Slashdot Mirror
Zimmermann Suggests Freeing PGP Source
broody writes "NewsForge has an interesting article detailing Phillip R Zimmermann's lament at selling PGP. Since he cannot afford to buy it back outright, he is pushing for Network Associates to 'open source' it. Well, the GUI and SDK anyway. I'll say this, he's an interesting little capitalist."
Why bother? Its gone, sold, IP traded for cash. He knew what hw was doing when it was traded for money. If he really wants to do something, GnuPGP would probably welcome him with open arms...
+++ UGUCAUCGUAUUUCU
As Larry Wall likes to say, There's more than one way to do it.
:)
Why should we care what Network Assosciates's proprietary privacy software does? There's no good reason one can't write their own Public Key Encryption software.
In fact, it seems to me GPG already did that awhile ago
If this guy sold PGP five years ago, what authority does he have now to suggest the change?
What sucks is they dropped the commercial VPN client totally, the freeware version is still around (or was a couple weeks ago) but it only supports machine to machine, no machine to network connectivity, that was only in the commercial version.
If they can't make money with it, and they don't plan on it, it could be used to build will and advertising. Part of the requirement would be to leave in the advertsing banners. Or require some form of license for inclusion into other commercial software.
Note that they have not conceeded that PGP cannot be sold off, yet.
Fight Spammers!
not to bash slashdot, but why is it that Linux Today always posts the latest linux stories at least half a day before slashdot does?
anyways, on a side note, i think zimmerman is in the wrong here. if he is so concerned about the concept of pgp, then why isn't he focusing his efforts on GnuPG, which is a completely open version of the PGP concept?
You can download PGP for free right now. And the source code has been published. The enterprise version is still for sale. What is he complaining about?
No, they probally wouldn't. The IP belongs to NA, and I think he has probally seen the source code, so Gnu couldn't claim their code was a clean room implimentation.
Considering Network Associates isn't developing it further, I somewhat see his point, but I don't see how he really has a say in the matter.
That is a good idea. They already did some of it with the GPG project.
.. I remember downloading the sources of PGP three years ago to compile on my Sun box. I don't really see what the fuss is here either?
Yes, the international PGP site
PGP is very good in Outlook for email and within Windows for it's other features. Not making it available for Windows leaves people stuck in Windows with only proprietary options bundled in with Outlook/Windows, or those supplied by other vendors. GnuPG (not GnuPGP) dont work in Windows (well, it might via cygwin, but I'm not counting on it).
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
What about doing what Microplanet did with their Gravity news reader and making it freely available in binary format for all to use?
That way they don't have to give up the rights to it, but still have a loyal base of users. When they're able to make a buck off PGP again they can add some "must-have" features and the customer base will slowly come back to the commercial fold. As it is, the freeware versions will dominate and eventually PGP will be forgotten by most people.
Don't anthropomorphize computers, they don't like it.
Yes but unfortunately the latest and greatest contain desirable features, such as VPNs and hard drive encryption. I however do agree with you, the source is open so why can't someone else add it on for free?
Getting NA to open up seems more like laziness to me! And of course, it is of no benefit to them at all to do so.
The fuss is that people want the VPN features to be open source too.
I say just use something like FreeSWAN or get yourself an OpenBSD firewall and use that for VPNs.
His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.
Think of all the software that might still be available if they had such a clause in their license. Hell, just the games!
-Pete
Soccer Goal Plans
Uh, that's great, but they still own it. Yes, you can look at the code, but you can't use or modify it without their consent - which I don't think that they intend to give. Open source means that you get those benefits.
SIG: HUP
PGP being sold out was the inspiration for the OpenPGP project which generated GPG, a perfectly good alternative to PGP.
The only real problem with GPG is the comparative lack of high quality "mere end user" facilities such as a good GUI.
Let's all dump PGP, it's served its purpose and its time is done. Put your effort into making GPG (real open source!) widely accepted and used.
