Slashdot Mirror
Phil Zimmerman and PGP at CNN.com
rick_campbell writes "CNN is carrying an article about Phil Zimmerman and the fact that Network Associates is dropping support for the commercial version of Pretty Good Privacy. The article includes a little bit of Phil's take on the situation, a little history and some discussion of why this happened and what alternatives exist."
"Anyone interested in helping should contact me," he added.
If Adobe was so concerned about encryption, they may have picked up on this bargain from NA.
... but wait a second. We already know they're only concerned as far as it doesn't cause bad PR.
"Though a free version remains available elsewhere, the company won't update it or make it compatible with newer operating systems, like Windows XP."
:))
Im "starting" to get worried about XP privacy!
Fabio - Sumare/Sao Paulo/Brazil/South America/Earth/Solar System/Milky Way/Universe
http://www.morroida.com.br
Can't we just give the poor guy a little privacy?
That's all he wants.
"But so far, PGP is limited primarily to niche markets, like human rights and organized crime -- authorities say mob suspect Nicodemo S. Scarfo Jr. used it to encode gambling records."
:)) I never knew they were SO organized!!
Nice, nice!
Fabio - Sumare/Sao Paulo/Brazil/South America/Earth/Solar System/Milky Way/Universe
http://www.morroida.com.br
I looked at PGP a while back and actually installed it. Unfortunately -- and perhaps because of my own carelessness -- it started causing issue(s) with my network connection and I ended up removing it. As the person responsible for the web/email servers where I work I know first hand how unsecure and public email is; yet I've not found a solution that I'm comfortable using. PGP seemed (at least to my knowledge) to be the most widespread, but even at that I couldn't name 3 people who I regularly exchange emails with who use it -- in fact I'm not sure if I could name anyone other than my wife who did. The only way I could ever see something like this widespread were if it were integrated into Outlook/Outlook Express/AOL/etc. and I don't see that happening. :(
I was talking to a company about orders the other day and one of the ways you could place an order with them was to E-Mail them your credit card number. I told them I wasn't sending my credit card number over the open internet and asked if they had a PGP key I could encrypt to. They had no idea what I was talking about. After that I wasn't particularly willing to entrust my credit card number to them at all...
The old US Crypto regulations did a pretty good job of stunting crpto-enabled mailers in the US, too. Since you couldn't export encryption or even an "Encryption enabling API" there wasn't a lot of integration work going on. Sure you could get a set of scripts to use PGP or GPG with Pine, Mutt or XEmacs, but most of the people using those mailers didn't even go to the effort. We won't even go into the happy fun GUI mailers that Joe Average User wants to use. PGP did do a good job of integrating into Outlook, at least.
The upshot of all that is I think it'll be a long while before encrypted E-mail is the norm.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It also proves how dumb the companies are and how affraid they are of customer action.
America is the only country where customers truely run the buisness, where the popular control the merchandise!--Fuck 'em if they can't take a joke!
does anyone else think that the censorship icon on slashdot kinda look a guy playing a harmonica?
To which I say fine. Alternatives for most of the stuff we use here, messaging systems, web based stuff, etc. can be found in open source projects or written in house. This is just another golden opportunity for open source software. Maybe my boss will hear my pleas now.
This is a really sad day. Most of the slashdot community can continue using encryption, but their PGP package was the only one I've seen easy enough for my mother to use. The integration with outlook/etc made it so easy to use. Hopefully they'll do the Right Thing (tm) and make it open source, so that we can continue making it compatible with OSes like XP -- which unfortunately people are using.
Do many people truly use this technology? I understand many "geeks" use it, just for the cool factor, but I have yet to send email to someone who refuses to read/accept it because it was not PGP encrypted. I understand the use is for encrypting email and validating that it is, in fact, from the person who sent it...but really, does anyone use this for anything more than sending thier friends email that doesnt really need to be encrypted?
I SURVIVED THE GREAT SLASHDOT BLACKOUT OF 2002!
