Encryption Security

Is There a Future for PGP? 43

Thom Dyson asks: "So it looks like McAfee is walking away from PGP. At least that's how I interpret their marketing speak. I've been told PGP doesn't work on XP, does that hold true for the Open Source version as well?"
  • by PD ( 9577 ) <slashdotlinux@pdrap.org> on Wednesday January 09, 2002 @07:55PM (#2813553) Homepage Journal
    I agree 100% with you, and I'm thinking specifically of Usenet. I can imagine a Usenet where everyone has a certificate signed by a trusted authority, or signed by someone who was signed by a trusted authority.

    When a message is posted, the certificate goes along for the ride. Everything must check out before the server accepts the message.

    If someone spams, their certificate is revoked. If someone is signing spammers certificates consistently, then THEIR certificate is revoked.

    It would make a HUGE dent in the usability of the Usenet, and unlike Usenet II, it wouldn't require a system of trusted servers.

    I've thought about this for a while, and I'm very interested in what others think of this scheme.
  • WinXP compatibility (Score:2, Interesting)

    by Thalin ( 130318 ) on Wednesday January 09, 2002 @09:01PM (#2813954) Homepage
    I know one of the guys who writes PGP. Last I talked to him, he was writing the Palm version. I heard today about this thing from his wife, and as far as I know, there are only 8 developers left working on PGP. I dunno if that makes you folks appreciate why it doesn't work on WinXP or not, but I felt like I should stick up for my friend (since he's a mentor and all :P).
  • by jmaslak ( 39422 ) on Wednesday January 09, 2002 @09:55PM (#2814174)
    S/MIME is an Internet Standard. I know that Outlook, Outlook Express, and Netscape Mail all support it. Others probably do, too. I can send a signed message to an Outlook user today and they can respond with an encrypted one. With PGP, that isn't usually possible today.

    The other problem with PGP is that it is nearly impossible to securely exchange keys, unless you luck out and trust someone who has signed it (not likely!). You end up having to call them up on the phone and read the fingerprint or trust that your mail was secure (in which case, why are you encrypting?). S/MIME relies mostly on certificates, which although they have many problems, do solve the majority of key distribution problems.
  • by gfilion ( 80497 ) on Wednesday January 09, 2002 @10:06PM (#2814220) Homepage

    I agree 100% with you, and I'm thinking specifically of Usenet. I can imagine a Usenet where everyone has a certificate signed by a trusted authority, or signed by someone who was signed by a trusted authority.

    I think that this is a great idea, but I don't see how it would be managed. Would the trusted authorities sign the certificates for free or for a charge? If they charge something for the signing, the number of people on usenet would drop. And if this is free, how could any kind of verification of the authenticity be made?

    Also you would lose a lot of Usenet's privacy, since everything is signed by the sender. The evil-corporation/NSA/Ashcroft/MPAA could prove that you sent a specific usenet message and beat you with a big stick.

    But I agree that it would help a lot in making usenet a bit like it was in the pre-1995 era -- that is, before I discovered usenet... 8)

  • by PD ( 9577 ) <slashdotlinux@pdrap.org> on Thursday January 10, 2002 @12:45AM (#2814735) Homepage Journal
    The keys would be signed like free software is distributed. You can sell it or not. To get on Usenet for free you'd have to find somebody who would sign a key for you. It's up to the key signer to decide if they trust the person they are signing. After all, if that guy spams, then the key signer could ultimately have his certificate revoked.

    I see this as a volunteer system. Lots of people currently spend their time tracking down spammers, issuing cancels, etc. So far their success has been incomplete. Much spam is stopped, but much is not. Instead of spending time with cancels and other spam hunting, they would spend time managing the certificate system. That would consist solely of revoking certificates of abusers and optionally the people who sign the keys.

    There's a subtle thing here: it works both ways. Suppose you go to a shady person to get your key signed. You're posting along happily, and then everything starts getting rejected back to you. What happened? You discover that the person who signed your key also signed a key for 100 spammers, and got his certificate revoked. That makes your certificate invalid. The pressure here would be for the users to find reliable people to sign their keys, as well as for the signers to find reliable non-spammers to sign keys for.

    So you see, there's no need to verify any actual identity. I could get a certificate made out to my dogs Pepper and Darwin, signed by some other dude named "Anonymous Coward" who ultimately has a certificate signed by the root authority, say Linus Torvalds. You don't need to know the actual identities of the people involved, only that their certificates fit into the chain properly. All the details of trust are properly left to the leaves of the tree.
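A small model of the certificate-chain scheme PD describes above, added here as an illustration and not code from the thread or from any PGP implementation. The root authority, the example names, and the "three revoked signees gets the signer revoked" threshold are constructed assumptions; the point shown is that revoking a signer invalidates every certificate hanging below it, including those of innocent posters.

```python
# Added example, not from the Slashdot thread: a minimal model of the
# certificate-chain Usenet scheme described above. The root name, the
# example posters and the revocation threshold are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class CertRegistry:
    root: str                                       # trusted root authority
    signer_of: dict = field(default_factory=dict)   # cert name -> who signed it
    revoked: set = field(default_factory=set)       # names whose certs are revoked

    def issue(self, name: str, signer: str) -> None:
        """Record that `signer` vouches for `name`; the signer must already be known."""
        if signer != self.root and signer not in self.signer_of:
            raise ValueError(f"unknown signer {signer!r}")
        self.signer_of[name] = signer

    def is_valid(self, name: str) -> bool:
        """Walk the chain up to the root; any revoked or unknown link invalidates it."""
        seen = set()
        while name != self.root:
            if name in self.revoked or name not in self.signer_of or name in seen:
                return False
            seen.add(name)                # guard against a malformed cyclic chain
            name = self.signer_of[name]
        return True

    def report_spam(self, name: str, signer_limit: int = 3) -> None:
        """Revoke a spammer; once a signer has vouched for too many, revoke the signer too."""
        self.revoked.add(name)
        signer = self.signer_of.get(name)
        if signer is None or signer == self.root:
            return
        bad = sum(1 for n, s in self.signer_of.items() if s == signer and n in self.revoked)
        if bad >= signer_limit:
            self.revoked.add(signer)


def demo() -> dict:
    """Innocent poster signed by a shady signer loses their cert when the signer is revoked."""
    reg = CertRegistry(root="Linus Torvalds")
    reg.issue("Anonymous Coward", "Linus Torvalds")
    reg.issue("Pepper and Darwin", "Anonymous Coward")
    for i in range(3):
        reg.issue(f"spammer{i}", "Anonymous Coward")
    before = reg.is_valid("Pepper and Darwin")
    for i in range(3):
        reg.report_spam(f"spammer{i}")
    return {"before": before, "after": reg.is_valid("Pepper and Darwin"),
            "signer_revoked": "Anonymous Coward" in reg.revoked}
```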
  • by cdupree ( 89998 ) on Thursday January 10, 2002 @02:09AM (#2814976)
    On the level of software, I've used PGP frequently but not extensively for a few years now. I often sign, but rarely encrypt, my messages. I sometimes verify software with PGP signatures; if someone sends me a message with a PGP signature, I usually verify it. But these are all partly because I enjoy doing it.

    On the level of civil liberties, I think that some rights need to be exercised on general principle. If you read the literature, it's clear the government has intercepted communications by mail, telegraph, and telephone for many decades. All governments, I imagine, have done so. So do we figure it's always happened and always will? Or decide that governments (and corporations as well, of course) are abusing their rights by opening our mail, and prevent them from doing it?

    It's not about what I'm saying in my message. It's about whether I have the right to send a message without it being read by Big Brother. Using tools like PGP and GPG makes a statement that may turn out to be important in the near future. If no one is using encryption, the security honchos will argue that only criminals would use encryption, so we can afford to outlaw strong encryption and settle for an updated Clipper chip. Or just stick to the old leather strap 'round the stick trick.
  • by frog51 ( 51816 ) on Thursday January 10, 2002 @07:53AM (#2815595) Homepage Journal
    Yes - almost all the time for personal email to my family, friends and colleagues. Usually I have nothing secret or exciting to hide, but when I do my traffic will look no different.
    Otherwise anything important will stand out like a sore thumb.
    Oh, and it gives me that warm, fuzzy, "I'm a secret agent" feeling:)