Yeah but there's nothing to stop people using the ideas and algorithms implemented by that code. Hence the benefits of read only open source - interoperability.
it does. i use it. please dont spread fud.
gnupg works just fine in win32
Since he developed PGP, why not develop a RGP, or Really Good Privacy. He can keep this one open, and it can compete with the closed source version.
.0199999999
It offers the liberty of being Free and Free.
Just my
If we don't fight for ourselves no one will.
Some ethics would be in place, this guy SOLD it to network associates, it's quite immoral for him to request them to open source it now!
PGP has been a quite successful product but they charged to little for it, it's funny how many software companies there is out there that don't think people value their products. Low self-estem I guess.
When Zimmerman sold PGP, what did he expect? That people would start paying
Network Associates money to use something that most people still don't
see the need for?
Forget it Phil. You killed PGP when you sold it. GPG is there take over from
PGP and make sure that those who understand the need for good encryption still
have some reviewable source to trust.
Nothing of the sort is neccisary. BSD unix was a non-cleanroom reimplimentation of AT&T unix. BSD won when it went to court. It is easier to be cleanroom though.
...and this lie crawls out of its mouth: 'I, the state, am the people.'
i agree, its just free software zealots getting greedy and wanting more than they desreve!!
GnuPG (not GnuPGP) dont work in Windows
6 -2.zip
GnuPG _does_ work on Windows: http://ftp.gnupg.org/gcrypt/binary/gnupg-w32-1.0.
But it's not graphical. For that, I've been using WinPT for some time. It's a pretty good replacement for PGPtray, not as pretty though. And it imported all my PGP 6.x/Win Keys fine too. Download with all dependencies here
Didn't I read where they were "asking" people to remove copies of PGP for download, even though they didn't offer or support PGP anymore?
Doesn't bode well, if you ask me.
you can't get freeswan for windows yet. pgp is the only vpn package that works under XP too. (and don't suggest raptormobile, that shit is buggy as hell!)
I've read on numerous occasions that NA has versions of PGP updated to run on OS X and XP, but aren't releasing them. Something to do with 9/11 maybe? It seems stupid to simply throw away a defacto standard.
Let's hope the geeks here make that problem irrelevant. So far the Mac side is doing *OK* with tools like GPG Tools, GPGMail, and Apple's own AES encrypted volumes using Disk Copy. However, syncing with key servers, file wiping and other functionality available in PGPFreeware is sorely missed. Maybe Phil Z should start a company focused on GPG rather than wasting his energy trying to get PGP open sourced...
We'd really like you to join the work on GnuPG, and on GUI projects like GNOME. I think it would be most productive to write off the PGP code base and continue your work on the existing Free Software projects. We've gotten most of the hard work done already.
Thanks
Bruce
Bruce Perens.
ok, then it just plain dont work well from a user's viewpoint (which was really my point). Or from Outlook, FWIW.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I actually paid for a license for PGP Desktop for home and still use it heavily for pgpdisk (the encrypted virtual disk software). I like the thought that even if someone hacks into my computers with my login, they still have some work to do to get the important files.
While it sucked to see NAI drop PGP, I made sure I pulled down the latest build before my license expired. I can still get another couple of years use out of it.
I would like to think that someone will eventually pick it up. It's entirely too useful to let it die. It be nice if it turned free, but I would still pay a reasonable amount of money to get a new enhanced version.
but the article states that you can modify it and run the modified version on your machine, you just can't redistribute the modified code.
With the source code able to be modified, it might be easy for some people to think of PGP as Open Source. "You could modify it if you wanted to, and run it on your own computer, but you could not distribute a modified version," Zimmermann explains
Anyways, i dont think NA has any obligation to do as Zimm asks, he sold it to em, and it's now their's to do with as they please, even if that means that they let it just die basically. It's a shame but it is their right to do so.
"Yes, you can look at the code, but you can't use or modify it without their consent"
Actually you *can* modify it and use it as you like you just can't *distribute* it.