Encryption is difficult for average users to grasp, - It's like a secret code.
products aren't all that easy to use - Most email encryption I have seen is implemented as simply depressing a toolbar icon. Is that really that difficult?
and the threats of not protecting e-mail from prying eyes aren't all that easy to explain, Hill said - Hill can't be serious. How about two words? Intellectual property. or how about these two: National Security. Or how about these two: Excessive litigation
Also in an article that supposedly discusses alternatives for encrypting email, PKI isn't even mentioned. What a terrible article.
Stop Continental Drift! Reunite Gondwanaland!
It seems that NA had a great concept/product on their hands and through whatever passes for sense,let it go. How many applications has this happened to? An individual or small startup has a great idea, or maybe even the elusive 'killer app' and then is quickly bought up or out by a larger corporation. The application is quickly diluted, sent through several revisions that only seem to add complexity/bugs, and then the company drops it, but keeps the 'trademarked' name.... Now we can still get copies of and continue to use PGP, but now we will have to call it something else. Here's to Zimmerman; stick to your guns!
...we are from the government - we are here to help...
You have to wonder if there was anything going on between the government and Network Associates decision on PGP. Since September 11, the demands of the government to read email have skyrocketed.
If Microsoft were serious about their "Trustworthy Computing" initiative, they'd buy PGP and integrate it into Outlook/Outlook Express and their Mac equivalents and make it mind numbingly easy to use. Within just a few years millions of people would be using PGP.
Now who wouldn't celebrate something like that?
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
What's this bs about it not being compatible with XP? I'm using my old 6.5.8 (the last version I saw before the price jumped way up) just fine in XP. There are some minor niggles but those were present in W2K as well (which, according to the documentation, is supported by 6.5.8).
The PGP application for Outlook was really nice, users could understand it, and the price was fair. We tried to buy another pile of copies, and was told, "Sorry...".
Sigh...
Don't forget pedophiles too! The nasty predators are hiding in the bushes using PGP and your children are next!
well, so long PGP... I guess I'm a nitpicker but it seemed to me that not long ago The GNU was hacking many more projects than just a PGP clone and a "command-line utility" wtf? Hello! Someone call the stupid police. I seem to have these vague sort of runins with this program called emacs... come to think of it it happens pretty much every day at work. GNU's only a privacy/command line utility maker. Deh fo the GNU that made my Emacs must be a different GNU than the one this article talks about. I'd like to meet this GNU guy on the block sometime. sorry for the pun, just had to. aight, over an out.
I'm too lame for sigs
HIPPA is some legislation that has portions going into effect now and in the next few years. It requires those who handle medical information electronically to do so in a secure manner.
I work for a collection agency and since we collect for hospitals sometimes we have been looking at this. We were going to use PGP as clients have specifically mentioned that they require it. Now I am not sure what we will do. Much of what is available out there has restrictions on being used for business.
The movement towards being more secure information delivery seems slow but it is moving forward.
I am just real interested in seeing what kind of alternatives surface for businesses like ours.
.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
PGP actually is compatable with XP. Well... compatabile enough anyway. I had a relative install 6.5.8ckt on XP WITHOUT the e-mail plugins and without PGP Net and it works fine.
It is very easy to click on the tray icon and encrypt or decrypt the "current window".
From what I understand, 6.5.8ckt works better with XP than any other PGP version. I undersatnd the plugins and possibly PGP Net causes issues in XP.
What worries me about this is that, by getting encription deeper into its niche, the time when massive operating systems (Windows the first one) and applications (Outlook for example) integrate encryption functionality just out-of-the-box is being more and more delayed.
I am deadly sure that, just after MS includes the "Encryption Wizard" application for managing your keyring (with a nice animated paperclip, of course) crypto be quickly adopted by everyone.
I don't think Mr. Gates cares about educating the masses, though.
Just my humble opinion, but I'm serious at it.
