Is There a Future for PGP?
Thom Dyson asks: "So it looks like McAfee is walking away from PGP. At least that's how I interpret their marketing speak. I've been told PGP doesn't work on XP, does that hold true for the Open Source version as well?"
Does anyone even use pgp or gpg? (Score:4, Insightful)
I know I don't.. :)
Re:Does anyone even use pgp or gpg? (Score:1)
Everyone agrees that encryption is a good idea and we should all be using it, but do you actually know anyone who does?
Sorry about picking nits, but anyone who has ever visited an https site uses encryption. I use encryption every day, to ssh to my server.
I don't use pgp, but that's because it simply isn't easy to use. Across the board use of pgp would pretty much eliminate spam. One day maybe people will see the light.
Re:Does anyone even use pgp or gpg? (Score:5, Interesting)
When a message is posted, the certificate goes along for the ride. Everything must check out before the server accepts the message.
If someone spams, their certificate is revoked. If someone is signing spammers' certificates consistently, then THEIR certificate is revoked.
It would make a HUGE dent in the usability of the Usenet, and unlike Usenet II, it wouldn't require a system of trusted servers.
I've thought about this for a while, and I'm very interested in what others think of this scheme.
Re:Does anyone even use pgp or gpg? (Score:2, Interesting)
I agree 100% with you, and I'm thinking specifically of Usenet. I can imagine a Usenet where everyone has a certificate signed by a trusted authority, or signed by someone who was signed by a trusted authority.
I think that this is a great idea, but I don't see how it would be managed? Would the trusted authorities sign the certificates for free or for a charge? If they charge something for the signing, the number of people on usenet would drop. And if this is free, how could any kind of verification of the authenticity be made?
Also you would lose a lot of Usenet's privacy, since everything is signed by the sender. The evil-corporation/NSA/Ashcroft/MPAA could prove that you sent a specific usenet message and beat you with a big stick.
But I agree that it would help a lot in making usenet a bit like it was in the pre-1995 era -- that is, before I discovered usenet... 8)
Re:Does anyone even use pgp or gpg? (Score:4, Interesting)
I see this as a volunteer system. Lots of people currently spend their time tracking down spammers, issuing cancels, etc. So far their success has been incomplete. Much spam is stopped, but much is not. Instead of spending time with cancels and other spam hunting, they would spend time managing the certificate system. That would consist solely of revoking certificates of abusers and optionally the people who sign the keys.
There's a subtle thing here: it works both ways. Suppose you go to a shady person to get your key signed. You're posting along happily, and then everything starts getting rejected back to you. What happened? You discover that the person who signed your key also signed a key for 100 spammers, and got his certificate revoked. That makes your certificate invalid. The pressure here would be for the users to find reliable people to sign their keys, as well as for the signers to find reliable non-spammers to sign keys for.
So you see, there's no need to verify any actual identity. I could get a certificate made out to my dogs Pepper and Darwin, signed by some other dude named "Anonymous Coward" who ultimately has a certificate signed by the root authority, say Linus Torvalds. You don't need to know the actual identities of the people involved, only that their certificates fit into the chain properly. All the details of trust are properly left to the leaves of the tree.
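The revocation scheme proposed in the comments above, modelled as an added example that is not part of the original thread. It covers only the chain walk and the revocation cascade; signature verification is assumed to have passed already, and the `ROOT` name, the sample certificates and the threshold of three are constructed for illustration.

```python
from collections import Counter

ROOT = "root"  # hypothetical name for the root authority's certificate

# Constructed sample: subject -> issuer (who signed it). Names are pseudonyms;
# the scheme never verifies real identity, only that the chain reaches ROOT.
CERTS = {
    "Anonymous Coward": ROOT,
    "Pepper and Darwin": "Anonymous Coward",
    "shady signer": ROOT,
    "honest user": "shady signer",
    "spammer-1": "shady signer",
    "spammer-2": "shady signer",
    "spammer-3": "shady signer",
}

def check_post(poster, certs, revoked, max_depth=16):
    """Return (accepted, reason) for a post signed by `poster`.

    Only the chain and revocation logic is modelled; cryptographic
    verification of each signature is assumed to have passed already.
    """
    name, seen = poster, set()
    while name != ROOT:
        if name in revoked:
            return False, f"revoked: {name}"
        if name in seen or len(seen) >= max_depth:
            return False, "loop or chain too long"
        if name not in certs:
            return False, f"unknown certificate: {name}"
        seen.add(name)
        name = certs[name]  # move up to the signer's own certificate
    return True, "chain ok"

def signers_to_review(certs, revoked, threshold=3):
    """Signers who issued at least `threshold` certificates that were revoked."""
    counts = Counter(certs[s] for s in revoked if s in certs)
    return sorted(i for i, n in counts.items() if n >= threshold and i != ROOT)

if __name__ == "__main__":
    revoked = {"spammer-1", "spammer-2", "spammer-3"}
    print(check_post("honest user", CERTS, revoked))    # signer not yet revoked
    revoked |= set(signers_to_review(CERTS, revoked))   # revoke the signer too
    print(check_post("honest user", CERTS, revoked))    # innocent user now rejected
    print(check_post("Pepper and Darwin", CERTS, revoked))
```

The second call shows the "works both ways" pressure: a user with a clean record is rejected once the person who signed their key is revoked.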
Re:Does anyone even use pgp or gpg? (Score:2)
Such a system is hardly imaginary. Major browsers and mailers/newsreaders have supported X509 certificates for 5+ years now. Thawte gives out free certs (in your e-mail address only, not your real name), and Verisign charges $20 or so for individuals last I checked.
Problem is the "trusted authority" model (SMIME) is incompatible both technically and philosophically with the PGP/GPG model (which relies on a 'web of trust' rather than a certificate authority.)
Re:Does anyone even use pgp or gpg? (Score:1)
You have big com's selling 'em (VeriSign [verisign.com] for example)
and people giving them away for free.
thawte [thawte.com].
Thawte is great, it'll give you a DigitalID/Personal Certificate thing for free, but it comes with the name of "Thawte Free User".
You then earn "points", and when you have 50 (I think) you can have your name instead of "TFU".
You get points by going to see other members who have got over 100 points, and then show 'em your ID (passport/driver's licence/etc) and they award up 10 points.
This way you can have an "ignore free members" option as well, ensuring that all posters can be traced, or ignored.
Mike
Re:Does anyone even use pgp or gpg? (Score:2)
Re:Does anyone even use pgp or gpg? (Score:1)
I'll be more specific next time.
And I agree with your point, I don't send encrypted mail because it's usually too much effort to track down the appropriate public key and so on. If it were as easy and automated as https then I would probably use it a lot more.
Re:Does anyone even use pgp or gpg? (Score:2)
Re:Does anyone even use pgp or gpg? (Score:1)
Re:Does anyone even use pgp or gpg? (Score:3, Informative)
Huh? Since when? I use it, seems quite simple to me. You generate a keypair at install time, secure your private key with a passphrase, and two buttons get added to your mailclient - one for encryption of the message, other for signing.
When you send a signed email, you're asked for that passphrase, and when you receive an encrypted mail you're asked the same -- automagically. Likewise, a digisig is also confirmed at that time too.
Using the key manager, you can see your public key, submit to a keyserver (like pgp.mit.edu) for others to obtain, as well as add your friends' pubkeys to your keyring. And it's very straightforward to do.
Command line not necessary (Score:2)
PGP doesn't have to be hard and GPG can be dead easy... not that using either from the command line is that difficult.
There is PGPTray and on the free software side there is WinPT [winpt.org] (Windows Privacy Tray). This is a little system tray application that encrypts and decrypts from the clipboard and supports most of the common command line options.
There is also GPGOE [winpt.org], a GPG plug-in for Outlook Express.
Re:Command line not necessary (Score:1)
However I'll have to look at the plug-in for OE.
The big problem I have with 'em is the fact it sticks a big lump at the top of your email. If it "signed" just as a
mlk
Re:Does anyone even use pgp or gpg? (Score:2)
Re:Does anyone even use pgp or gpg? (Score:1)
I only really ever use the S/Mime thingy, and then only ever to sign email[1]. I don't think I ever received or sent an encrypted email.
Mlk
[1] Don't even use that now, Eudora does not support it.
Re:Does anyone even use pgp or gpg? (Score:2, Interesting)
On the level of civil liberties, I think that some rights need to be exercised on general principle. If you read the literature, it's clear the government has intercepted communications by mail, telegraph, and telephone for many decades. All governments, I imagine, have done so. So do we figure it's always happened and always will? Or decide that governments (and corporations as well, of course) are abusing their rights by opening our mail, and prevent them from doing it?
It's not about what I'm saying in my message. It's about whether I have the right to send a message without it being read by Big Brother. Using tools like PGP and GPG makes a statement that may turn out to be important in the near future. If no one is using encryption, the security honchos will argue that only criminals would use encryption, so we can afford to outlaw strong encryption and settle for an updated Clipper chip. Or just stick to the old leather strap 'round the stick trick.
Re:Does anyone even use pgp or gpg? (Score:3, Interesting)
Otherwise anything important will stand out like a sore thumb.
Oh, and it gives me that warm, fuzzy, "I'm a secret agent" feeling:)
I use PGP every day (Score:2, Insightful)
Also, if I'm at work and I want to send sensitive material home to work on, I'll usually encrypt it to my own key before I send it.
The fact of the matter is, though, most people don't think what they have to say is worth protecting with encryption... and most of the time, they're right.
What we need is completely transparent use of PGP in an e-mail client. The user should never know it's there at all.
Re:McAfee owns pgp? (Score:1)
It does work on Win XP (Score:4, Informative)
Well, kind of. Okay, so it gets very confused with fast user switching (it uses services which I think don't understand the concept of multiple users logged in simultaneously) so apart from the various errors that come up when you log in, yeah, it works. (Come to think of it, if it doesn't understand multiple users it certainly won't run on W2k Adv. Server with terminal services then...)
You can right click on files and do encrypt. pgpkeys and pgptools work fine.
Outlook 2002 (Office XP) plugin support is different. Yeah, it works. But not really well at all. The icons seem corrupt in outlook too. You need to enable an option to auto decrypt mail. Then when you open an email PGP tries to decrypt it automatically. (the reason you must do this is that the decrypt button on the toolbar doesn't work *shrug*). Sending encrypted mail on Outlook 2002 works fine too.
I've been doing this for about a month now, with no ill effect.
So yeah, PGP 7.0.3 works on WinXP. It would be nice if it supported XP properly.
D.
Re:It does work on Win XP (Score:2)
I can second that. I use that version using Office XP on Win2K. IIRC - if you receive an encrypted mail w/o auto-decrypt on, you can open the mail in its own window and click the decrypt button from there.
Use Free (libre) Crypto (Score:4, Informative)
Most hardcore cypherpunks seem to still use PGP 2.6.x! (If USENET sigs/keys are any indication)
In any case, check out pgpi.com for different versions of PGP, many of which are actively developed. Also, search for "Cyber-KnightsTemplar PGP". I only used this version when I was a dedicated Windows user.
Now, I use GnuPG for mail/file crypto, and loopback crypto for filesystems (/pub/linux/kernel/people/hvr at your favorite mirror). I run Windows and Linux under VMWare, using the "undoable" drive type, hosted on a blowfish-encrypted loopback volume (which leaves no physical evidence on my machine of activities in the VM). I also dabble in OutGuess for my stego "needs".
While my practices in paranoia are fun, I don't take them too seriously. However, I like the idea of being able to Ashcroft-Proof(tm) my machine if I wish. :-)
Re:Use Free (libre) Crypto (Score:2)
Re:Use Free (libre) Crypto (Score:1)
Say goodbye to my karma...
Re:Use Free (libre) Crypto (Score:1)
Re:Use Free (libre) Crypto (Score:2)
Re:Use Free (libre) Crypto (Score:1)
Re:Use Free (libre) Crypto (Score:2)
Re:Use Free (libre) Crypto (Score:2)
The idea is that you should be able to have a system that encrypts your data, from which you can produce a set of documents, but which can also be hiding other documents which cannot be detected.
Re:Use Free (libre) Crypto (Score:2)
Re:Use Free (libre) Crypto (Score:2)
Re:Use Free (libre) Crypto (Score:2)
To drive that to the logical conclusion, they try to convict your neighbor and they want all of your correspondence with him, do the saber rattling routine and make you give up the keys. Then as they go through your computer they don't find evidence of wrong doing so much as they find evidence that you have unpopular views (perhaps you're a racist or a communist or something, not illegal to be but unpopular) and that gets entered into the public record as well. You're an outcast and your public reputation is ruined and you have no recourse at all.
Re:Use Free (libre) Crypto (Score:2)
Unfortunately, you cannot hinder law enforcement with a valid search warrant from searching. Encryption is thought of as a virtual lock or safe (i.e. evidence), not as testimony.
WinXP compatibility (Score:2, Interesting)
Standards! It already works. (Score:3, Interesting)
The other problem with PGP is that it is nearly impossible to securely exchange keys, unless you luck out and trust someone who has signed it (not likely!). You end up having to call them up on the phone and read the fingerprint or trust that your mail was secure (in which case, why are you encrypting?). S/Mime relies mostly on certificates, which although they have many problems, do solve the majority of key distribution problems.
Re:Standards! It already works - NOT! (Score:2, Informative)
Re:Standards! It already works. (Score:1)
Answers (Score:5, Insightful)
... It doesn't take a rocket scientist to see that those two agendas are not exactly in sync with each other.
GPG and GPGOE work fine on WinXP (Score:2)
No (Score:1)