No todo lo que es oro brilla
he's an interesting little capitalist.
right now he seems to be a slashdoted little capitalist.
[you@someterminal you]# cd pgp-source
[you@someterminal you]# grep -c -r -i "nsa"
27
Religion is a gateway psychosis. -- Dave Foley
To me, capitalism boils down into a very simple principle, that is, do what is best for yourself, rather than trust a group of people to take care of you.
In the former, the vast majority of people do relatively well for themselves. In the latter, we get the mediocrity or tall-poppy-syndrome of socialism, or worse, the hopeless misery of the extreme socialism practiced by the soviet block and others.
In short capitalism does not restrict what you do, to preserve the interests of others; it is the role of the law to prevent others from stifling you, your advancement, OTOH, is your prerogative, not theirs.
Socialism however, places its trust (trust! in a political system! the fatal mistake - basing a political system on the will of the people? what optimistic naivete) in others supporting a system which supports you.
And? Useless, an abject and complete failure sans parallel nor exception.
So in short socialism == imposing restrictions (work not for the good of only yourself! etc) which the govt has no hope of _making_sure_ that the people follow (and as we see, self-interest leads people to violate that basic rule of socialism, which is why socialism is such a failure)
Proprietary licences == imposing restrictions (`do not copy') which the licencing authority has no hope of _making_sure_ the people follow (observe widespread software piracy, the BSA, for example)
Capitalism == NOT imposing obnoxious restrictions
OSS licences* == NOT imposing obnoxious restrictions
So, the similarities shoule be evident. OSS licences == Capitalist.
The main point behind "OSS == communist/socialist/unamerican" etc is that it is (apparently) un-capitalist to not sell software -- the economy will collapse because software vendors will go broke, so no taxes from companies(**). This is pathetically superficial. The point falls down when you realise that funds (of businesses, people) _will_ be spent. If people use non-proprietary software, the money they save will STILL go back into the economy (they'll buy beer, or whatever). The funds will get into the economy, just not through software.
Simply, this point is a lame attempt by businesses to protect their revenue stream from a paradigm shift which will _remove_ said revenue stream. My advice to them? Get into brewing.
OSS is very capitalist, once you get past the lame superficiality of "oss == non-capitalist because it raises no money" and delve into something less shallow.
final note: non-OSS does not necessarily suck; e.g. os x rox your sox.
* (well, the major ones -- i haven't delved into the less common ones, so i'll speak in terms of the major ones, that is, the GPL family, BSD and MIT licences, although the latter two are basically the same since the removal of the ad clause ~three years back)
** microsoft pays no corporate taxes: http://www.billparish.com/
> Or from Outlook, FWIW
Ah, actually there a plugin for Outlook _Express_ available now. GPGOE. Outlook will take some time -- and hacking on the office dev kit -- I guess. But yes, I get what you mean about "dont work well", but I can tell you it's getting better fast! And if you can, do give WinPT a try. You may be surprised.
It does work in OutLook. I'm using it right now.
Go get it here:
http://www3.gdata.de/gpg/
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
No sufficiently paranoid person is going to feel comfortable using encryption unless he/she can actually see the source and build the binary him/herself. The NSA backdoored NAs PGP years ago... Don't use it if you've got something to hide :) YOur better off using your Captain Crunch secret decoder ring!
BSD unix was a non-cleanroom reimplimentation of AT&T unix. BSD won when it went to court.
But only an organization like BSD, backed by the University of California and their lawyers, had the resources to stand up to AT&T in court. I wouldn't suggest being cavalier about clean-room issues to any random Open Source project.
In response to your recent request, we must notify you that you lack sufficient group privileges to access PGP-7.0-final_src.tar.bz2. In retrospect, this message will self-destruct in 5 seconds. If you would like to re-negotiate your contract with Network Associates Inc., you may do so at your discretion by contacting Bob Lovingston and submit you ple*$!##$@! k-a-b-o-o-m.BOOM.BOOM &$%#@
Sincerely,
Bob Thirston (Stability Supervisor)
That being said I tend to think that the push towards GnuPG isn't as great of an idea as some think.