Until it gets simpler, easier, better integrated with email systems, it won't be widely accepted.
Come out with a local system proxy that resides on the local machine, and have all email route through there. Have IT check to see if there is a public key for the email address, and let IT encrypt and forward onto the "real" email server. Have it handle simple text mail ... and voila ... you have a simple system that EVERY email system could use (POP3/IMAP servers in the proxy) ... and it would be simple, since regardless, it gets sent out encrypted.
BTW, I came up with this system a couple of years ago ... company folded ... I wouldn't want to work on this again since I'm "tainted" ... but ideas are free ...
Karma? Karma? I don't need no stinkin' karma.
Hushmail (http://www.hushmail.com) is web-based OpenPGP mail. I'm a customer and sent Crypt-o-Gram a review, but have no other connection.
The closest thing to the dream of "just press a button" is the S/MIME in Outlook. That still requires users to get a certificate ("a what?!", they will ask). And S/MIME has drawbacks.
Pushbutton encryption is a delusion anyway. The details of key management are indispensable to security and require out-of-band verification. Unless you've checked a key fingerprint, or totally trust a key signer, you can be attacked by feeding you a fake public key and all the crypto wizardry is irrelevant.
A good open-source project would be to develop a means of using S/MIME messaging for secure email transport. Advantages? Already supported in Outlook and Netscape/Mozilla. Certs can be generated with openssl and corporations could use their own root certs to sign employee certs, etc.
There are some vendors out there today with products to generate certificates etc.
It works just fine!
Many ask "how can I use this?" and etc. I suggest getting a Hush-mail account and getting your friends to do the same.
Hush-mail has no problems with adding in PGP keys - and I've e-mailed my buddies who have Hush-mail with my PGP'd mail.
I think the software needs to be maintained, but of course it's far from dead. I'd just like to see PGPhone 'grow-up'. It's an awsome app.
Get your Unix fortune now!
http://i.cnn.net/cnn/2002/TECH/ptech/04/21/encrypt ion.future.ap/story.senate.encryption.jpg
y pt ion.future.ap/keyboard.data.jpg
and the other..
http://i.cnn.net/cnn/2002/TECH/ptech/04/21/encr
Finally I know what PGP looks like
khl
http://www.cryptorights.org
There are people in countries with really bad governments who are using PGP to communicate.
You windows guys are just idiots because if its not point and click your completely lost. GnuPGP works great for all email clients. Sure its CLI, but you can find a handful of GUI clients to make keys, import, export, blah, blah, blah. Then most email programs like Evolution, KMail, Pine, Elm, etc... all support the PGP keys. So quit your bitching and click on something else...laters...
This is a test. This is a test of the emergency sig system. This has been only a test.
Suddenly all of his e-mail was publicly readable at some site that simply lifts it off the internet mail servers?
Then, I go to Outlook, or Outlook Express, or Netscape Communicator, or Mozilla, and I install the certificate. Then, I click the "Digitally sign this email" checkbox to automagically send my certificate to sign the email, and additionally click the "Encrypt this email" once I receive a certificate from an end-user to encrypt the email.
Sure, there are scalability issues, but any good PKI implementation can take care of those for corporate use. And, with a Network of Trust like Thawte is creating, you get the PGP-like ease-of-use with the PKI-class trust-level of a real PKI. All for the home user.
And no, I don't work for VeriSign or Thawte. I did work for a company that used certificates. A lot...
It's hard to request that friends use encryption when (a) it's extra work for them, and (b) their email clients don't generally support encryption. This means that in my workplace, I have to assume that all of my POP mail may be read by IT co-workers (and given the draconian terms of employment foisted on me and others, I find the scenario probable). However, there is a solution to this situation: a POP client, in combination with a bit of supporting software on my mail server, that encrypts mail as I receive it on the server and decrypts it only when it reaches my machine (and does the reverse when sending). This solution will prevent anyone at my workplace from knowing the contents of my private email, and will not require that I educate and equip any of my friends with encryption software.
