Slashdot Mirror


Can GnuPG Deliver?

jso888 writes "After Network Associates decided to halt further development of PGP, I'm sure that many users like myself who use non-CLI platforms most of the time wondered "what next?" (PGP Freeware is not an option, since it's tied into the Network Associates product). Salon today has a nice article on GnuPG, the Open PGP/GNU alternative. The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS, especially important capabilities like personal encryption. One of the nice things about NAI PGP was its ease of use and commercial polish. It was easy to install and use, and integrated nicely with Windows software like Eudora and ICQ. GnuPG, admittedly, isn't quite there yet, the article concludes. That's too bad; given the privacy-hostile world we live in, the last thing we need is another barrier to widespread cryptography adoption."

16 of 286 comments

  1. secrets and PGP by 56ker · · Score: 3, Interesting

    How many of us actually have secrets to hide that we go to the bother of encrypting them with PGP any more though? I have only ever sent a few PGP e-mails before I figured it was too fiddly and time consuming to bother with.

    1. Re:secrets and PGP by tzanger · · Score: 3, Interesting

      And I don't understand the concept of PGP Sigs either. How does that prove anything? What's to prevent me from smacking a PGP Sig on my email? Does anybody verify those?

      I use KMail; it has very nice GnuPG integration, the only missing feature is for *it* to go through and encrypt my attachments instead of making me do it. At any rate, any email with a PGP sig is automatically checked and since I have the colour bar enabled, signed messages with keys I trust (and that pass) are in a green border. Good sigs with keys I don't know/trust are in a yellow border and bad sigs are in a red border. Very eye-catching and very nice.

      I generally sign messages (not encrypt) if I want to give the person on the other end a way of verifying that what I sent didn't get altered. I encrypt when I don't want anyone else reading it. It's perhaps a subtle difference, but I use it quite often.
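The green/yellow/red scheme tzanger describes, as an added example that is not KMail's code or anything posted in this thread: a small Python classifier over GnuPG `--status-fd` output. The status keywords are GnuPG's real ones, but the sample lines are constructed with placeholder key ids, and the colour mapping follows the comment rather than KMail's actual logic; an extra "grey" state is added for signatures that cannot be checked because the key is missing.

```python
# Map GnuPG --status-fd lines to the border colours described in the comment.
STATUS_PREFIX = "[GNUPG:] "

# Real GnuPG status keywords; the arguments that follow them vary by version.
SIG_RESULT_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_status(lines):
    """Return (signature keyword, key id, trust keyword) found in status lines."""
    sig, key_id, trust = None, None, None
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue                      # ordinary output, not a status line
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in SIG_RESULT_KEYWORDS:
            sig = keyword
            key_id = fields[1] if len(fields) > 1 else None
        elif keyword.startswith("TRUST_"):
            trust = keyword               # validity of the signing key in our web of trust
    return sig, key_id, trust


def classify(lines):
    """green: good sig + trusted key; yellow: good sig, key unknown/untrusted;
    red: bad/expired/revoked sig; grey: key missing; none: unsigned."""
    sig, _key_id, trust = parse_status(lines)
    if sig is None:
        return "none"
    if sig == "ERRSIG":
        return "grey"                     # cannot verify at all (e.g. no public key)
    if sig != "GOODSIG":
        return "red"                      # signature failed, or key expired/revoked
    if trust in TRUSTED_LEVELS:
        return "green"
    return "yellow"                       # valid signature, but nobody vouches for the key


# Constructed sample status output; key ids are placeholders, not real keys.
GOOD_TRUSTED = ["[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>",
                "[GNUPG:] TRUST_FULLY 0 pgp"]
GOOD_UNKNOWN = ["[GNUPG:] GOODSIG FEDCBA9876543210 Stranger <x@example.net>",
                "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
BAD_SIG = ["[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>"]
NO_KEY = ["[GNUPG:] ERRSIG 1111222233334444 1 8 00 1000000000 9"]
```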

  2. Something to work on. by ilcylic · · Score: 3, Interesting

    The advantage, of course, is that if someone decides it's important to make GPG pretty, it will get done.

    Interfacing isn't that hard. What sort of "easy to use" features would be desired in a personal encryption suite?

    A graphic display? PerlTK can do that. Simple means to keep track of new keys? I don't know what features would be wanted here. Let's figure it out and write it. Open Source is all about fixing problems you perceive.

    -il cylic

  3. PGP Value? by Anonymous Coward · · Score: 1, Interesting

    So, if PGP is valuable, and the company doesn't want it.... how big a tax deduction could they get from donating it to GNU?

  4. Get PGP encryption into Mozilla by augustz · · Score: 5, Interesting

    If you have a bugzilla account, head on over to
    http://bugzilla.mozilla.org/show_bug.cgi?id=22687 and vote for what is probably the single most popular bug there is. They need a framework which allows folks to plug in something like GPG at will. Plenty of work went into trying to get somewhere without any luck.

  5. GnuPG is lame; it should be a library by Anonymous Coward · · Score: 1, Interesting

    I'm glad that Werner has put in all this work, but he doesn't actually understand security design. He is under the brain-dead notion that if gpg were a library that could be linked in to other programs, it would somehow be less secure. This is obviously not the case, but it is creating a huge barrier to gpg usage. We should be able to link that program in to mail readers, web browsers, databases, all kinds of things, but none of that is possible to do easily because it needs to run as a separate program. Anyway, I hope it gets more support now, and I hope someone who knows a bit more about security takes up the challenge.

  6. Re:what have YOU got to hide ? by einhverfr · · Score: 4, Interesting

    What do I regularly encrypt?

    1: Financial information (bank acct transactions, credit card accounts, tax information, etc).

    2: Information I need to get past the casual check (such as viruses I am analyzing for possible harm) so that my AV software or mailer won't balk at it.

    3: Confidential business information.

    Here is another application of Asymmetric Encryption: Digital Signatures (basically encryption in reverse). I digitally sign all:

    1: Confidential business information (also encrypted).
    2: Security-related emails to people who depend on my security skills (and need to be able to trust that the email really came from me-- social engineering IS a real threat).

    I also sign emails that contain attachments so that the reader knows that I knowingly sent them.

    OK. So is this enough of a reason why Citizen Joe would need good strong public key encryption? (Note that symmetric encryption like 3DES will NOT provide for digital signatures.)

    --

    LedgerSMB: Open source Accounting/ERP

  7. Re:Why is PGP Freeware not an option? by Anonymous Coward · · Score: 1, Interesting

    Because it's not maintained, so if a bug is found in it, NAI is the only one who can fix it (and they probably won't).

    Isn't closed source security software fun?

  8. GPG has delivered for me by kraf · · Score: 3, Interesting

    I use it to encrypt/decrypt files I don't want others to read.
    And it's quite easy: gpg -c and -d.

  9. Re:Why is PGP Freeware not an option? by pkplex · · Score: 3, Interesting

    Surely there must be more reasoning behind the "(PGP Freeware is not an option, since it's tied into the Network Associates product)." quote.

    I have actually just installed PGP 7 Freeware on my NT4/Win2000 box, and was a bit worried when I saw that quote. I want PGP 7 Freeware to be secure. Is it not so?

    Can somebody please explain ?

  10. Geeks & Interfaces by maggard · · Score: 5, Interesting

    NAI PGP for Windows was a good program?! Show me one average person who ever felt it was a slam-dunk. You know, not the ones who read /. but those that had to install it for some reason, were given this fool thing and a sheet of local instructions and told "install this" and weren't found trembling under their desk 3 days later with a pooched PC.

    Ech.

    Some great concepts but still a cranky idiosyncratic bastard of a program. Trivial to use? Sure, after reading far too many poorly written manual pages. Easy to interact with? When it didn't hopelessly mangle what it was supposed to secure (we didn't want one-way!) Integrated - as long as you didn't do this or that or...

    Look, you want a well integrated NAI program look at how NAV interacts with Outlook. Yeah it's a big pig and lots of folks hate it but to the user it's *not an issue*. It scans for nasties. It scans incoming & it scans outgoing. It can be configured with a few clicks in a clean interface written in simple language. It just works.

    Personally I ask any ambitious developer to take the same strategy NAI does for NAV and don't try to build yourself into the apps and instead become a proxy. I'd love a local PGP proxy app that my mail could go through. The only interface I'd need would be a tiny plug-in to set a header on messages for the proxy to read and act on. That sort of plugin should be simple enough to write for all of the popular email apps, let the engine remain consistent across everything.

    With how to talk to the engine simplified then the effort can be moved to making PGP as an installation easier, more intuitive, and less of a jerk. For one thing default to a minimal install, go the install-on-demand route if need be, but DON'T dump a half-dozen applications into a system by default. Firewalls and VPNs are lovely but make sure the customer knows what they're getting into first, leave it as a second phase install by default. Plug-ins? Drop folks to a web-page where plugs for each app can be listed. Include some default plugs in the install for the most common uses but still encourage the ambitious to check out the newer/more featureful/not-in-the-distrib versions.

    Finally, why isn't there yet a standard for PGP-certifying and/or encoding web-pages?

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.

  11. Re:Why is PGP Freeware not an option? by Chasing+Amy · · Score: 5, Interesting

    Umm, PGP isn't *exactly* closed-source--only the latest versions 7.x truly are. Up through 6.5.8 the source is available free for non-commercial use according to its own license. http://www.pgpi.org/ for details and source code. In fact, most PGP fans don't use version 7 precisely because the code hasn't been released and reviewed yet, while many of the earlier builds have undergone a good deal of scrutiny.

    In fact, there are several unofficial forks. I myself use 6.0.2ckt Build 07 from http://www.ipgpp.com/ , which seems to be popular with a lot of folks. The real hardcore PGP zealots are still using 2.6.x branches. Personally, I have no idea what the submitter of the story was thinking when he used that phrase. Most PGP users will continue to use PGP, and if bugs are found they will be fixed, just as the unofficial 6.0.2ckt version has gone through 7 build releases as has 6.5.8ckt. If a bug is found, someone will fix it, no problem.

    --

    Chasing Amy
    (We all chase Amy...)
    "The more corrupt the state, the more numerous the laws" - Tacitus

  12. Outlook plugin by Moritz+Moeller+-+Her · · Score: 3, Interesting

    Here is the gpg Outlook plugin, German and English version:
    http://www3.gdata.de/gpg/download.html

    --
    Moritz

  13. Re:Make it Seamless, Silly. by MrMickS · · Score: 2, Interesting

    Having switched to Mac OS X I'm using a Chat (AIM/MSN/Yahoo/IRC/Jabber) called Fire.

    This has seamless GPG integration. You select the key you want to use, enter your pass phrase on startup and it's ready to work.

    Key exchange is managed from within the chat windows. There is an option to send your public key to your "buddy" and it automatically inserts the key into their keychain.

    This is as seamless a use of encryption tech as I've seen in software and would make a good model of how to integrate into other applications.

    BTW. I've had some experience in using PGP in a commercial environment being responsible for adding mandatory PGP signing to the UK domain registry in 1996.

    --
    You may think me a tired, old, cynic. I'd have to disagree about the tired bit.

  14. Why I can't use GPG by Anonymous Coward · · Score: 1, Interesting

    I need a GPG plugin for Lotus Notes, Eudora, IE-Mail, Outlook and so forth. Until it's done as a package, I can't use it.

    I need something simple that I can install into Lotus Notes so that a non-tech person can use this.

    Don't give me any crap about you can do this or you can do that... I need this so my mom can use it, she's worse than Eric Raymond's "Aunt Tillie".

  15. Re:Try the many front ends by HiThere · · Score: 3, Interesting

    You are right. GPG only tries to do what the designers intended it to do. And if what they wanted wasn't what the business wanted ...

    If businesses want to use open source for something that the open source programmers don't feel like doing, then they will need to subsidize the development. That's the way it works. But if they do, then they get the options they want.

    If they choose to go with a closed source product, then they get what the developer provides, until the developer decides to stop providing it. If it's open source, then they get it with no time limits, but if the project stops supporting it, and they want maintenance, then they will need to pay for it, in some way or other.

    TANSTAAFL? Well, not really. But if your menu is the same as the other guy's, then you can sure get a cheaper rate. And if you need a specially selected choice of wine with your dinner, then you pay extra.

    OTOH, if you go closed source, you probably don't have any choice as to what will be provided on the major products (that's a result of what they call a monopoly). And for the lesser products, you still don't have much choice after you make your purchase.

    Nothing's perfect. Open Source has its flaws, and some of them are a bit excessive. But in my mind they pale in comparison to the flaws of closed source with a central monopoly.

    Back to GPG and the need for added features. If businesses want the product that you describe they can:

    1) write it from scratch or hire a consultant to do so

    2) modify an existing open source program as permitted by the license. If they are modifying GPG, then the GPL determines their choices. Which includes keeping everything secret, but also includes forking GPG into (say) GPGC and just adding the features that were missing. This would probably also make modifying the existing GUI shells relatively simple.

    3) do without

    4) do something illegal, and count on chance and their lawyers

    5) do something I haven't thought of

    The features that you mention all seem quite reasonable for a commercial group to want, but it is quite unreasonable to expect an agglomeration of individuals to be in favor of them. E.g., if I were to have an encrypted disk partition, then it would be to my benefit if nobody could read it without my permission. And if I quit in anger, or was fired, then I wouldn't want the company to be able to read my disk. It would (perhaps) be to their benefit to be able to do so, but it's not at all clear that it would be to my benefit.

    This reasoning applies to all levels of the company from the secretary to the general manager. And this may in some measure explain why no significant effort is put into features of benefit to the company but not to the individuals. (Of course, computer techs will be most aware of this, but then they would also need to be the ones initiating the argument for funding the project.)

    A closed source company would be more likely to provide these functions, but they would also be more likely to keep their code secret and unmaintained if they went out of business. Perhaps leaving you with disks that were unreadable (what is the most likely cause of their going out of business?).

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.