Is There a Future for PGP?

Thom Dyson asks: "So it looks like McAfee is walking away from PGP. At least that's how I interpret their marketing speak. I've been told PGP doesn't work on XP, does that hold true for the Open Source version as well?"

Re:Does anyone even use pgp or gpg?

[PD]

I agree 100% with you, and I'm thinking specifically of Usenet. I can imagine a Usenet where everyone has a certificate signed by a trusted authority, or signed by someone who was signed by a trusted authority.

When a message is posted, the certificate goes along for the ride. Everything must check out before the server accepts the message.

If someone spams, their certificate is revoked. If someone is signing spammers certificates consistently, then THEIR certificate is revoked.

It would make a HUGE dent in the usability of the Usenet, and unlike Usenet II, it wouldn't require a system of trusted servers.

I've thought about this for a while, and I'm very interested in what others think of this scheme.

Standards! It already works.

[jmaslak]

S/MIME is an Internet Standard. I know that Outlook, Outlook Express, and Netscape Mail all support it. Others probably do, too. I can send a signed message to an Outlook user today and they can respond with an encrypted one. With PGP, that isn't usually possible today.

The other problem with PGP is that it is nearly impossible to securely exchange keys, unless you luck out and trust someone who has signed it (not likely!). You end up having to call them up on the phone and read the fingerprint or trust that your mail was secure (in which case, why are you encrypting?). S/Mime relys mostly on certificates, which although they have many problems, do solve the majority of key distribution problems.

Re:Does anyone even use pgp or gpg?

[PD]

The keys would be signed like free software is distributed. You can sell it or not. To get on Usenet for free you'd have to find somebody who would sign a key for you. It's up to the key signer to decide if they trust the person they are signing. After all, if that guy spams, then the key signer could ultimately have his certificate revoked.

I see this as a volunteer system. Lots of people currently spend their time tracking down spammers, issuing cancels, etc. So far their success has been incomplete. Much spam is stopped, but much is not. Instead of spending time with cancels and other spam hunting, they would spend time managing the certificate system. That would consist solely of revoking certificates of abusers and optionally the people who sign the keys.

There's a subtle thing here: it works both ways. Suppose you go to a shady person to get your key signed. You're posting along happily, and then everything starts getting rejected back to you. What happened? You discover that the person who signed your key also signed a key for 100 spammers, and got his certificate revoked. That makes your certificate invalid. The pressure here would be for the users to find reliable people to sign their keys, as well as for the signers to find reliable non-spammers to sign keys for.

So you see, there's no need to verify any actual identity. I could get a certificate made out to my dogs Pepper and Darwin, signed by some other dude named "Anonymous Coward" who ultimately has a certificate signed by the root authority, say Linus Torvalds. You don't need to know the actual identities of the people involved, only that their certificates fit into the chain properly. All the details of trust are properly left to the leaves of the tree.

Re:Does anyone even use pgp or gpg?

[frog51]

Yes - almost all the time for personal email to my family, friends and colleagues. Usually I have nothing secret or exciting to hide, but when I do my traffic will look no different.
Otherwise anything important will stand out like a sore thumb.
Oh, and it gives me that warm, fuzzy, "I'm a secret agent" feeling:)