By the way, if there is existing related work then please mention it.
- First they ignore you, then they laugh at you, then ???, then profit.
Encrypted email will probably go through essentially the same stages as HTTPS.
First, it will get integrated into mail clients, for those users who insist on it, in a half-hearted way. Then mail clients will pop up a warning when you send something unencrypted, which most people will just click through for most messages, but people might notice when they're sending a message which they wouldn't send by plaintext HTTP. Then it will become normal for sites with HTTPS servers to have PGP keys for email. It probably won't get much beyond that any time soon, though.
As far as implementation, I anticipate PGP and similar software dying out, in favor of PGP-like crypto functionality being supported in OpenSSL. Why OpenSSL? Because it has become the standard security library implementation. OpenSSH uses OpenSSL, even though SSH competes directly with telnet-over-SSL. OpenSSL also has all the cryptographic functions, it's BSD-licensed, and a lot of security-conscious projects beat on it. Once OpenSSL has support for PGP-formatted stuff, it will be easy for email clients to integrate it. Also, since many email clients are integrated with browsers, which need SSL support (and so use OpenSSL already), it's simply a matter of calling the decrypt function when you get an encrypted message, storing public keys in the address book, and encrypting messages to anyone who has a public key in the address book.
It is no longer necessary to have a separate program for encryption. Writing crypto code is hard, but OpenSSL does or will do almost all of it, so you're left with managing the user's private keys (just like managing client certificates), managing other people's public keys (just like managing site certificates), and distributing the user's public key (just like business-card attachments). The only tricky thing is in signing other people's keys, but if you're not worried about active attacks with people who you don't talk to out-of-band and who don't aren't corporate sites, you don't need to bother.
"PGP inventor Phil Zimmermann says PGP.. "
What about Rivest, Shamir, and Adleman? Some guy puts a wrapper around their invention and suddenly he's the inventor -- R,S, and A don't even get a mention.
"Thanks for the technology...now get lost."
First of all, key exchange is an arduous process. You can't possibly trust a third party to get you keys and whatnot; In fact the ONLY valid way to get a key from someone is in person, face to face. That's it, period. Anything else is questionable. Users just aren't going to do this.
So basically, reasonable use of encryption is not going to happen until everyone is carrying around PDAs. Maybe that will be because all digital watches will be PDAs, or maybe they'll just become so cheap that every computer user will have one; I can't imagine it would cost that much to make a slim version of the good old palm pro these days, but of course 3com won't want to undercut their market. Until something like this happens, though, only geeks will use crypto.
There's another problem, too, though a lesser one; You have to make a backup of your key, or you will lose it if your computer decides to throw a disk or just scramble its contents (Windows XP Dynamic Disks, anyone?) And as we all know, only a long passphrase is a good one, but coming up with a long passphrase which is not easy to guess but is easy to remember is tough. We have computers so we don't HAVE to remember things. It would be better if you could use some sort of biometric system to store your passphrase.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Disclaimer: IANIM (I am not in marketing)
As I see it, there are two barriers to widespread adoption of PGP (or GnuPG). The first is usability; the second, more important one, is demand. People do not see the necessity of encryption, and in fact, many associate encryption with criminal activity.
The first problem can be solved through the proper use of technology: create user-friendly interfaces for key generation, key management, etc. The goal should be to make PGP/GPG as easy to use as a word processor, spreadsheet, or video game.
The second problem can be solved by promoting digital signatures as opposed to encrypted email. Most people don't care that their email is as open as a postcard. In addition, a significant chunk of the population associate encrypted email with organized crime and terrorism. These are the factors we have to work against in promoting encryption as a way to keep email private.
Digital signatures are a different matter. There is no social prejudice against digital signatures per se, and the need for digital signatures is easy to demonstrate, as detailed below.