While there is many "free" or open source projects out there that are great on multiple platforms, GnuPG hasn't yet been fully (if at all) accepted by the Windows users.
Before you flame me; encryption needs to be open, and it needs to be easy to use in some respects. If my grandma (or male lover) has to go to the command line to encrypt his/her e-mail - it isn't happening. Now I see one project to bring it to the Windows desktop but it's being developed by linux developers.
If people expect Phil to come over to the GnuPG camp then you have to be ready to develop as much time to the Windows product as *nix.
Maybe I'm just not making sense because I'm typing fast... but simply: Gui, Gui, Gui. Equal time on all systems. Then I'll put my support behind GnuPG.
Otherwise Network Ass. should release their control over a product they raped.
Get your Unix fortune now!
I'd beg to differ. read the (currently highest moderated) post by Bruce Perens begging Phil to Join the GPG team
they ont HAVE to claim their code is clean room... as long as no code is copy-pasted over then its ok... if there is some type of bug or other problem in the code and he knows HOW to fix it but not the exact code he CAN tell them how to do that... he can give them ideas about what to do as ong as he doesn't drop in some code...
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
The only piece I really use is the PGPdisk feature. Creating a totally encrypted virtual harddrive is very cool.
I create 649 / 699 MB PGPdisks, fill them with my 'backups', "unmount" them, and then burn them onto CD. Voila, encrypted CD contents. Works beautifully.
It would be the coolest thing in the world if GPG was able to mount the same PGPdisks. Heck, even using other filesystems should be possible.
It's great for keeping data private (as long as the encryption will hold, a couple of years longer maybe).
Once GPG can at least mount and hopefully also create "GPGdisks", I'll ditch PGP.
You mean something like the KDE Free Qt Foundation? Qt is triple licensed: GPL, QPL, proprietary. If TrollTech discontinues the free edition of Qt, then the last available version will be released under the BSD license. (I'm not sure whether that's with the advertising clause.)
He could probably join the project as an advisor, as long as he didn't write any code, and not break the "clean-roomliness" of the code.
Ask any (ex) Informix employee about how well the hostile takeover and fire everyone "software company" strategy works. Computer Associates: milking support contracts for all their worth for years now.
Admittedly, it's not the latest and greatest - but this is open source folks, surely some talented hackers out there can expand on what is already open?
Try reading the article before you post. The article tells you why this couldn't happen.
-a
How to rationalize theft.
The principle issue that faces any developer wishing to integrate GPG is that it is covered by GPL. That means that even if it had an SDK (which the isn't) you couldn't link with it without infecting your own code. Even LGPL libs can't link with it. At present if you wish to use GPG, you must mess around constructing command line arguments, opening pipes etc., invoking it and then parse the results. It is a major pain. There are libraries such as GPGME that hide some of this from you but it is still slower than running in-process and has significant issues running on platforms like Windows or Mac where piping etc. might be done differently.
If PGP were opened up with either a LGPL or BSD style licence I can see it being used in preference to GPG. GPG has the better command-line interface and might be ok for scripts but PGP has an SDK (as well as a great UI on Win32) and would be ultimately faster if software can link directly to it.
PZ should get involved with Mozilla. For literally years I've been waiting for someone to build in some sort of public-key email (and newsgroup) crypto. It's still not there yet, and THAT has prevented several people I know - including myself - from adopting Mozilla as my sole internet access tool. I'd love to be able to dump some of the crap I run for email and usenet.
First it was the export restrictions that were deterring Mozilla crypto. Now it's something else. I guess these projects qualify for some of what's being done today, but I needed Mozilla to do built-in crypto years ago. The standard Mozilla comeback is "do it yourself". Well, I have neither the time nor the skill to do that. But Phil does!
Maybe the NSA will buy it and then open source it, then include it with their SE Linux.
