The keys would be signed like free software is distributed. You can sell it or not. To get on Usenet for free you'd have to find somebody who would sign a key for you. It's up to the key signer to decide if they trust the person they are signing. After all, if that guy spams, then the key signer could ultimately have his certificate revoked. I see this as a volunteer system. Lots of people currently spend their time tracking down spammers, issuing cancels, etc. So far their success has been incomplete. Much spam is stopped, but much is not. Instead of spending time with cancels and other spam hunting, they would spend time managing the certificate system. That would consist solely of revoking certificates of abusers and optionally the people who sign the keys. There's a subtle thing here: it works both ways. Suppose you go to a shady person to get your key signed. You're posting along happily, and then everything starts getting rejected back to you. What happened? You discover that the person who signed your key also signed a key for 100 spammers, and got his certificate revoked. That makes your certificate invalid. The pressure here would be for the users to find reliable people to sign their keys, as well as for the signers to find reliable non-spammers to sign keys for. So you see, there's no need to verify any actual identity. I could get a certificate made out to my dogs Pepper and Darwin, signed by some other dude named "Anonymous Coward" who ultimately has a certificate signed by the root authority, say Linus Torvalds. You don't need to know the actual identities of the people involved, only that their certificates fit into the chain properly. All the details of trust are properly left to the leaves of the tree.
  
  --
  If tits were wings it'd be flying around.
10. Re:Does anyone even use pgp or gpg? by NutscrapeSucks · 2002-01-09 17:08 · Score: 2
  
  I think that this is a great idea, but I don't see how it would be managed? Would the thrusted authorities sign the certificates for free or for a charge?
  
  Such a system is hardly imaginary. Major browsers and mailers/newsreaders have supported X509 certificates for 5+ years now. Thwate gives out free certs (in your e-mail address only, not your real name), and Verisign charges $20 or so for individuals last I checked.
  
  Problem is the "trusted authority" model (SMIME) is incompatible both techincally and philsophically with the PGP/GPG model (which relys on a 'web of trust' rather than a certificate authority.)
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
11. Re:Does anyone even use pgp or gpg? by mlk · 2002-01-09 17:16 · Score: 1
  
  I have a PGP key (search for "Micheal Lloyd Lee" on the pgp key servers), and a S/Mime thingy.
  
  I only really ever use the S/Mime thingy, and then only ever to sign email[1]. I don't think I ever recived or sent an encripted email.
  
  Mlk
  [1] Don't even use that now, Enduera does not support it.
  
  --
  Wow, I should not post when knackered.
12. Re:Does anyone even use pgp or gpg? by mlk · 2002-01-09 17:21 · Score: 1
  
  you should try S/MIME (assuming your client & server supports it). I find it better then PGP, it uses an attachment instead of big lumps of text at the top and bottom of the msg, and it supported in most major clients.
  
  --
  Wow, I should not post when knackered.
13. Re:Does anyone even use pgp or gpg? by mlk · 2002-01-09 17:29 · Score: 1
  
  Do it the same way it's done now.
  You have big com's selling 'em (VeriSign for example)
  and people giving them away for free.
  thawte.
  Thawte is great, it'll give you a DigitalID/Personal Certificate thing for free, but it comes with the name of "Thawte Free User".
  You then earn "points", and when you have 50 (i think) you can have your name instead of "TFU".
  You get points by going to see other members who have got over 100 points, and then show 'em your ID (passport/drivers lience/etc) and they award up 10 points.
  
  This way you can have an "ignore free members" option aswell, insuring that all posters can be traced, or ignored.
  
  Mike
  
  --
  Wow, I should not post when knackered.
14. Re:Does anyone even use pgp or gpg? by cdupree · 2002-01-09 18:09 · Score: 2, Interesting
  
  On the level of software, I've used PGP frequently but not extensively for a few years now. I often sign, but rarely encrypt, my messages. I sometimes verify software with PGP signatures; if someone sends me a message with a PGP signature, I usually verify it. But these are all partly because I enjoy doing it.
  
  On the level of civil liberties, I think that some rights need to be exercised on general principle. If you read the literature, it's clear the government has intercepted communications by mail, telegraph, and telephone for many decades. All governments, I imagine, have done so. So do we figure it's always happened and always will? Or decide that governments (and corporations as well, of course) are abusing their rights by opening our mail, and prevent them from doing it?
  
