Is There a Future for PGP? 43
Thom Dyson asks: "So it looks like McAfee is walking away from PGP. At least that's how I interpret their marketing
speak. I've been told PGP doesn't work on XP, does that hold true
for the Open Source version as well?"
Re:Does anyone even use pgp or gpg? (Score:5, Interesting)
When a message is posted, the certificate goes along for the ride. Everything must check out before the server accepts the message.
If someone spams, their certificate is revoked. If someone is signing spammers certificates consistently, then THEIR certificate is revoked.
It would make a HUGE dent in the usability of the Usenet, and unlike Usenet II, it wouldn't require a system of trusted servers.
I've thought about this for a while, and I'm very interested in what others think of this scheme.
WinXP compatibility (Score:2, Interesting)
Standards! It already works. (Score:3, Interesting)
The other problem with PGP is that it is nearly impossible to securely exchange keys, unless you luck out and trust someone who has signed it (not likely!). You end up having to call them up on the phone and read the fingerprint or trust that your mail was secure (in which case, why are you encrypting?). S/Mime relys mostly on certificates, which although they have many problems, do solve the majority of key distribution problems.
Re:Does anyone even use pgp or gpg? (Score:2, Interesting)
I agree 100% with you, and I'm thinking specifically of Usenet. I can imagine a Usenet where everyone has a certificate signed by a trusted authority, or signed by someone who was signed by a trusted authority.
I think that this is a great idea, but I don't see how it would be managed? Would the thrusted authorities sign the certificates for free or for a charge? If they charge something for the signing, the number of people on usenet would drop. And if this is free, how could any kind of verification of the authentity be made?
Also you would loose a lot of Usenet's privacy, since everything is signed by the sender. The evil-corporation/NSA/Ashcroft/MPAA could prove that you send a specific usenet message and beat you with a big stick.
But I agree that it would help a lot in making usenet a bit like it was in the pre-1995 era -- that is, before I discovered usenet... 8)
Re:Does anyone even use pgp or gpg? (Score:4, Interesting)
I see this as a volunteer system. Lots of people currently spend their time tracking down spammers, issuing cancels, etc. So far their success has been incomplete. Much spam is stopped, but much is not. Instead of spending time with cancels and other spam hunting, they would spend time managing the certificate system. That would consist solely of revoking certificates of abusers and optionally the people who sign the keys.
There's a subtle thing here: it works both ways. Suppose you go to a shady person to get your key signed. You're posting along happily, and then everything starts getting rejected back to you. What happened? You discover that the person who signed your key also signed a key for 100 spammers, and got his certificate revoked. That makes your certificate invalid. The pressure here would be for the users to find reliable people to sign their keys, as well as for the signers to find reliable non-spammers to sign keys for.
So you see, there's no need to verify any actual identity. I could get a certificate made out to my dogs Pepper and Darwin, signed by some other dude named "Anonymous Coward" who ultimately has a certificate signed by the root authority, say Linus Torvalds. You don't need to know the actual identities of the people involved, only that their certificates fit into the chain properly. All the details of trust are properly left to the leaves of the tree.
Re:Does anyone even use pgp or gpg? (Score:2, Interesting)
On the level of civil liberties, I think that some rights need to be exercised on general principle. If you read the literature, it's clear the government has intercepted communications by mail, telegraph, and telephone for many decades. All governments, I imagine, have done so. So do we figure it's always happened and always will? Or decide that governments (and corporations as well, of course) are abusing their rights by opening our mail, and prevent them from doing it?
It's not about what I'm saying in my message. It's about whether I have the right to send a message without it being read by Big Brother. Using tools like PGP and GPG makes a statement that may turn out to be important in the near future. If no one is using encryption, the security honchos will argue that only criminals would use encryption, so we can afford to outlaw strong encryption and settle for an updated Clipper chip. Or just stick to the old leather strap 'round the stick trick.
Re:Does anyone even use pgp or gpg? (Score:3, Interesting)
Otherwise anything important will stand out like a sore thumb.
Oh, and it gives me that warm, fuzzy, "I'm a secret agent" feeling:)