Zoot!
Using outlook to send secure email? Wouldn't those two cancel eachother out?
Of course in 2005 (when the copyright is up), PGP will be in the public domain and we can all use it.
I don't believe email encryption will become mainstream unless these things happen.
1) Major email client providers agree on a standard
2) The ability to encyrpt/decrypt is provided with the default install of their product.
Network Associates is sitting on the code to squash it. They don't want to sell it. They don't want to make money off it. They want to keep it unavailable. Texaco owned the patent for fuel injection systems in cars. Until that patent expired (patents used to expire), no cars had fuel injection. If you don't remember, they might want to look back at the date on the press release that Network Associates (a.k.a. McAffee) released, stating that they planned to discontinue PGP. It's pretty close to September 12, 2001.
I'd say that the fact that no one seems to know conclusively where you can run GnuPG is a sign that it's not ready for prime time!
-------------------------
slashdot@com.jarnot (swap the domain)
The generic response was "Open Source does not mean taking a product we don't want any more and throwing it over the wall. It means taking a product we continue to maintain and donating rights to it to the open source community. We can't just give away software without assessing the legal and PI risks. That's an expensive process, and we just won't do it unless it helps us start an OS project with some real potential."
I might be misquoting (that's why I don't name the company), but you can see the issues.
Out of curiosity, I went to NAs site looking for a client. They only make one for windows? I didn't see one for any other opsys's.
Guess we do need to save PGP.
JB
The heat from below can burn your eyes out
is a KAP (Kick Ass Privacy) or maybe TFSP (Totally Frickin' Sweet Privacy).....
Because he knows what he's talking about. That's a lot of authority.
HahahahahahahahahahahahahaHAHAHAHAHAHHAHAHAHA
Have you tried to work with Phil Z.? Oh... thought not.
People who end up in the mess Phil did are not always the folk with the best social interfaces...
The problem with PGP is that overall it is tending to hinder the use of crypto than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know its there because they are being told that only crypto persecuted by the NSA should be used.
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Rather than attempt to resurect the PGP message formats it would be better to spend time building S/MIME key signing code.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Sure, someone pays a lot of money to develop or acquire software, so when they no longer want to market it as an end-user product they should just give it away, with no consideration for all the legal and financial entanglements? Please. I'll take such claims seriously when the /. crowd does something similar. (And no, developing OSS projects from scratch is not even close to being the same thing.)
For a good read w/r/t Crypto in general (including Zimmerman and some of his past,) check out Stephen Levy's book Crypto. It is excellent.
FreeBSD for the impatient.
Try out Enigmail [http://enigmail.mozdev.org/].
Enigmail is a "plugin" for Mozilla/Netscape7 Mail which allows users to access the authentication and encryption features provided by the popular GPG and PGP software (see screenshots). Enigmail is open source and dually-licensed under the GNU General Public License and the Mozilla Public License .
I was using WinPT for a while, until I stumbled on GPGshell. It calls GnuPG to do the work, so you never have to worry about entering your passphrase into a GUI. IMHO, it's a lot nicer than WinPT. When you install it, you get 3 programs, which don't need each other to work:
So anyway, here's what you do:
So far this setup has had no problem dealing with any PGP messages I've encountered, from 2.6.2 to 7.x, but I haven't tested it extensively.
Right now GUI wise, it's the easiest and nicest way to use gnupg for emails in Windows.
Does anyone know how much NAI wants for PGP? Yes, we all know that it's more than Phil Zimmerman can afford, but how much is that? Maybe some other individual or organization -- by himself/herself/themselves, or together with Zimmerman -- could buy it and Open Source it...
I always find this kind of subject amazing. Examine the realities of the situation:
(1) If the author has given the source away in the past, there is little commercial gain to be had by someone selling a compiled binary. Ergo, Network Associates can't make a go of it.