  It's not about what I'm saying in my message. It's about whether I have the right to send a message without it being read by Big Brother. Using tools like PGP and GPG makes a statement that may turn out to be important in the near future. If no one is using encryption, the security honchos will argue that only criminals would use encryption, so we can afford to outlaw strong encryption and settle for an updated Clipper chip. Or just stick to the old leather strap 'round the stick trick.
15. Re:Does anyone even use pgp or gpg? by frog51 · 2002-01-09 23:53 · Score: 3, Interesting
  
  Yes - almost all the time for personal email to my family, friends and colleagues. Usually I have nothing secret or exciting to hide, but when I do my traffic will look no different.
  Otherwise anything important will stand out like a sore thumb.
  Oh, and it gives me that warm, fuzzy, "I'm a secret agent" feeling:)
I use PGP every day by Dr.+Bent · 2002-01-09 11:26 · Score: 2, Insightful

I'm working on a software project with a few friends, and whenever we talk about highly sensitive stuff, or send source code, we always PGP encrypt our messages.

Also, if i'm at work and I want to send sensitive material home to work on, I'll usually encrypt it to my own key before I send it.

The fact of the matter is, though, most people don't think what they have to say is worth protecting with encrpytion...and most of the time, they're right.

What we need is completely transparent use of PGP in an e-mail client. The user should never know it's there at all.
McAfee owns pgp? by Anonymous Coward · 2002-01-09 11:29 · Score: 0

McAfee has one of the hardest-to-navigate webpages in existance, of the 5 friggen versions of PGP (Note, this was 1-1.5 years ago), I could never tell which one was 'right for me', and every attempt to navigate or search their hack of a website yielded in a different product!

That alone stopped me & my company from using McAfee's product. We opted for the free pgp + perl scripts instead.

They win the award for 'products most hidden by obfuscation'.
1. Re:McAfee owns pgp? by danielrose · 2002-01-10 05:22 · Score: 1
  
  agreed! there site makes every effort possible to hide the version you are after!
  
  --
  i hate pansy republicans
It does work on Win XP by DiSKiLLeR · 2002-01-09 11:55 · Score: 4, Informative

PGP 7.0.3 for Windows 2000 does run on XP.

Well, kind of. Okay, so it gets very confused with fast user switching (it uses services which i think don't understand the concept of multiple users logged in simultaneously) so apart from the various errors that come up when you log in, yeah, it works. (Come to think of it, if it doesn't understand multiple users it certainly won't run on W2k Adv. Server with terminal services then...)

You can right click on files and do encrypt. pgpkeys and pgptools work fine.

Outlook 2002 (Office XP) plugin support is different. Yeah, it works. But not really well at all. The icons seem corrupt in outlook too. You need to enable an option to auto decrypt mail. Then when you open an email PGP tries to decrypt it automatically. (the reason you must do this is that the decrypt button on the toolbar doesn't work *shrug*). Sending encrypted mail on Outlook 2002 works fine too.

I've been doing this for about a month now, with no ill effect.

So yeah, PGP 7.0.3 works on WinXP. It would be nice if it supported XP properly.

D.

--
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
1. Re:It does work on Win XP by jeffy124 · 2002-01-09 14:36 · Score: 2
  
  Outlook 2002 (Office XP) plugin support is different. Yeah, it works. The icons seem corrupt in outlook too. You need to enable an option to auto decrypt mail. Then when you open an email PGP tries to decrypt it automatically. (the reason you must do this is that the decrypt button on the toolbar doesn't work *shrug*). Sending encrypted mail on Outlook 2002 works fine too.
  
  I can second that. I use that version using Office XP on Win2K. IIRC - if you receive an encrypted mail w/o auto-decrypt on, you can open the mail in it's own window and click the decrypt button from there.
  
  --
  The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Use Free (libre) Crypto by Deagol · 2002-01-09 11:56 · Score: 4, Informative

I ditched PGP once GnuPG came out. Ever since McAfee bought PGP (or Zimmerman sold out, take your pick), I've been weary of the product.
Most hardcore cypherpunks seems to still use PGP 2.6.x! (If USENET sigs/keys are any indication)
In any case, check out pgpi.com for different versions of PGP, many of which are actively developed. Also, search for "Cyber-KnightsTemplar PGP". I only used this version when I was a dedicated Windows user.
Now, I use GnuPG for mail/file crypto, and loopback crypto for filesystems (/pub/linux/kernel/people/hvr at your favorite mirror). I run Windows and Linux under VMWare, using the "undoable" drive type, hosted on a blowfish-encrypted loopback volume, which leaves no physical evidence on my machine of activities in the VM). I also dabble in Ouguess for my stego "needs".
While my practices in paranoia are fun, I don't take them too seriously. However, I like the idea of being able to Ascroft-Proof(tm) my machine if I wish. :-)

--
Method of processing duck feet
1. Re:Use Free (libre) Crypto by Deagol · 2002-01-09 11:59 · Score: 2
  
  Um... that should be Ashcroft-Proof(tm).
  