Most people believe the From: headers on their emails without question. Unfortunately, it doesn't take much technical skill to fabricate an email with a fabricated From: header. (Below is a Python script that does just this). It's therefore trivial for a malicious person to send all kinds of forgeries to you, your friends, your co-workers, etc. The social damage can be catastrophic.
Digital signatures solve this problem neatly: if you have any doubts about who actually sent the email, or the actual contents of the email, the digital signature gives you near mathematical certainty that the message and sender are authentic.
In my experience, it only takes a couple of humorous demonstrations to get the point across to your intended audience; after which, they become motivated to learn and use PGP/GPG to sign and verify the signatures of emails. Using PGP/GPG for encryption is a logical next step.
By the way, if you do try to demonstrate the forged From: header trick, please make absolutely sure that your audience is prepared ahead of time, and that you are legally authorized to do this, before you make your demonstration. Otherwise you could unnecessarily end up in a heap of trouble.
It should be noted that PGP and GPG have an advantage in meeting the demand for digital signatures, since they're both relatively mature technologies. The danger is that the government could push hard for their own scheme, with built-in back doors and/or mandatory key-escrow. Selling secure, non-escrowed encryption is going to be much harder in the present political climate than it was before.
Hope this helps.
Finding God in a Dog
At work we've got an online app that hosts insurance data. So far we've had two insurance companies that have refused to send us data over the Net unless they can encrypt it with PGP - one of them said "we love PGP, we use it all the time."
Does anyone know a decent Windows email client (i.e. not Pegasus or Outlook) which does handle PGP messages?
Might I suggest The Bat!?
Funny name, yes, but it's rapidly become my second-favourite MUA (after KMail) and certainly my favourite on Windows. It has support for both PGP and S/MIME encryption and signing (although it uses its own built-in PGP implementation which I'm not entirely happy about). It's not free in any sense of the word either (it's 30-day trial shareware), but hey, this is Windows we're talking about.
For what I can see in every day life PGP is stron as ever, at least openpgp.
------I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.------
Please, it's Phil Zimmermann with two N's.
Several comments have pointed out that encryption demand just wasn't there. I agree. While we would like to think that every end user would see the need for encrypted e-mail, we all know that hasn't happened. Yes, if MS or AOL made including encryption a standard part of their e-mail packages, that would go a long way, but the complexity of encryption needs to be hidden from the end-user.
Truth be told, most people really don't need encryption on a message-by-message basis. Encryption activists feel that a world with strong encryption is broadly a better one, but that requires a "network effect" from adoption and the current costs for adoption for end users are just too high in terms of complexity for them to want to go to the effort of adopting it for a vague future goal -- even assuming they comprehend it and agree.
Effecting real change may require backing away from some of the ideal crypto solution as a way of avoiding the complexity costs. People have mentioned several areas of complexity, including e-mail program transparency, certificate management, out-of-band verification, and trust networks.
However, if we consider web-browsing, these have been effectively hidden from end-users and have thus failed to hinder adoption. Web browsers have public key encryption built in, plus a master set of certificates for verification. Because web browsers don't require two-way verification of identity, users don't have to worry at all about managing their own key. Adoption of SSL has been effectively transparent to users. Those who seek to have crypto email become the standard should seek similar solutions to transparent adoption first, rather than seeking to delivering the most sophisticated crypto. Once adoption has been catalyzed, the technology can be improved as the masses become familiar with it.
Designers of the next generation of e-mail software should look to make certificates a natural part of the email environment. This should first center on identify verification, not encryption. There are several places this could happen:
- When first setting up a new email address, the user should be prompted to create (or import) a digital ID for signing the e-mail. This certificate should be automatically (and transparently) sent to a central key-server. This key should be non-expiring. There should be options for upgrading/replacing the digital ID for advanced users. Passphrases should not be used by default, but could be an option for advanced users seeking additional security.
- Address books or nickname managers should include an icon/notation to indicate which addresses have digital IDs. When nicknames are created or imported, the program should check all e-mail addresses against a keyserver and import the public keys.