(2) If a commercial company (with money in the bank) owns the IP to a piece of software there is no (repeat, NO) incentive to release the source or the binary for free. Why you ask? Because some slimebag somewhere will sue their ass if they think (1) they've been wronged, and (2) the IP owner has money in the bank. This is less of a risk of you are selling the IP, too much risk if you are giving it away.
C'mon guys, and Phil, wise up.
Could the Open source community buy it? I know I'd donate. If every one who thinks its important keep donates something, would it be enough? We could put it under a decent license (BSD, MIT, GPL, etc) and donate it to GNU, MIT, or the EFF.
Are there any sites out there which take donations to buy closed source products and open source them?
Zeinfeld writes:
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Sure, anyone can be an X.509 CA, but that doesn't help much. In order to issue meaningful X.509 certificates, you need to be a widely trusted CA, and that means commercial certificate distribution deals with Verisign, AOL and Microsoft, and that pretty much rules out all but big businesses.
PGP's web of trust has a much lower barrier of entry.
----
Open mind, insert foot.
The plug-in is THAT good.
Although I use enigmail at home, I use the gdata Outlook plug-in at work. It is much easier & smoother that enigmail.
This is one of the problems of GnuPG vs. Commercial PGP.
With GnuPG, you expect "normal" end-users go download GnuPG that has been ported to Win32 from somewhere... then go download a GUI from somewhere else, then go download an email plug-in from yet ANOTHER place.
Just getting people to understand the basics of asymmetric encryption is difficult enough without making a career out of finding a usable installation.
Complain all you want about "stupid users", but in the end, a simplified installation package is what gets people to use it. Encryption for the masses, not encryption for the techno-elite.
-SB
Anyway, I highly recommend it.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
In MS business environments you don't tend to Admin rights on the box where you are working. I don't even have at home on my Windows box.
I know, I worked on it for a while back in the early days.
It seems that under circumstances like these, the online community often coughs up quite a bit of cash. Why not ask for donations?
If the online community gave him this money, he would be obligated to act in good faith and open source the entire thing (including the commandline wrapper if Network Associates is truly selling PGP).
Sorry, I'm not actually living in the real world. My imagination tends to get the better of me...
All data is speech. All speech is Free.
For encrypt to really take off amongst technical lay-people someone like AOL will have to seamlessly integrate it into their mailer: complete with automagic key-fetching and hiding all that nasty ASCII armoured 'garbage' (like KMail does). Unless the PGP or GNUPG creators can solve this problem then neither of them are any use to the average email user.
"I'll say this, he's an interesting little capitalist."
Very unprofessional journalism.
x.509 certificates are supported as standard in shitloads of mail clients (inc. Netscape and the ever popular MS Outhouse). Many people regard those as an "industry standard"
However, x.509 is more suited to compannies, as each public key must be signed by a trusted certificate authority to be valid. (e.g. Signed by Thwate.... otherwise use openSSL and set yourself up as a certificate authority and generate your own x.509 certs). This is only really practacle for a large company.
Individuals are better suited to PGP because of its "web of trust" model eliminates the need for certificate authoritys, but will be impractacle for a large organisation. (Its no wonder NA failed to sell PGP to companies.... the existing x.509 standard is mutch more suited)
See this link
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
You need one of the international versions of PGP available from www.pgpi.org you do
Available on a shitload of platforms
And pgpi is a very trusted site
(I could also mention the Cyber Knights Templar builds. Also very trusted + open source)
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
An interesting comment in the Newsforge article:
This would allow Network Associates to continue to sell and make money from the command-line version, more popular with corporate techies. "End-users don't pay money," Zimmermann says. "It's the businesses with their techies who pay money and they like to have a command-line product to run in a shell script, so that a big Web site, for example, can encrypt your credit card number. Their command-line product is for one of those raised-floor machine rooms with a bunch of servers and nobody around."
Compare this to the reference in the snort article, where the core code is free, because its the techies who use that, and the GUI addons that cost.
I'm not really going anywhere with this, but it is a little surprising to see two completely diametric viewpoints on the same idea.