  --
  Method of processing duck feet
2. Re:Use Free (libre) Crypto by questionlp · 2002-01-09 12:39 · Score: 1
  
  I personally like "Asscruft" or "Asscrust" better :)
  Say goodbye to my karma...
3. Re:Use Free (libre) Crypto by renehollan · 2002-01-09 13:38 · Score: 1
  
  so, when he sends to goons to arrest you, are you "asscuffed"?
  
  --
  You could've hired me.
4. Re:Use Free (libre) Crypto by duffbeer703 · 2002-01-10 03:13 · Score: 2
  
  If you are ever arrested and refuse to provide decryption keys to the feds, you'll be arrested for obstruction of justice.
  
  --
  Conformity is the jailer of freedom and enemy of growth. -JFK
5. Re:Use Free (libre) Crypto by gorillasoft · 2002-01-10 03:44 · Score: 1
  
  IANAL, but you should be protected in the US by the little law against self-incrimination. I plead the fifth, your honor.
6. Re:Use Free (libre) Crypto by Suidae · 2002-01-10 05:00 · Score: 2
  
  nope, by the same logic that applies to things like safes. If you have a safe that they think contains something they can use in a case against you, you can be compelled to produce the key and/or combination, the 5th amendment does not protect you. I forget the reasoning, but if you are curious, someone wrote a pretty good document about it that is available on the web somewhere.
7. Re:Use Free (libre) Crypto by Suidae · 2002-01-10 05:04 · Score: 2
  
  I remember, it was on a page about an encryption product (the name of which I forget) that allows you to encrypt stuff without showing evidence that it is encrypted.
  
  The idea is that you should be able to have a system that encrypts your data, from which you can produce a set of documents, but which can also be hiding other documents which cannot be detectected.
8. Re:Use Free (libre) Crypto by Nelson · 2002-01-10 05:05 · Score: 2
  
  More importantly, and more likely is that they aren't trying to convict you, they are trying to convict someone else and they believe you may have evidence. There is no 5th amendment in that case. You give up the keys or you obstruct justice or are found in contemp and go to jail.
  
  To drive that to the logical conclusion, they try to convict you neighbor and they want all of you correspondance with him, do the saber ratteling routine and make you give up the keys. Then as they go through you computer they don't find evidence of wrong doing so much as they find evidence that you have unpopular views (perhaps you're a racist or a communist or something, not illegal to be but unpopular) and that get's entered in to the public record as well. You're an outcast and your public reputation is ruined and you have no recourse at all.
9. Re:Use Free (libre) Crypto by duffbeer703 · 2002-01-10 07:08 · Score: 2
  
  You are correct in that you cannot be compelled to incriminate yourself.
  
  Unfortunately, you cannot hinder law enforcement with a valid search warrant from searching. Encryption is thought of as a virtual lock or safe, (ie evidence) not as testimony.
  
  --
  Conformity is the jailer of freedom and enemy of growth. -JFK
10. Re:Use Free (libre) Crypto by kbyrd · 2002-01-10 07:52 · Score: 2
  
  the product was rubberhose maybe?
11. Re:Use Free (libre) Crypto by Suidae · 2002-01-11 12:32 · Score: 2
  
  yup, thats the one. cool product, makes me wish I had a good reason to use it.
WinXP compatibility by Thalin · 2002-01-09 13:01 · Score: 2, Interesting

I know one of the guys who writes PGP. Last I talked to him, he was writing the Palm version. I heard today about this thing from his wife, and as far as I know, there are only 8 developers left working on PGP. I dunno if that makes you folks appriciate why it doesn't work on WinXP or not, but I felt like I should stick up for my friend (since he's a mentor and all :P).

--
What? You want a sig?
Standards! It already works. by jmaslak · 2002-01-09 13:55 · Score: 3, Interesting

S/MIME is an Internet Standard. I know that Outlook, Outlook Express, and Netscape Mail all support it. Others probably do, too. I can send a signed message to an Outlook user today and they can respond with an encrypted one. With PGP, that isn't usually possible today.