- When sending mail, signing should be the default.
- When receiving mail, the return address should be checked against the nickname file or against they keyserver automatically. Signed mail should be specially flagged as such in the Inbox. Encrypted e-mail should be automatically decrypted on receipt/viewing. (Advanced users might opt to keep encrypted on disk and only decrypt for viewing)
- For moderately advanced users, options should exist to enable encryption by default. This should automatically encrypt if the e-mail address matches one in the nickname file with a digital ID associated with it. Advanced users could opt to automatically seek a key from a keyserver and send encrypted if found or plaintext if not found.
Consumers would have to find a reason to upgrade to this kind of system. One possible option is to use the signatures to help spam stomping. Using e-mail addresses alone for filtering may work for a while, but ultimately likely fail due to the ease of forgery. Filtering on signatures either against the ID in the nickname file or a verified key on the keyserver (one signed by a master CA, so that legit companies could send you something without you having to have them in your nickname file) might work very well. With spam being the problem that it is, this might be part of a "killer app" of next generation e-mail programs to deal with the problem.What this largely throws out is the element of getting signed certificates and requiring consumers to manage them. However, I'm certain that after people got used to the idea, the notion of having their digital ID certified wouldn't be so complicated. (It would of course need to be affordable.)
(One could imagine that when governments begin to issue digital ID's these will be signed by the government and could be used for e-mail signatures as well.)
The question of course is who could make all this happen? It probably still falls to the major e-mail program makers. I'm surprised that MS hasn't started down this path. Building in transparent signatures like this should be beneficial for their corporate business, and they should be able to sell lots of PKI add-ons for corporations to do certificate management. (Ironically, I think Notes has had this built in for ages, but it only works within the Notes server.)
So, anyone from MS listening? Now's your chance to delivery against your privacy initiative. Best of luck.
-XDG
This is really of relevance to me. The other day I had a client call to let me know her trial version of PGP for MacOS had expired. So, I went to register it, and found out that was no longer possible. Now we need to find a replacement which will work with Eudora under MacOS 8/9, and will not expire. Any suggestions? (No, we are not replacing her desktop machine with Linux)
WinPT is a great toolbar application, a front-end for GnuPG. It lets you ecnrpyt/decrypt from/to any application, including email of cours. That's one of the end-user applications that support OpenPGP that we've been telling our customers to use, when we install our product on their site so they can process forms and encrypt results via email.
Notepad specialist & FAT administrator, group training available
Hey,
Here are some cool gpg links:
http://biglumber.com
key Signing Mailing List
Encrypt!!!
Douglas Calvert
Who cares? Bill Goatse maybe?
You can create a CA yourself fairly easily (see OpenCA for one example). The real problem is how to get your root certificate onto users' machines. In a "closed" environment, it's simple to install the root cert on all machines that may need it; in the more general case, even though it is simple to create a link that will install the root cert, persuading Joe User to push on past the scary messages is a different matter.
My next sig will be ready soon, but subscribers can beat the rush
but really, does anyone use this for anything more than sending thier friends email that doesnt really need to be encrypted?
Yes. http://www.ptclub.com accepts encrypted mail, and if you take a look at their website, you'll understand that people using the advertised services want privacy.
Of course, dealing with companies like this has other risks than loss of privacy - for all I know the entire company could be a scam. They're based in Panama, so good luck to anybody whose money disappears and wants to sue them. But at least you don't risk your government reading your email to them.
I run a service that provides priority digital document delivery. I'd like to add end-to-end encryption to the system, and GPG looks ideal, except that it's distributed under the GPL instead of the LGPL, so I can't incorporate it into my commercial service. The mechanisms that I've seen to "integrate" GPG into any commercial email clients are all awkward, with nightmarish installation procedures, which is (IMO) a partial cause of the complete failure of secure email in the marketplace (not counting us geeks).