Well, the GNU Project is not "any random Open Source project" either. Though the FSF might prefer the current situation, without PZ involved in GnuPG.
But I doubt that PZ would be interested in working on GnuPG anyway. Seems he's more interested in his project surviving.
He saw some dirty arabs and fired. Too bad it was just some friendly kurds, BBC reporters and his fellow cowboys.
GnuPG is partly backed by the german government:
gnupg.de
gnupp.de
Someone is wrong on the Internet!
Not really. If your only concern is encrypting/signing mail (and other stuff) within your organization, than the CA only needs to be trusted within your organization. Trust in the CA can be enforced as a condition of employment. This makes PKI practical for many mid size businesses as well, although small businesses should look elsewhere due to the large inital outlay required. If you wish to explicitly trust the PKI of another business than your CA's can issue each other Cross-Certificates.
.NET but my industry sources tell me that it is about 3 generations behind Entrust and 2 behind Verisign as far as capabilities, security, and (surprise) interoperability. This doesn't surprise me given the MS record with PKI and security in general. I'd better stop there or I won't get any work done today.
Also, only one of the three businesses you mention is in the business of selling commercial certificates (Verisign). MS sells PKI products that allow you to generate your own self-signed certificates. MS has a PKI offering coming in
Stop Continental Drift! Reunite Gondwanaland!
That has nothing to do with the format of the certificate. It is simply basic math.
All the major email programs allow you to install your own trust roots, always have. The problem is getting a trust root widely recognized.
The diameter of a graph is the length of the longest path between two nodes. If the diameter of the graph is small then either the graph cannot be large or there must be at least soe nodes of very high degree. [The Moore bound on the diameter of a graph is k * (k-1)^d where k is the degree of the nodes and d the diameter.
Applied to PGP it means that if you have a Web of trust with a trust chain length of 5 and each person signs ten other keys you can have no more than 90,000 members if the members align themselves perfectly. In practice the size of the graph would be much smaller since the connections would be either random or highly locally connected which gets you down to about 10,000 users.
PGP works largely because people take untrusted keys of key servers and because there are folk like Jeff Schiller who have signed hundreds of keys.
If you want a global PKI then you need intermediaries. PGP is not designed to scale to be a global system. But if you are prepared to put up with the size limitations of the PGP model you can do the same in S/MIME.
Microsoft even ship a mini CA tool with Office and Visual studio - makecert.exe. It is a bit idiosyncratic and you need to get another tool fro the Microsoft site to convert the private key formats to PKCS12 format but it certainly works. The SSLeay code also has a cert signer.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I really love that expression "like trying to herd cats".
...
I would be right there ready to test binaries if you do something like this, but the idea of going off and starting yet another project worries me. You never know, diplomacy might actually work (especially if Phil Zimmerman was the diplomat).
You might try doing a cross platform but different native toolkit kinda thing like Abiword does.
The Mozilla plugin has potential, interesting.
My GUI design philosophy is if in doubt copy what everyone else is doing (in this case copy the official PGP). Do it differently only if you can demonstrate why your way is better (and even then it has to be substantial better to overcome the problem of inconsistancy+learnability).
Trying desperately to stay on topic and protect my meagre Karma
OK, let's put this one to rest for once and all. I can't even begin to use the code unless I've paid for the right to do so. PGP Freeware exempted yes, but if I'm trying to do something for, say, a company, then I can't do squat with the code. Sure, I could theoritically modify it, but I would be in trouble for using that code until I've bought the license.
SIG: HUP
Conare writes:
Not really. If your only concern is encrypting/signing mail (and other stuff) within your organization, than the CA only needs to be trusted within your organization. Trust in the CA can be enforced as a condition of employment. This makes PKI practical for many mid size businesses as well, although small businesses should look elsewhere due to the large inital outlay required.