The other problem with PGP is that it is nearly impossible to securely exchange keys, unless you luck out and trust someone who has signed it (not likely!). You end up having to call them up on the phone and read the fingerprint or trust that your mail was secure (in which case, why are you encrypting?). S/Mime relys mostly on certificates, which although they have many problems, do solve the majority of key distribution problems.
Answers by rjh · 2002-01-09 15:42 · Score: 5, Insightful
- PGP on Windows XP. PGPtray works, PGP for Outlook XP is dodgy, PGPdisk is broken and PGPnet will hork your system. At least, those are the reports on alt.security.pgp.
- NAI is walking away from PGP. This is a Good Thing, believe it or not. Or, at the very least, not a Bad Thing. PGP has always existed in two different components with totally different agendas:
  1. The community's agenda is to enhance individual liberties and ensure electronic privacy.
  2. The corporation's agenda is to turn a profit.
  ... It doesn't take a rocket scientist to see that those two agendas are not exactly in sync with each other.
- 1. The community is alive and well. There are a lot of individuals who are interested (and some who are genuinely obsessed!) with the notion of personal privacy and personal liberties. The GNU Privacy Guard crowd is part of this community--so what if their initials are GPG instead of PGP? So are the remailers, mixmasters and everyone else.
  2. NAI is dying. Due to the fact that I'm a former NAI employee, I'm not going to say more than that--except to recognize that Network Associates has a long history of buying great software companies and failing to capitalize on them. (Check out the San Jose Mercury-News from February 2001 for some brilliant examples.)
- Summary: the community is alive and kicking. GPG keeps getting better and better--at 500k, it's slim enough to fit on a floppy, it supports RFC2440 and RFC2440bis, and has good integration with almost all UNIX mailers. The WinPT and GPGshell programs give friendly Win32 front-ends (but both still need a lot of work).
... Don't panic. Unlike the Monty Python parrot sketch, PGP really is just resting. ;)
Command line not necessary by FunkyRat · 2002-01-09 16:39 · Score: 2

PGP doesn't have to be hard and GPG can be dead easy... not that useing either from the command line is that difficult.

There is PGPTray and on the free software side there is WinPT (Windows Privacy Tray). This is a little system tray application that encrypts and decrypts from the clipboard and supports most of the common command line options.

There is also GPGOE, a GPG plug-in for Outlook Express.
1. Re:Command line not necessary by mlk · 2002-01-09 17:19 · Score: 1
  
  IMO the GNU System trays are normally pants.
  
  However I'll have to look at the plug-in for OE.
  
  The big problem I have with 'em is the fact it sticks a big lump at the top of your email. If it "signed" just as a .sig (i.e. at the bottom of the email) I'd use it much more.
  
  mlk
  
  --
  Wow, I should not post when knackered.
Re:Standards! It already works - NOT! by yabHuj · 2002-01-09 22:42 · Score: 2, Informative

S/MIME seems to be no longer supported in current Netscape (version 6.0 and newer). There were problems transfering signatures/mails between mail programs of different brands (i.e. M$ and Netscape) with S/MIME. PGP / GnuPG is without any problems for any mailprogram when using the tray application.
Re:Standards! It already works - NOT! by Anonymous Coward · 2002-01-10 00:58 · Score: 0

SMIME is in the current Mozilla releases, so expect it to show up in the Netscape builds shortly. There are no plans from either Netcape or McAffee to integrate PGP, although one is free to write the code themselves.

From what I've seen SMIME mail between Netscape and Microsoft clients interoperates fine. What you can't do easily is move certificates between the clients. This puts the burden on the CAs to have 2 different cert install facilities (which the roots do, but your random corporation might not).

When you get into the MS/NS world, SMIME is an order of magnitude nicer for the user than PGP/GPGP because it's integrated directly into your mailer. (For example, signatures are automatically verified and you get a nice icon. Encrypted mail is marked in the Inbox, etc).
GPG and GPGOE work fine on WinXP by Chang · 2002-01-10 02:23 · Score: 2

I use them every day at work mostly in combination with Outlook 2002. Importing keys is a little weird, but it only took me about 2 mins to figure it out. The GUI isn't the pretiest but it functions fine.
No by /dev/trash · 2002-01-10 04:11 · Score: 1

No
Re:Standards! It already works. by danielrose · 2002-01-10 05:26 · Score: 1

How does one get a S/MIME key??

--
i hate pansy republicans