Is there any legal way that I can transparently integrate GPG into my software? Is there an alternative open source solution?
it is time for you to get a new account. the slashbots are on to you.
I've got GPG, and I have enigmail to integrate it with Mozilla. If everyone I knew had keys, I'd encrypt every email that I sent. But I can't do that, and simply signing it won't do. People that don't know what PGP is get scared when they see my signed message, with those "weird" "-----BEGIN PGP SIGNED MESSAGE----" type things and hash identifiers. People will think I've got a virus, so I can really only encrypt or sign my email to a select few people, and I talk to those people via IRC and AIM far more than I do by email. It's got to be much more seamless for people to not get scared by encryption.
--
"Everybody wants a rock to wind a piece of string around." - They Might Be Giants, "We Want a Rock"
PGP (freeware) integrates nicely with Eudora-- just right-click a message and type in your passphrase to encrypt or decrypt it.
About as easy as it gets.
You really want a company known for "Embrace and Extend" and "decommotized protocols" strategy, to push a standard for email encryption?
"Oh, your Sylpheed and gpg can't read my email? Well, just upgrade to Outlook. Outlook users can read my email just fine." -- Overheard in 2005.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
In AD 2002, war was beginning. ...
Phil: What happen?
Admin: Someone set up us the bomb.
Receptionist: We get signal!!
Phil: What?!?
Receptionist: Main screen turn on.
Phil: It's YOU!
Asscroft: How are you gentlemen !!
Asscroft: All your file are belong to us!
Asscroft: You are on the way to destruction.
Phil: What you say!!
Asscroft: You have no chance to survive make your time!
Asscroft: HA HA HA HA
Phil: Take off every 'gpg'
Phil: You know what you are doing.
Phil: Move 'gpg'
Phil: For great crypto!
Anyone with any sense knows that the Feds have been working for years to stop the public from having strong crypto. They have a great excuse now for pursuing and eliminating easy-to-use crypto. I just can't get the image of Asscroft, spittle spraying from his gob and drooling onto his chin, chanting random passages from the Bible while he plots the next liberty-divesting move that he and his goon-squad comit.
Paranoid? SURE!!!
Correct? PROBABLY!!!
PGP lost out to S/MIME long ago. S/MIME is THE standard.
As for Zimmerman, and his "asking for help", this is typical ofd this fucking cheapskate. For a start, he WAS PAID to develop PGP which was then given away - he did NOT give it away out of the kindness of his heart. Then he gets others to (il)legally export his code (by printing/scanning), and again the world thinks he is a genourous guy, when all he is after is a way of legally exporting his software.
And all the time he was moving goalposts, so that freeware implementations never managed to be compatible with later versions of PGP.
He is a money grabbing bastard. Fuck him
Already done. There are C and Java S/MIME projects out there. Sun even provide java S/MIME for free, and I think SSLEAY will also do the trick
About PGP or GPG is remembering your damn passphrase.
Like so many people have already pointed out, even if I adopt it, no one I communicate with uses it, so I don't use my passphrase a whole lot.
I encrypted a journal I was keeping (not regularly), and went to unencrypt it, and couldn't remember the exact way to type the pass phrase in. I had a lot of punctuation, upper, lower, and numbers, and couldn't figure out exactly where I was typing wrong.
Of course being the true paranoid, I never wrote it down anywhere either.
I really hope it will become more popular, it is an Outlook style UI email client. Highly encrypted. Plus you can use it for chat and sending files, too.
CryptoHeaven runs on both Windows and Linux.
With PGP being mostly used as an email plugin, and with the NAI problems I would look into alternative ways of sending encrypted email. There are a few other software which in addition to email, also handle instant messaging and file sharing in a secure mode. I would strongly recommend you try CryptoHeaven as it is relatively easy to use and provides great crypto. Its great for mail, chat and file transfers.
I have zero karma and I meta moderate and ocationaly get a chance to actualy moderate too.