How to Save PGP
Tomcat666 sends in: "The Register got some excerpts from an interview with Phil Zimmerman. He talks about how it might be possible to save PGP (Network Associates couldn't sell it, and will stop its development), OpenPGP and the future (industry-backed OpenPGP?)." A follow-up to our story yesterday about Network Associates mothballing PGP.
This isn't the end of PGP. OpenPGP is always going to be around. (or almost always - it's open, but everyone could decide to trash it if they like)
This is the end of commercial PGP. This isn't a good thing for PGP to be used in commercial settings. Also this is the end of the PGPDesktop which was the only thing close to an option for (l)users.
Hopefully NSI will release the code in a manner that will allow a smaller company to add value and repackage it to large corporations.
$sig=$1 if($brain =~
/. gets about what, a million unique hits? NAI put 36 million into PGP, and since they're not finding a buyer, we can assume they'd be willing to take somewhat less for it.. let's say 25 million. If /. changes its subscription PayPal account instead to be a funding house to purchase PGP, each user could donate 25 dollars, and we'd have a co-op that now owns PGP. This co-op could then market it as an inexpensive payware product, available for download complete with source code for a $5 license fee. This rids the need for /. subscriptions by generating income, opens the most current version of source code up for review, and allows independent programmers to modify this source code to continually improve the product.
A win win situation! 8-)
IANAL. This is tongue in cheek. I hate having to explain myself...
How about Amnesty International who uses PGP to keep their researchers who are in dangerous parts of the world, and the people who inform them safe from governments who would think nothing of searching their laptops? PGP has saved lives of good people who without it wouldn't have access to encryption secure enough to trust their lives with.
Think about that, how many computer programs would you trust your life with?
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
That's not the real problem. PGP doesn't create terrorists, and we all know that encrypted mail/files aren't the only way to pass secret information. I believe we should all care about crypto. Like Phil Zimmerman says roughly: E-Mails are like postcards, PGP is just a tool to get your mail messages into an envelope. Privacy is the real issue about tools like PGP; if you are willing to let it go, governments, industries and people will sooner or later abuse your rights. You're not free when you are always looked upon.
Colosse.
In the article Phil focuses on easy-to-use GUI interfaces for less technically adept end users as the major feature that the OpenPGP/GPG projects need to focus on. This is the main advantage that the commercial version provided, and the main thing lacking in all the other alternatives.
He clearly states that the PGP protocol is in no danger whatsoever, and will continue to remain widely implemented.
Having spent many hours deciphering gpg command lines to use PGP to its full potential makes you realize how useful a simple, easy-to-use GUI interface to PGP would be. (Implicit in this task is integration with other applications; however, you can find plugin support for almost anything that you wish to use PGP in.)
The commercial PGP is only one implementation of the open PGP standard. Even up to 6.5.8, full source code was available from Network Associates.
Plus, there is GPG, PGPi, and other freeware implementations of the standard (under the umbrella of OpenPGP.org).
I don't see why "PGP" as a whole is going down.
It's like saying if Microsoft or Netscape decided to stop releasing browsers, then the entire WWW is doomed, when there's still Konqueror, Opera, Mozilla, and the whole W3C standards body, etc...
There's 10 types of people in this world, those who understand binary and those who don't.
- Slick interface
- Good sponsor
- Open source
Since a slick interface would mean development and the current development is in limbo (with two shippable interfaces in stock!!) I really don't think that's an option. Second option is a sponsor, but since nobody is willing to buy PGP, I don't really think sponsorship will be attractive to sponsors. Leaves only one option. I was doing my taxes today (oh joy) and marked the box that mentioned something like $3 to the Presidential election campaign fund. Perhaps we could have a few donation check boxes to buy lucrative abandonware into the open source world.
Then again, sometimes it might be good to just start some projects completely over. Remember Netscape?
GnuPG. Because only the technically oriented deserve privacy.
I'm a conscientious
If he would have put it under the GPL from the beginning we would not be seeing this. He would be like the Linus of crypto, but he was so determined to control the things he shouldn't be controlling that he lost control over the things he should be.
One app that is going a long way to making PGP slightly easier is Evolution. It has the best PGP solution I've seen yet for email. Easy and simple to use; even Joe Barr agrees.
But, the problem is you still must maintain your GnuPG bits manually on the command line. That was the beauty of NA's program. It had a slick GUI. Of course, in the end it didn't take me very long to pick up how to use gpg via the command line, but for the general populace it's still a barrier.
Fortran programmer...oh yeah. Array math for life!
specifically what does it add over GPG?
Usability? GUI?
I can't say that I don't give a fuck. I've just run out of fuck to give.
Because as we know, we should look to the closed source community (Microsoft, what?) for all our security needs. At least open source doesn't try to deal with security problems by denying they exist.
It didn't even take 10 minutes... Can someone tell me what PGP being open/closed source has to do with Microsoft? Last I checked NAI was the vendor of the product, and it was CLOSED source. From what I've heard this is an excellent product, and it's a shame to lose, no matter what platform you run. Just because something is Open Source doesn't mean it's better. Do you think that the majority of the best coders do work for free, or for profit? And despite what you may think, some of the most talented people in this industry work at Microsoft (and NAI for that matter)... As for public vs. non-public disclosure of security issues, I'm sure that MS has plenty of reasons for NOT releasing their vulnerabilities. They have to take things into consideration that the Open Source community does not. With all the MS haters out there, as SOON as a vulnerability is announced, there are tens of thousands of script kiddies in their basements trying to wreak havoc on the Internet. Should there be vulnerabilities? No, but it's a fact of ANY software development. It doesn't mean there aren't a thousand people at MS slaving away trying to make their products better. Have a little more respect and appreciation for the scale of the systems we are even able to create nowadays. Damn zealots.
What about the possibility of PGP technology being a part of the next major upgrade of open internet protocols (i.e., POP, SMTP, etc.)
:)
It seems to me that possibly losing out on the client-side 'niceness' that a commercial PGP implementation provides could be a non-issue if the next round of standards includes support for providing PGP mechanisms as part of their protocols (not that you'd HAVE to use PGP, but that PGP would be somewhere in the protocol if you wanted to use it.)
That would reduce the need to depend on the never-surefire client market penetration in order to see widespread and long-term usage of PGP as a means of protecting one's privacy.
I've always felt open protocols make the best vehicles for propagating public-interest technology. That way, you don't need [Mailclient] + [PGP integrated client] but [Mailclient that supports Next Gen Protocol X] where one of X's functionality sets uses a private/public key encryption scheme. Not sure what the likelihood of that happening is, though, both from the perspective of when we'll outgrow the current crop of protocols, whether the new crop will be open enough to get public interests into the design phase, and whether the creators of said protocol would even think it would be a good idea to include a PGP layer in the protocol.
"Old man yells at systemd"
GPGME is a project to do this. From the website: "It provides a High-Level Crypto API for encryption, decryption, signing, signature verification and key management."
It's a work in progress. It's usable, but of course, there is the standard disclaimer. Compiles fine on most Linux distributions. It needed a small amount of help to compile on Mac OS X. Not sure about any other OSes.
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
> And what's scandalous is that NAI has OS X and XP-ready versions, but won't ship them.
We need some laws that force work into the public domain if it won't be exploited for the private domain. I'm sick of companies keeping what will go into the dustbin. This is another example of how too much private interest can /create/ inefficiency in a market rather than reduce it.
Of course, I respect that the work in question would probably have to pass some criterion whereby its release into the public domain would not cause significant damage to the company in question (if the company is to live on), but surely we can't believe that scenarios like this outweigh the benefits of laws forcing companies to push work they lose interest/money in back into the public domain?
"Old man yells at systemd"
To see what RMS actually thinks about this subject see http://www.gnu.org/philosophy/selling.html
From that page:
Then again, when has an AC let reality interfere with the contents of his posts?
-Peter
Actually just prime factoring goes out the door with quantum computers; elliptic curves and other methods are resilient to attack by quantum computers.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
It's true that currently GPG's user interface is terrible for beginning users if they have to use it directly. So, clearly, you want to use programs that embed GPG (like Evolution). Also, note that the German government is funding further development of GPG. They specifically say that their funding will be used to make GPG more usable by less experienced users, including porting the software to other operating systems, developing graphical user interfaces (GUI) and writing a handbook.
Thus, this sounds like a short-term problem at worst.
- David A. Wheeler (see my Secure Programming HOWTO)
The Windows version of PGP was pretty nice and actually hooked in with MS Exchange and other software. No, I never actually used it; I specified that communications between my group and a shop we were contracting out to be encrypted with PGP. I used GPG with Linux and they went with the happy Windows user interface. Most managers and probably the majority of developers will want to use the Windows version if forced to use the encryption software (by some asshole like me pointing out that transmitting the source code in the clear is a violation of corporate security policies ;-)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Encryption (S/MIME) in Netscape and Outlook is its own worst enemy, because of the requirement to submit your personal information to a "trusted" third party (i.e., a corporation - who many of those smart enough to know that encryption isn't a good idea won't trust at all) and then rely on the same "trusted" party to verify that everyone else in the world is who they say they are.
There's nothing wrong with S/MIME as a message format, but the implementations fall far short of what (as I understand it) PGP does: allowing you to generate your key without anyone having to verify it, and then YOU choose to ask specific people to verify it too. If you try to do this with any S/MIME client that I know of, it will claim that the certificate is untrustworthy because Friendly Trusted Company, Inc hasn't signed for it. PGP will try to find a way through the "web of trust" via a chain of people who all trust each other, from you to the person in question.
If someone were to integrate the S/MIME message format with PGP-style keysigning and webs of trust, and persuade the email clients to stop insisting that only TrustedCompany signed keys are trustworthy, I suspect that encryption would be a lot more widely used...
Stuart.
You don't have to be a corporation to sign keys. In fact there is a certificate signer distributed with every copy of Microsoft Office and Windows XP. Code to create X.509 certs is available as freeware in many open source distributions.
If you try to do this with any S/MIME client that I know of, it will claim that the certificate is untrustworthy because Friendly Trusted Company, Inc hasn't signed for it.
You can select the certificate and say 'trust this certificate' explicitly in all the popular implementations.
If you don't like the way the S/MIME cert handling is done it is easy enough to do it any way you choose.
Another scheme would be to set up an XKMS interface to a PGP web of trust and then drop an XKMS client into the CAPI or cryptoAPI layer of your favorite email client. Then you can configure any trust semantics you like in your Web O' trust service. No different in principle from using the BaL keyserver at MIT but a lot more powerful.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
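The two trust models argued over in Stuart's post and the reply (a certificate that must chain to a CA or be explicitly marked "trust this certificate", versus a PGP key made valid by a chain of introducers in the web of trust) are easy to compare in code. The following is an added example, not code from the thread or from any PGP or S/MIME implementation; the keys, signatures, issuers and trust settings are constructed sample data, and the web-of-trust rules are a simplified model of GnuPG's classic settings (one fully trusted introducer or three marginally trusted ones, within a maximum certification depth).

```python
"""Hierarchical (X.509 / S/MIME) trust versus the OpenPGP web of trust.

Added example with constructed sample data; the web-of-trust rules are a
simplified version of GnuPG's classic model: a key is valid if it is certified
by one valid, fully trusted key or by three valid, marginally trusted keys,
and certification chains are bounded in depth.
"""
from collections import deque

# ---- hierarchical model: validity means a chain up to a trust anchor -------

def x509_chain_valid(cert, issuer_of, trust_anchors, explicit_trust=frozenset(),
                     max_depth=5):
    """True if `cert` chains up to a trust anchor, or the user explicitly
    trusted it (the 'trust this certificate' button).  `issuer_of` maps a
    certificate name to its issuer; self-signed certificates map to themselves."""
    current = cert
    for _ in range(max_depth + 1):
        if current in explicit_trust or current in trust_anchors:
            return True
        issuer = issuer_of.get(current)
        if issuer is None or issuer == current:
            return False      # unknown issuer, or an untrusted self-signed root
        current = issuer
    return False              # chain longer than max_depth

# ---- web of trust: validity comes from signatures by trusted introducers ----

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

def wot_validity(signatures, ownertrust, me, completes_needed=1,
                 marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that `me` should consider valid.

    signatures: key -> set of keys that certified it
    ownertrust: key -> how much `me` trusts that key's owner as an introducer
    Only keys that are already valid contribute their owner trust, and the
    certification depth is bounded, so trust does not leak indefinitely.
    """
    valid = {me: 0}
    changed = True
    while changed:                      # iterate until no new key becomes valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid and valid[s] < max_cert_depth]
            full = [s for s in usable if ownertrust.get(s) in (ULTIMATE, FULL)]
            marg = [s for s in usable if ownertrust.get(s) == MARGINAL]
            if len(full) >= completes_needed or len(marg) >= marginals_needed:
                valid[key] = min(valid[s] for s in full + marg) + 1
                changed = True
    return valid

def trust_path(signatures, valid, me, target):
    """Breadth-first search backwards from `target` through valid signers
    until `me` is reached; returns the chain [me, ..., target] or None."""
    if target not in valid:
        return None
    queue, parent = deque([target]), {target: None}
    while queue:
        key = queue.popleft()
        if key == me:
            path = []
            while key is not None:      # walk back towards the target
                path.append(key)
                key = parent[key]
            return path
        for signer in sorted(signatures.get(key, ())):
            if signer in valid and signer not in parent:
                parent[signer] = key
                queue.append(signer)
    return None

# ---- constructed sample data ------------------------------------------------

ME = "alice"
SIGNATURES = {                          # who certified whose key (constructed)
    "bob":   {"alice"},
    "carol": {"alice"}, "dave": {"alice"}, "erin": {"alice"},
    "frank": {"carol", "dave", "erin"},  # three marginal introducers: valid
    "grace": {"carol"},                  # one marginal introducer: not enough
    "heidi": {"bob"},                    # one full introducer: valid
    "ivan":  {"heidi"},                  # heidi is valid but not an introducer
}
OWNERTRUST = {"alice": ULTIMATE, "bob": FULL,
              "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}

ISSUER_OF = {                           # constructed X.509 hierarchy
    "Example Root CA": "Example Root CA",
    "Example Issuing CA": "Example Root CA",
    "bob@example.com": "Example Issuing CA",
    "carol-self-signed": "carol-self-signed",
}
TRUST_ANCHORS = {"Example Root CA"}

if __name__ == "__main__":
    valid = wot_validity(SIGNATURES, OWNERTRUST, ME)
    for key in ("frank", "grace", "heidi", "ivan"):
        print(f"{key:6} valid={key in valid!s:5} path={trust_path(SIGNATURES, valid, ME, key)}")
    print("bob@example.com chains to root:",
          x509_chain_valid("bob@example.com", ISSUER_OF, TRUST_ANCHORS))
    print("carol-self-signed, no explicit trust:",
          x509_chain_valid("carol-self-signed", ISSUER_OF, TRUST_ANCHORS))
    print("carol-self-signed, explicitly trusted:",
          x509_chain_valid("carol-self-signed", ISSUER_OF, TRUST_ANCHORS,
                           explicit_trust={"carol-self-signed"}))
```

Running it shows the asymmetry both posts describe: Carol's self-signed certificate is rejected by the hierarchical check until the user explicitly trusts it, while in the web of trust Frank's key becomes valid through three marginal introducers without any CA being involved, and Ivan's key stays invalid even though his only signer, Heidi, is herself valid, because owner trust is assigned by the user and is never inherited.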