X.509 is a clumsy tool for internal encryption. Most programs using it are using it for communications, not storage. A good chunk of any businesses need for secure communications is with other businesses. You can't make your parts supplier trust your internal CA as a condition of employment, and you usually can't even require it as a term of your contract with them.
If you wish to explicitly trust the PKI of another business than your CA's can issue each other Cross-Certificates.
Again using my parts supplier example, that would basically be me going to my parts supplier, and asking them to trust that every certificate we issue is valid. That's a lot of trust. Most people are prone to say "no", particularly if they don't understand the full ramifications of that trust.
With the PGP/GPG "Web Of Trust" model, all I would have to ask them is to trust that my key is validly my key. Much easier to do, the guy at my parts supplier can do this over the phone in many cases. Then he can sign my key and put it on their keyserver. Anyone at my parts supplier who accepts his signature will automatically trust my key. They are only asked to trust themselves, and what they can readily verify; a much more palatable trust model.
only one of the three businesses you mention is in the business of selling commercial certificates (Verisign).
The other two are the leading distributors of X.509 capable products, and therefore the leading distributors of "Here are the trusted Certificate Authorties" lists. To get on those lists takes money.
----
Open mind, insert foot.
The CKT builds http://www.ipgpp.com/ (get 6.5.8ckt08, *not* the beta version unless you actually want to help test) of PGP have been around for a while.
They haven't always been popular with prz, because they permit the use of monstrous public key sizes (which meant little without a monstrous symmetric algo and big hash algorithm to back them up), and monstrous public keys are slow and of insignificant practical use without the accompanying Faraday cage, dedicated terminal and tinfoil hat.
They are, however, the "best" version of PGP out there and the only one that's still being worked on.
GnuPG is another implementation of OpenPGP (RFC2440), of course, as many other people have mentioned - but that isn't terribly suitable for Windows, not having a GUI of it's own (for philosophical reasons - it is, after all, a command line utility) and lacking a good, stable GUI to the standards of PGP (they're new - give them time and support and they will get better). Also, GPG has no support for locking pages of memory which contain security-critical data against being swapped out under Windows (and currently relies on being suid root under Linux for this too, before you all cry victory - don't start beaming until it starts using capabilities - suid applications make me nervous).
The CKT builds of PGP 6.5.8 work under XP, and there are no (as far as I am aware) reported problems with the Outlook and Bat plugins. They just suck a bit less than the vanilla builds. I know of no vulnerabilities in the current CKT build (don't use the beta in production environments though, it's broken on a few things).
Their copyright is probably a bit dodgy. I'm only saying probably because I'm not a lawyer; it's moot - trying to shut them down would be a Bad Idea (because of the million mirrors theorem) and a Bad Thing (because Encryption Is Good(tm) and what else is there of the same quality now?). It would be lovely if that could be resolved - if the CKT builds could be legitimised, and more people worked on them.
I can't speak for the third-party licensing situation though. It could be too complex to resolve - as I said above, I'm no lawyer.
As for the command line version being saleable, NAI are in a fantasy world. The PGP command line pales next to GnuPG for so many reasons I don't even have to list them (besides, it'd start an argument if I did).
The loss of the PGP command line would be frankly non-critical. The OpenPGP crypto core could be replaced or rewritten, probably more easily than you think, especially as there are independent, clean implementations to crib notes from (i.e., GPG). The GUI and SDK (and the plugins) are the important bits. It'd be a shame if they were lost... not to mention all the ancillary bits like PGPnet (did that ever get stable?... OTOH, there's SSH port forwarding so I can do without it), PGPdisk (not a panacea, but useful - I just plain don't like Scramdisk, but that's a viable option too) and so on.
By getting the SDK and GUI back you'd get all the really important stuff that PGP has over what, were it to be commercialised again, would be its competitors. You might have to rewrite the actual cryptography because of excess legal baggage, but given quite large revisions in the OpenPGP standard like MDC support, and for the sake of cleaner code, would that be such a bad thing?
Best of luck, Phil. Oh, and by the way - thanks. Probably too few people remember to say that.