Slashdot Mirror


Is There a Future for PGP?

Thom Dyson asks: "So it looks like McAfee is walking away from PGP. At least that's how I interpret their marketing speak. I've been told PGP doesn't work on XP, does that hold true for the Open Source version as well?"

9 of 43 comments

  1. Does anyone even use pgp or gpg? by zcat_NZ · · Score: 4, Insightful
    This should probably be a slashdot poll. Everyone agrees that encryption is a good idea and we should all be using it, but do you actually know anyone who does? Have YOU generated a key, had it signed by some trusted friends, and submitted it to a keyserver or put it on your web page? When you send mail, do you first check if the recipient has a public key and encrypt it if they do?

    I know I don't.. :)

    --
    455fe10422ca29c4933f95052b792ab2
    1. Re:Does anyone even use pgp or gpg? by PD · · Score: 5, Interesting

      I agree 100% with you, and I'm thinking specifically of Usenet. I can imagine a Usenet where everyone has a certificate signed by a trusted authority, or signed by someone who was signed by a trusted authority.

      When a message is posted, the certificate goes along for the ride. Everything must check out before the server accepts the message.

      If someone spams, their certificate is revoked. If someone is signing spammers certificates consistently, then THEIR certificate is revoked.

      It would make a HUGE dent in the usability of the Usenet, and unlike Usenet II, it wouldn't require a system of trusted servers.

      I've thought about this for a while, and I'm very interested in what others think of this scheme.

    2. Re:Does anyone even use pgp or gpg? by jeffy124 · · Score: 3, Informative

      it simply isn't easy to use

      Huh? Since when? I use it, seems quite simple to me. You generate a keypair at install time, secure your private key with a passphrase, and two buttons get added to your mail client: one for encryption of the message, the other for signing.

      When you send a signed email, you're asked for that passphrase, and when you receive an encrypted mail you're asked the same -- automagically. Likewise, a digisig is also confirmed at that time too.

      Using the key manager, you can see your public key, submit to a keyserver (like pgp.mit.edu) for others to obtain, as well as add your friend's pubkeys to your keyring. And it's very straightforward to do.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    3. Re:Does anyone even use pgp or gpg? by PD · · Score: 4, Interesting

      The keys would be signed like free software is distributed. You can sell it or not. To get on Usenet for free you'd have to find somebody who would sign a key for you. It's up to the key signer to decide if they trust the person they are signing. After all, if that guy spams, then the key signer could ultimately have his certificate revoked.

      I see this as a volunteer system. Lots of people currently spend their time tracking down spammers, issuing cancels, etc. So far their success has been incomplete. Much spam is stopped, but much is not. Instead of spending time with cancels and other spam hunting, they would spend time managing the certificate system. That would consist solely of revoking certificates of abusers and optionally the people who sign the keys.

      There's a subtle thing here: it works both ways. Suppose you go to a shady person to get your key signed. You're posting along happily, and then everything starts getting rejected back to you. What happened? You discover that the person who signed your key also signed a key for 100 spammers, and got his certificate revoked. That makes your certificate invalid. The pressure here would be for the users to find reliable people to sign their keys, as well as for the signers to find reliable non-spammers to sign keys for.

      So you see, there's no need to verify any actual identity. I could get a certificate made out to my dogs Pepper and Darwin, signed by some other dude named "Anonymous Coward" who ultimately has a certificate signed by the root authority, say Linus Torvalds. You don't need to know the actual identities of the people involved, only that their certificates fit into the chain properly. All the details of trust are properly left to the leaves of the tree.
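The chain-of-signers scheme PD sketches above, as an added example that is not part of the thread: a toy model in Python of the accept/revoke logic only. Certificates carry just a name and the name of their signer; the cryptographic signature check a real OpenPGP client would perform on each certificate is assumed to pass and is not modelled. All names in the scenario are constructed sample data, and "Root Authority" stands in for whatever root the system would pick. Revoking a signer invalidates everyone beneath them, which is the "subtle thing" the post describes.

```python
# Added example (not from the thread): a toy model of the certificate-chain
# posting policy described above. Only the trust and revocation logic is
# modelled; the cryptographic signature check that a real OpenPGP client would
# perform on each certificate is assumed to pass. All names are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Certificate:
    name: str
    signer: Optional[str]      # None only for the root authority
    revoked: bool = False


@dataclass
class CertificateRegistry:
    root: str
    certs: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The root authority is the only certificate with no signer.
        self.certs[self.root] = Certificate(self.root, None)

    def validate(self, name: str) -> tuple:
        """Walk from `name` up to the root. Every hop must exist, be unrevoked
        and chain to the root; returns (ok, reason)."""
        seen = set()
        current = name
        while True:
            cert = self.certs.get(current)
            if cert is None:
                return False, f"no certificate for {current}"
            if cert.revoked:
                return False, f"{current} is revoked"
            if current in seen:
                return False, f"signing loop at {current}"
            seen.add(current)
            if cert.signer is None:
                if current == self.root:
                    return True, "chains to root"
                return False, f"{current} is self-signed and not the root"
            current = cert.signer

    def sign(self, signer: str, subject: str) -> None:
        """`signer` vouches for `subject`; only a currently valid signer may sign."""
        ok, why = self.validate(signer)
        if not ok:
            raise ValueError(f"{signer} cannot sign: {why}")
        self.certs[subject] = Certificate(subject, signer)

    def revoke(self, name: str) -> None:
        self.certs[name].revoked = True

    def accept_post(self, poster: str) -> bool:
        """Server-side check: a post goes through only if the poster's chain is intact."""
        return self.validate(poster)[0]

    def negligent_signers(self, threshold: int) -> list:
        """Signers who vouched for at least `threshold` revoked certificates,
        i.e. the people the post says should lose their own certificate."""
        counts = {}
        for cert in self.certs.values():
            if cert.revoked and cert.signer is not None:
                counts[cert.signer] = counts.get(cert.signer, 0) + 1
        return sorted(s for s, n in counts.items() if n >= threshold)


def demo_scenario() -> CertificateRegistry:
    """Constructed scenario: an honest and a shady signer under one root."""
    reg = CertificateRegistry(root="Root Authority")
    reg.sign("Root Authority", "Anonymous Coward")
    reg.sign("Anonymous Coward", "Pepper and Darwin")   # the dogs from the post
    reg.sign("Root Authority", "Shady Signer")
    for i in range(3):
        reg.sign("Shady Signer", f"spammer{i}")
    reg.sign("Shady Signer", "Honest User")             # unlucky choice of signer
    # Abuse reports come in: the spammers are revoked one by one ...
    for i in range(3):
        reg.revoke(f"spammer{i}")
    # ... and whoever consistently vouched for them is revoked in turn.
    for signer in reg.negligent_signers(threshold=3):
        reg.revoke(signer)
    return reg


if __name__ == "__main__":
    reg = demo_scenario()
    for who in ("Pepper and Darwin", "Honest User", "spammer0", "Nobody"):
        print(f"{who:18} -> {reg.validate(who)}")
```

Running it shows the two-sided pressure the post talks about: "Pepper and Darwin" still posts, while "Honest User", whose only fault was picking "Shady Signer", is rejected with the reason "Shady Signer is revoked" and has to find a more careful signer.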

    4. Re:Does anyone even use pgp or gpg? by frog51 · · Score: 3, Interesting

      Yes - almost all the time for personal email to my family, friends and colleagues. Usually I have nothing secret or exciting to hide, but when I do my traffic will look no different.
      Otherwise anything important will stand out like a sore thumb.
      Oh, and it gives me that warm, fuzzy, "I'm a secret agent" feeling:)

  2. It does work on Win XP by DiSKiLLeR · · Score: 4, Informative

    PGP 7.0.3 for Windows 2000 does run on XP.

    Well, kind of. Okay, so it gets very confused with fast user switching (it uses services which I think don't understand the concept of multiple users logged in simultaneously) so apart from the various errors that come up when you log in, yeah, it works. (Come to think of it, if it doesn't understand multiple users it certainly won't run on W2k Adv. Server with terminal services then...)

    You can right click on files and do encrypt. pgpkeys and pgptools work fine.

    Outlook 2002 (Office XP) plugin support is different. Yeah, it works. But not really well at all. The icons seem corrupt in Outlook too. You need to enable an option to auto-decrypt mail. Then when you open an email PGP tries to decrypt it automatically. (The reason you must do this is that the decrypt button on the toolbar doesn't work. *shrug*) Sending encrypted mail on Outlook 2002 works fine too.

    I've been doing this for about a month now, with no ill effect.

    So yeah, PGP 7.0.3 works on WinXP. It would be nice if it supported XP properly.

    D.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
  3. Use Free (libre) Crypto by Deagol · · Score: 4, Informative
    I ditched PGP once GnuPG came out. Ever since McAfee bought PGP (or Zimmermann sold out, take your pick), I've been wary of the product.

    Most hardcore cypherpunks seem to still use PGP 2.6.x! (If USENET sigs/keys are any indication)

    In any case, check out pgpi.com for different versions of PGP, many of which are actively developed. Also, search for "Cyber-KnightsTemplar PGP". I only used this version when I was a dedicated Windows user.

    Now, I use GnuPG for mail/file crypto, and loopback crypto for filesystems (/pub/linux/kernel/people/hvr at your favorite mirror). I run Windows and Linux under VMware, using the "undoable" drive type, hosted on a blowfish-encrypted loopback volume (which leaves no physical evidence on my machine of activities in the VM). I also dabble in OutGuess for my stego "needs".

    While my practices in paranoia are fun, I don't take them too seriously. However, I like the idea of being able to Ashcroft-Proof(tm) my machine if I wish. :-)

  4. Standards! It already works. by jmaslak · · Score: 3, Interesting

    S/MIME is an Internet Standard. I know that Outlook, Outlook Express, and Netscape Mail all support it. Others probably do, too. I can send a signed message to an Outlook user today and they can respond with an encrypted one. With PGP, that isn't usually possible today.

    The other problem with PGP is that it is nearly impossible to securely exchange keys, unless you luck out and trust someone who has signed it (not likely!). You end up having to call them up on the phone and read the fingerprint or trust that your mail was secure (in which case, why are you encrypting?). S/MIME relies mostly on certificates, which although they have many problems, do solve the majority of key distribution problems.
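The "read the fingerprint over the phone" step from the post above, as an added example that is not part of the thread: Python code that computes an OpenPGP version 4 fingerprint the way RFC 2440 defines it (SHA-1 over the octet 0x99, a two-octet packet length, and the public-key packet body), derives the 64-bit key ID from it, and compares the local value against whatever the correspondent read out, tolerating the spacing, colons and case people use when dictating. The RSA key packet it hashes is a constructed toy with a 64-bit modulus so the example runs offline; the creation time and modulus are made-up sample values, not from any real key.

```python
# Added example (not from the thread): computing an OpenPGP v4 key fingerprint
# as RFC 2440 defines it (SHA-1 over 0x99, a two-octet packet length, and the
# public-key packet body) and comparing it against the string a correspondent
# reads out over the phone. The key packet below is a constructed toy RSA key
# with an absurdly small modulus, used only so the example runs offline.
import hashlib
import hmac
import re


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer: a 2-octet bit
    count followed by the big-endian magnitude."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")


def rsa_v4_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for an RSA key (algorithm id 1)."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 2440 section 11.2: SHA-1 of 0x99 || 2-octet length || packet body,
    returned as 40 upper-case hex digits."""
    hashed = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(hashed).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """A v4 key ID is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def for_reading_aloud(fingerprint: str) -> str:
    """Group into blocks of four hex digits, the way PGP prints fingerprints."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def fingerprint_matches(computed: str, spoken: str) -> bool:
    """Compare a locally computed fingerprint with one obtained out of band.
    Whitespace, colons and case are ignored; a value that is not a full
    40-digit fingerprint never matches, and the comparison is constant-time."""
    def norm(s: str) -> bytes:
        return re.sub(r"[\s:]", "", s).upper().encode("ascii", "replace")
    a, b = norm(computed), norm(spoken)
    return len(a) == 40 and hmac.compare_digest(a, b)


def demo_key_body() -> bytes:
    """Constructed toy key: 64-bit modulus, e = 65537, created 2002-03-01 UTC."""
    return rsa_v4_key_body(created=1014940800, n=0xC2F16E5B9D03A8F7, e=65537)


if __name__ == "__main__":
    fp = v4_fingerprint(demo_key_body())
    print("fingerprint:", for_reading_aloud(fp))
    print("key id:     ", key_id(fp))
    # The correspondent reads the same digits back, lower-case and spaced.
    print("match:", fingerprint_matches(fp, for_reading_aloud(fp).lower()))
```

The point of the constant-time comparison and the strict 40-digit length check is that the phone call is the only thing binding the key to the person; a comparison that accepted a prefix, or an operator who only checks the first few groups, gives up exactly the guarantee the call was meant to provide.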

  5. Answers by rjh · · Score: 5, Insightful
    • PGP on Windows XP. PGPtray works, PGP for Outlook XP is dodgy, PGPdisk is broken and PGPnet will hork your system. At least, those are the reports on alt.security.pgp.
    • NAI is walking away from PGP. This is a Good Thing, believe it or not. Or, at the very least, not a Bad Thing. PGP has always existed in two different components with totally different agendas:
      1. The community's agenda is to enhance individual liberties and ensure electronic privacy.
      2. The corporation's agenda is to turn a profit.

      ... It doesn't take a rocket scientist to see that those two agendas are not exactly in sync with each other.

      1. The community is alive and well. There are a lot of individuals who are interested in (and some who are genuinely obsessed with!) the notion of personal privacy and personal liberties. The GNU Privacy Guard crowd is part of this community--so what if their initials are GPG instead of PGP? So are the remailers, mixmasters and everyone else.
      2. NAI is dying. Due to the fact that I'm a former NAI employee, I'm not going to say more than that--except to recognize that Network Associates has a long history of buying great software companies and failing to capitalize on them. (Check out the San Jose Mercury-News from February 2001 for some brilliant examples.)
    • Summary: the community is alive and kicking. GPG keeps getting better and better--at 500k, it's slim enough to fit on a floppy, it supports RFC2440 and RFC2440bis, and has good integration with almost all UNIX mailers. The WinPT and GPGshell programs give friendly Win32 front-ends (but both still need a lot of work).
    ... Don't panic. Unlike the Monty Python parrot sketch, PGP really is just resting. ;)