Can GnuPG Deliver?

jso888 writes "After Network Associates decided to halt further development of PGP, I'm sure that many users like myself who use non-CLI platforms most of the time, wondered "what next?" (PGP Freeware is not an option, since it's tied into the Network Associates product). Salon today has a nice article on GnuPG, the Open PGP/GNU alternative. The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS, especially important capabilities like personal encryption. One of the nice things about NAI PGP was its ease of use and commercial polish. It was easy to install and use, and integrated nicely with Windows software like Eudora and ICQ. GnuPG, admittedly, isn't quite there yet, the article concludes. That's too bad; given the privacy-hostile world we live in, the last thing we need is another barrier to widespread cryptography adoption."

Get PGP encryption into Mozilla

[augustz]

If you have a bugzilla account, head on over to
http://bugzilla.mozilla.org/show_bug.cgi?id=22687 and vote for what is probably the singles most popular bug there is. They need a framework which allows folks to plug in something like GPG at will. Plenty of work went into trying to get somewhere without any luck.

Re:what have YOU got to hide ?

[einhverfr]

What do I regularly encrypt?

1: Financial information (bank acct transactions, credit card accounts, tax information, etc).

2: Information I need to get past the casual check (such as viruses I am analyzing for possible harm) so that my AV software or mailer won't balk at it.

3: Confidential business information.

Here is another application to Assymetric Encryption: Digital Signatures (basically encryption in reverse). I digitally sign all:

1: Confidential business information (also encrypted).
2: Security-related emails to people who depend on my security skills (and need to be able to trust that the email really came from me-- social engineering IS a real threat).

I also sign emails that contain attachments so that the reader knows that I knowingly sent them.

OK. So is this enough of a reason why Citizen Joe would need good strong public key encryption (note that symetric encryption like 3DES will NOT provide for digital signatures).

Geeks & Interfaces

[maggard]

NAI PGP for Windows was a good program?! Show me one average person who ever felt it was a slam-dunk. You know, not the ones who read /. but those that had to install it for some reason, were given this fool thing and a sheet of local instructions and told "install this" and weren't found trembling under their desk 3 days later with a pooched PC.

Ech.

Some great concepts but still a cranky idiosyncratic bastard of a program. Trivial to use? Sure, after reading far too many poorly written manual pages. Easy to interact with? When it didn't hopelessly mangle what it was supposed to secure (we didn't want one-way!) Integrated - as long as you didn't do this or that or...

Look, you want a well integrated NAI program look at how NAV interacts with Outlook. Yeah it's a big pig and lots of folks hate it but to the user it's *not an issue*. It scans for nasties. It scans incoming & it scans outgoing. It can be configured with a few clicks in a clean interface written in simple language. It just works.

Personally I ask any ambitious developer to take the same strategy NAI does for NAV and don't try to build yourself into the apps and instead become a proxy. I'd love a local PGP proxy app that my mail could go through. The only interface I'd need would be a tiny plug-in to set a header on messages for the proxy to read and act on. That sort of plugin should be simple enough to write for all of the popular email apps, let the engine remain consistant across everything.

With how to talk to the engine simplified then the effort can be moved to making PGP as an installation easier, more intuitive, and less of a jerk. For one thing default to a minimal install, go the install-on-demand route if need be, but DON'T dump a half-dozen applications into a system by default. Firewalls and VPNs are lovely but make sure the customer knows what they're getting into first, leave it as a second phase install by default. Plug-ins? Drop folks to a web-page where plugs for each app can be listed. Include some default plugs in the install for the most common uses but still encourage the ambitious to check out the newer/more featureful/not-in-the-distrib versions.

Finally, why isn't there yet a standard for PGP-certifying and/or encoding web-pages?

Re:Why is PGP Freeware not an option?

[Chasing+Amy]

Umm, PGP isn't *exactly* closed-source--only the latest versions 7.x truly are. Up through 6.5.8 the source is available free for non-commercial use according to its own license. http://www.pgpi.org/ for details and source code. In fact, most PGP fans don't use version 7 precisely because the code hasn't been released and reviewed yet, while many of the earlier builds have undergone a good deal of scrutiny.

In fact, there are several unofficial forks. I myself use 6.0.2ckt Build 07 from http://www.ipgpp.com/ , which seems to be popular with a lot of folks. The real hardcore PGP zealots are still using 2.6.x branches. Personally, I have no idea what the submitter of the story was thinking when he used that phrase. Most PGP users will continue to use PGP, and if bugs are found they will be fixed, just as the unofficial 6.0.2ckt version has gone through 7 build releases as has 6.5.8ckt. If a bug is found, someone will fix it, no problem.