Encryption Security

How to Save PGP 235

Posted by michael
from the emergency-chute dept.
Tomcat666 sends in: "The Register got some excerpts from an interview with Phil Zimmerman. He talks about how it might be possible to save PGP (Network Associates couldn't sell it, and will stop its development), OpenPGP and the future (industry-backed OpenPGP?)." A follow-up to our story yesterday about Network Associates mothballing PGP.
  • Why not... (Score:2, Funny)

    by mstrjon32 (542309)
    Just open source it...but then again open source and security software aren't best used in the same sentence.
    • Isn't GPG (an OS implementation of the PGP protocol) exactly what you suggest? It's been around for quite some time.
    • Re:Why not... (Score:2, Informative)

      by gartogg (317481)
      The best way to run it is open source. There is peer review on open source programs, and also anyone who wants to modify it (to get rid of keylength caps) can. If you think, you will sound more intelligent.

      The source and encryption methodology betray nothing about how to decrypt a message. That is why PGP is pretty good. Also, is anyone really going to run a company that seems so unable to make money? At least people should have source to play with if the company is going under.
    • Um...because NAI doesn't want to? They own it now, I believe. And they want to profit from it somehow.
    • Actually, any good encryption algorithm is not dependent upon the secrecy of the algorithm. It is dependent on the secrecy of the keys involved.

      The formula for PGP, as well as twofish, blowfish, RC5, and every other major encryption tech in widespread use now is well known. Part of the process of becoming a good scheme is submitting the algorithm to academic (mostly mathematical and statistical) review.

    • Just open source it...but then again open source and security software aren't best used in the same sentence.

      PGP does not depend on keeping the code secret for security.

      However the idea that open source automatically means good security software is not generally accepted in the crypto community. The canonical example is Kerberos, whose design and code were public for 10 years before a major flaw was found.

      The point is that the ability to review code does not translate into the code being reviewed and where security code is concerned who is doing the review matters. Open or closed source does not make as much difference as expert or inexpert review.

      Most of the crypto code in use in closed source software is based on BSafe which has been extensively reviewed by at least as many crypto specialists as PGP.

      It is a pity that folk talk about 'death of PGP' rather than 'using encrypted email'. How the email gets encrypted is not as important as the ability to encrypt. The major commercial email packages have been supporting S/MIME for a long time now.

  • by qurob (543434)

    Make your pet projects free from the start.

    Notice that Phil wants to release it under a BSD style license. As much as we'd all like that, it probably isn't going to happen.
  • RTFA (Score:4, Insightful)

    by BlackSol (26036) on Friday March 08, 2002 @05:33PM (#3132580)
    This isn't the end of PGP. OpenPGP is always going to be around. (or almost always - it's open but everyone could decide to trash it if they like)

    This is the end of commercial PGP. This isn't a good thing for PGP to be used in commercial settings. Also this is the end of the PGPDesktop which was the only thing close to an option for (l)users.

    Hopefully NSI will release the code in a manner that will allow a smaller company to add value and repackage it to large corporations.
  • by Choco-man (256940) on Friday March 08, 2002 @05:35PM (#3132595)
    /. gets about what, a million unique hits? NAI put 36 million into PGP, and since they're not finding a buyer, we can assume they'd be willing to take somewhat less for it.. let's say 25 million. If /. changes its subscription PayPal account instead to be a funding house to purchase PGP, each user could donate 25 dollars, and we'd have a co-op that now owns PGP. This co-op could then market it as an inexpensive payware product, available for download complete with source code for a $5 license fee. This rids the need for /. subscriptions by generating income, opens the most current version of source code up for review, and allows independent programmers to modify this source code to continually improve the product.

    A win win situation! 8-)

    IANAL. This is tongue in cheek. I hate having to explain myself...
    • Aren't they dumping the PGP dept because they can't make any money off of it? What makes you think this co-op /. corp would be able to?
      • because they're not open sourcing the code, and charging 50 bucks a pop. i suggest open sourcing the code, charging 5 bucks a pop.

        'course i also said it was tongue in cheek. it's an interesting idea, but i can't imagine the administrative duties involved with maintaining a co-op of that size...
      • because someone would sell the vpn client on its own, instead of only in a $100 per desktop package - I needed a vpn client, not 8 apps to confuse my mac using graphic artists.

        ostiguy
    • by dattaway (3088) on Friday March 08, 2002 @05:43PM (#3132653) Homepage Journal
      I was doing my taxes today (oh joy) and marked the box that mentioned something like $3 to the Presidential election campaign fund. Perhaps we could have a few donation check boxes to buy lucrative abandonware into the open source world.

      Then again, sometimes it might be good to just start some projects completely over. Remember Netscape?
    • I'd be happy to set this up. If everyone would send their money to my PayPal account, we could get rolling. You can trust me, I have over 6000 positive eBay transactions!
    • If /. changes its subscription PayPal account instead to be a funding house to purchase PGP, each user could donate 25 dollars

      That's a great idea. However, the economics don't hold up in the face of current customer research [slashdot.org]. Right now the max "penetration rate" for subscriptions is hovering at about 20%, best case. In short, 80% of the people who read Slashdot are freeloaders who won't even pay to read their favorite web site. Couple that with the unavailability of a flat rate subscription (despite overwhelming market preference for flat rate) and you've got a virtually nil chance of success. What makes you think Slashdot readers are going to pay for software of all things?

      • In short, 80% of the people who read Slashdot are freeloaders who won't even pay to read their favorite web site.

        What makes Slashdot such a great webpage? Is it the ability to (most of the time) read about geek news? Or is it the ability to read and discuss a certain post with thousands of technically savvy people?

        I believe it is the second one. If you remove those 80% (the freeloaders) would you have the diversity? You'd probably have a lot less trolls, but I think you would lose a lot of good with the bad.

        I belong to a great LUG [stllinux.org] which does not charge for membership. If they did, I wouldn't put as much effort into my time there. I try to give just as much as I get. Do I feel that I do? No, not really. I love going and hearing about aspects of Linux that I know nothing about and learning something new.

        To tie that to your post, I feel the same way about Slashdot. I could pay for a news website, and get spoon-fed mass media trash, or exert my brain here on Slashdot. These freeloaders might be the very ones who give great info in AskSlashdot, or mirror slashdotted webpages. Pay to read their favorite webpage? They do! They try to give back to the Slashdot community as best as they can.

        This is not meant to be a flamebait, you will notice I am logged in even. You seem to think cash is the ONLY method of paying for something. You have a lot to learn about life.

        Vertical
  • Isn't PGP kind of a dead end, ultimately? Based on my limited (and quite possibly wrong) understanding, as quantum computing research continues, it will become possible to break this encryption. Right?
    • of course, advances in magnetics and flight will eventually make tires on land vehicles obsolete too. unfortunately, neither of them has advanced to the point of feasibility yet, nor has quantum computing. until such time as that happens, there's a need for good ol' fashioned tires. or encryption.
    • Eventually it will be dead for this reason, but we can still get many good years of life out of it. Even when someone builds a suitable quantum computer for cracking PGP, there won't be very many such computers around for many more years.
    • People discuss quantum computing as if it were inevitable, when in fact it is not at all clear that the difficulty of getting n bits entangled in a quantum computer does not scale as exp(n)--in other words, the difficulty of getting a quantum computer working may scale just as quickly as the computational advantage you get from it. A useful quantum computer being impossible to build would not be surprising at all. Lots of neato quantum effects are in fact impossible to scale to the macro world.
    • Isn't PGP kind of a dead end, ultimately? Based on my limited (and quite possibly wrong) understanding, as quantum computing research continues, it will become possible to break this encryption. Right?

      Well PGP is a dead end but not for the reasons you give!

      Quantum computing is practically irrelevant for mainstream crypto. If someone does build a big enough quantum computer it is unlikely that we will ever know about it. But we do know that there are some pretty severe limits on what it can do, it is not a magic wand. A quantum computer does not help against AES or SHA-1 for example. I suspect that long before Quantum computing is real there will be replacements for RSA that are robust against quantum computing.

      The reason PGP is a dead end is that it was only deployed for email and only gives good privacy. PGP is not a good mechanism for signing binding e-commerce contracts.

      It would be much better if people spent their time persuading people to use the crypto that is already built into Outlook Express, Communicator, Notes etc. rather than trying to resurrect a competing message format.

      • Encryption (S/MIME) in Netscape and Outlook is its own worst enemy, because of the requirement to submit your personal information to a "trusted" third party (ie, a corporation - who many of those smart enough to know that encryption isn't a good idea won't trust at all) and then rely on the same "trusted" party to verify that everyone else in the world is who they say they are.

        There's nothing wrong with S/MIME as a message format, but the implementations fall far short of what (as I understand it) PGP does: allowing you to generate your key without anyone having to verify it, and then YOU choose to ask specific people to verify it too. If you try to do this with any S/MIME client that I know of, it will claim that the certificate is untrustworthy because Friendly Trusted Company, Inc hasn't signed for it. PGP will try to find a way through the "web of trust" via a chain of people who all trust each other, from you to the person in question.

        If someone were to integrate the S/MIME message format with PGP-style keysigning and webs of trust, and persuade the email clients to stop insisting that only TrustedCompany signed keys are trustworthy, I suspect that encryption would be a lot more widely used...

        Stuart.
        • by Zeinfeld (263942) on Friday March 08, 2002 @11:43PM (#3133871) Homepage
          Encryption (S/MIME) in Netscape and Outlook is its own worst enemy, because of the requirement to submit your personal information to a "trusted" third party (ie, a corporation - who many of those smart enough to know that encryption isn't a good idea won't trust at all) and then rely on the same "trusted" party to verify that everyone else in the world is who they say they are.

          You don't have to be a corporation to sign keys. In fact there is a certificate signer distributed with every copy of Microsoft Office and Windows XP. Code to create X.509 certs is available as freeware in many open source distributions.

          If you try to do this with any S/MIME client that I know of, it will claim that the certificate is untrustworthy because Friendly Trusted Company, Inc hasn't signed for it.

          You can select the certificate and say 'trust this certificate' explicitly in all the popular implementations.

          If you don't like the way the S/MIME cert handling is done it is easy enough to do it any way you choose.

          Another scheme would be to set up an XKMS interface to a PGP web of trust and then drop an XKMS client into the CAPI or cryptoAPI layer of your favorite email client. Then you can configure any trust semantics you like in your Web O' trust service. No different in principle from using the BaL keyserver at MIT but a lot more powerful.
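The two trust models argued over in this subthread (Stuart's point that PGP finds a chain through the web of trust, and Zeinfeld's point that the same keys can be evaluated under any trust semantics you configure) can be made concrete with a small validity calculator. This is an added example, not code from any poster and not PGP's or GnuPG's own implementation; the key names, signatures and trust assignments are constructed, and the thresholds (one fully trusted or three marginally trusted signers, maximum chain depth 5) are GnuPG's documented defaults. The same signature set is evaluated once under a web-of-trust policy and once under a single-issuer policy, which reproduces the "untrustworthy because the CA hasn't signed it" behaviour described above.

```python
from collections import deque

# Ownertrust levels: how much the local user trusts a key holder to certify
# other people's keys. Modelled on the OpenPGP/GnuPG ownertrust idea.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

# Constructed sample key ring: signer -> keys that signer has certified.
SIGNATURES = {
    "me":    {"alice", "bob", "carol"},
    "alice": {"dave"},
    "bob":   {"dave", "erin"},
    "carol": {"dave"},
    "dave":  {"frank", "grace"},
    "erin":  {"frank"},
    "ca":    {"alice", "bob", "carol", "dave", "erin", "frank"},
}

# Two trust policies over the same signatures (constructed). The web of trust
# assigns trust to individual people; the hierarchical policy trusts only one
# issuer, which is how an S/MIME client that knows a single CA behaves.
WEB_OF_TRUST = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL,
                "carol": MARGINAL, "dave": FULL}
HIERARCHICAL = {"ca": ULTIMATE}


def all_keys(signatures):
    keys = set(signatures)
    for signed in signatures.values():
        keys |= signed
    return keys


def compute_validity(signatures, ownertrust, marginals_needed=3,
                     completes_needed=1, max_depth=5):
    """Return {key: depth} for every key whose binding to its owner is valid.

    A key is valid when it is ultimately trusted, or when it carries at least
    `completes_needed` signatures from valid fully-trusted keys or at least
    `marginals_needed` signatures from valid marginally-trusted keys, with the
    signers no deeper than `max_depth` (the GnuPG default numbers).
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    changed = True
    while changed:                      # fixed point: validity spreads outward
        changed = False
        for key in sorted(all_keys(signatures)):
            if key in valid:
                continue
            full = marginal = 0
            depths = []
            for signer, signed in signatures.items():
                if key not in signed or signer not in valid or valid[signer] >= max_depth:
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
                else:
                    continue            # a valid but untrusted signer vouches for nobody
                depths.append(valid[signer] + 1)
            if full >= completes_needed or marginal >= marginals_needed:
                valid[key] = min(depths)
                changed = True
    return valid


def trust_path(signatures, ownertrust, valid, target):
    """One chain of valid, trusted introducers from an ultimately trusted key
    to `target`, or None. With marginal trust validity rests on several chains;
    this returns a single one for display."""
    if target not in valid:
        return None
    prev = {k: None for k, d in valid.items() if d == 0}
    queue = deque(prev)
    while queue:
        cur = queue.popleft()
        if cur == target:
            break
        if ownertrust.get(cur, UNKNOWN) == UNKNOWN:
            continue                    # only trusted keys may introduce others
        for nxt in sorted(signatures.get(cur, ())):
            if nxt in valid and nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if target not in prev:
        return None
    path, node = [], target
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


if __name__ == "__main__":
    for name, policy in (("web of trust", WEB_OF_TRUST), ("single CA", HIERARCHICAL)):
        valid = compute_validity(SIGNATURES, policy)
        print(name, "valid keys:", sorted(valid))
        print("  path to grace:", trust_path(SIGNATURES, policy, valid, "grace"))
```

Under the web-of-trust policy `dave` becomes valid only because three marginal introducers (`alice`, `bob`, `carol`) all signed him, and `grace`, whom only `dave` signed, is then valid through him; under the single-CA policy `grace` is rejected, exactly as a CA-only S/MIME client would reject her, even though the same signature is on the key ring.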

  • by crush (19364)
    specifically what does it add over GPG? Would it not be better for GPG if PGP were to die?

    I actually have no objections to it being preserved and developed, especially if it were Free Software, what I'm asking for is reasons for it to be preserved from the point of view of Free Software advocates.

    • Re:Why save PGP? (Score:4, Insightful)

      by aridhol (112307) <ka_lac@hotmail.com> on Friday March 08, 2002 @05:56PM (#3132725) Homepage Journal
      specifically what does it add over GPG?

      Usability? GUI?
      • What "usability" is added by PGP? I'm actually interested having never used anything except commandline PGPi on Linux and GPG. I never found any usability problems with it once I understood what the ideas behind it were (took about a day of reading as I had absolutely no clue about encryption).
    • The Windows Version (Score:3, Interesting)

      by Greyfox (87712)
      The Windows version of PGP was pretty nice and actually hooked in with MS Exchange and other software. No I never actually used it, I specified that communications between my group and a shop we were contracting out to be encrypted with PGP. I used GPG with Linux and they went with the happy windows user interface. Most managers and probably the majority of developers will want to use the Windows version if forced to use the encryption software (By some asshole like me pointing out that transmitting the source code in the clear is a violation of corporate security policies ;-)
      • Ah, thanks for the response and an answer to my question as opposed to the weird moderation of my question as a "Troll". I'd never used the Windows version and had only ever used PGP and GPG on linux. I had several problems using later versions of keys generated by PGP with GPG and wondered if there were something like "better" or other encryption algorithms included with PGP. What is it that needs to be interfaced with exchange? I was doing everything through Emacs and it was very nice and easy.
        Cheers,
        Crush
        • Yeah, but your manager isn't going to want to run Linux or Emacs. And you're lucky if he doesn't try to make YOU run Microsoft project too! PGP and GPG interface well with Emacs and other E-Mail clients but there's always some setup involved by you. Having to do anything other than click "setup" and run install shield makes managers irritable. Which is about all it takes with the Windows version of PGP. Fortunately you can explain how to use it in terms of things they can grasp, so they will actually use those extra menu entries on Exchange once you get a key generated for them and stuff.
  • by PureFiction (10256) on Friday March 08, 2002 @05:38PM (#3132618)
    In the article Phil focuses on easy to use GUI interfaces for less technically adept end users as the major feature that the OpenPGP/GPG projects need to focus on. This is the main advantage that the commercial version provided, and the main thing lacking in all the other alternatives.

    He clearly states that the PGP protocol is in no danger whatsoever, and will continue to remain widely implemented.

    Having spent many hours deciphering gpg command lines to use PGP to its full potential makes you realize how useful a simple, easy to use GUI interface to a PGP would be. (Implicit in this task is integration with other applications, however, you can find plugin support for almost anything that you wish to use PGP in)
    • How 'bout putting the algorithm into a library? If there's one library for PGP (written in ISO-standard C), front-ends could be written for it for any platform. One back-end to watch for major bugs, and front-ends that allow the interfaces people are used to.
      • by Cadre (11051) on Friday March 08, 2002 @06:14PM (#3132803) Homepage
        How 'bout putting the algorithm into a library?

        GPGME [gnupg.org] is a project to do this. From the website: "It provides a High-Level Crypto API for encryption, decryption, signing, signature verification and key management."

        It's a work in progress. It's usable, but of course, there is the standard disclaimer. Compiles fine on most Linux distributions. It needed a small amount of help to compile on Mac OS X. Not sure about any other OSes.

        • by aridhol (112307) <ka_lac@hotmail.com> on Friday March 08, 2002 @06:22PM (#3132848) Homepage Journal
          Compiles fine on most Linux distributions. It needed a small amount of help to compile on Mac OS X

          Yes, but in the Real World we still need to support Windows.

          Note that GPGME isn't really a GPG library. It uses the GPG command-line behind the scenes, so it is inherently unportable - you can't get IO from another running process in ISO C.

          When I suggested creating a PGP library, I meant a true library. Make the code ISO9899 compliant, then the only issue is linking it to the front end.
          • you can't get IO from another running process in ISO C

            No, but you can use ISO C to make system calls (ported like everything else in the dual *nix/win/mac universes) that can communicate with the GPG process.

            Really, this isn't that big of a deal. It's a slight inconvenience, but you still end up with a very portable library that can be used to interface with GPG in a programmable manner.
      • by PureFiction (10256) on Friday March 08, 2002 @06:29PM (#3132894)
        How 'bout putting the algorithm into a library?

        This has been asked many, many times of the GPG developers, and they always have a very sound, technically reasonable explanation: Making a shared or static library for the GPG code would be a security risk.

        Once you have the code linked in (statically or dynamically) you can do Bad Things to the GPG code. Manipulate static variables, change environment settings, corrupt memory, all in an attempt to compromise security.

        This makes integration a bit more difficult, but there are still a number of wrapper libraries that provide similar functionality using fork() and exec() with the command line.

        Personally I prefer a bit more integration effort with more security than vice versa.
        • I am the only user on my system. If my system has been compromised, they'll install a trojaned binary anyway. Or they'll break in and install a keyboard sniffer. Or extract the data with a pair of needle nosed pliers. It's amazing how much data you can extract with a pair of needle nosed pliers...

          Really, if "they've" already compromised the system to the point where you have to worry about the libraries being secure, you've got bigger problems on your hands than the libraries being secure. The only thing the lack of a library is contributing to is a hampering of programmers incorporating GPG natively into everything from E-Mail clients to network protocols.

        • Once you have the code linked in (statically or dynamically) you can do Bad Things to the GPG code. Manipulate static variables, change environment settings, corrupt memory, all in an attempt to compromise security.

          What? That doesn't seem plausible to me at all. That would mean that any malicious software using (for example) libc could take over any other application using libc? No way.

          Besides, there are lots of other security libs that work without problems. If libSSL is possible then why not libGPG?

          • The problem isn't that Bad Guys will do all of those things on purpose to compromise security.

            The problem is that well-meaning programmers will do all of those things by accident, and it's a damn sight harder to do so with an executable.
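The fork()/exec() approach debated in this subthread (aridhol's point that GPGME drives the gpg command line, PureFiction's point that the GnuPG developers prefer a separate process over a linked library) is easy to show as a small wrapper. This is an added example, not GPGME's code and not code from any poster; `run_isolated` and `transform` are hypothetical names, and the child "tool" is a constructed stand-in for gpg that only copies gpg's convention of taking the passphrase from a numbered descriptor (`--passphrase-fd`), so the block runs without gpg installed. It needs a POSIX Python, since it relies on `pass_fds`.

```python
import os
import subprocess
import sys

# Constructed stand-in for an external crypto tool such as gpg. It is not gpg:
# it reads the passphrase from the descriptor named by --passphrase-fd (the
# convention gpg uses), exits non-zero on a wrong passphrase, and "transforms"
# stdin by reversing it, which is enough to exercise the wrapper.
STANDIN_TOOL_SOURCE = r"""
import os, sys
args = sys.argv[1:]
fd = int(args[args.index("--passphrase-fd") + 1])
secret = os.read(fd, 4096).rstrip(b"\n")
os.close(fd)
if secret != b"correct horse":
    sys.stderr.write("bad passphrase\n")
    sys.exit(2)
payload = sys.stdin.buffer.read()
sys.stdout.buffer.write(payload[::-1])
"""
DEMO_TOOL = [sys.executable, "-c", STANDIN_TOOL_SOURCE]


def run_isolated(argv, stdin_bytes, secret=None, timeout=30):
    """Run an external tool the way a fork()/exec() wrapper does and return
    (returncode, stdout, stderr).

    - argv is an argument list, never a shell string, so a crafted filename or
      recipient cannot become shell syntax.
    - The secret travels over a private pipe handed to the child, so it never
      appears in the process list (argv) or in the environment.
    - The tool has its own address space: the caller cannot corrupt its state
      by accident, and all it gets back is output plus an exit code.
    """
    argv = list(argv)
    pass_fds = ()
    secret_r = secret_w = None
    if secret is not None:
        secret_r, secret_w = os.pipe()          # private channel for the secret
        pass_fds = (secret_r,)                  # child keeps this descriptor number
        argv += ["--passphrase-fd", str(secret_r)]
    try:
        child = subprocess.Popen(
            argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.PIPE, pass_fds=pass_fds, close_fds=True)
    except OSError:
        if secret_r is not None:
            os.close(secret_r)
            os.close(secret_w)
        raise
    if secret_r is not None:
        os.close(secret_r)                      # only the child needs the read end
        os.write(secret_w, secret + b"\n")      # a passphrase never fills the pipe
        os.close(secret_w)                      # EOF marks the end of the secret
    try:
        out, err = child.communicate(stdin_bytes, timeout=timeout)
    except subprocess.TimeoutExpired:
        child.kill()                            # never leave a hung tool behind
        child.communicate()
        raise
    return child.returncode, out, err


def transform(data, passphrase, argv=DEMO_TOOL):
    """Front-end style helper: trust the exit code, not whatever landed on stdout."""
    rc, out, err = run_isolated(argv, data, secret=passphrase)
    if rc != 0:
        raise RuntimeError("tool exited with %d: %s"
                           % (rc, err.decode("utf-8", "replace").strip()))
    return out


if __name__ == "__main__":
    print(transform(b"hello", b"correct horse"))       # b'olleh'
    try:
        transform(b"hello", b"wrong")
    except RuntimeError as exc:
        print("rejected:", exc)
```

To drive a real gpg you would pass something like `["gpg", "--batch", "--decrypt"]` as `argv` (and, for gpg, `--status-fd` is the reliable way to learn what actually happened), but the isolation properties are the same as with the stand-in: the secret and the key material stay inside the child, and a bug in the calling program cannot reach them.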
    • http://www.sente.ch/software/GPGMail/index.html
  • I don't get it... (Score:4, Insightful)

    by Ryu2 (89645) on Friday March 08, 2002 @05:40PM (#3132631) Homepage Journal
    The commercial PGP is only one implementation of the open PGP standard. Even up to 6.5.8, full source code was available from Network Associates.

    Plus, there is GPG, PGPi, and other freeware implementations of the standard (under the umbrella of OpenPGP.org).

    I don't see why "PGP" as a whole is going down.

    It's like saying if Microsoft or Netscape decided to stop releasing browsers, then the entire WWW is doomed, when there's still Konqueror, Opera, Mozilla, and the whole W3C standards body, etc...
  • by Semi_War (163701) on Friday March 08, 2002 @05:40PM (#3132633) Homepage
    I've read the article and can derive three possible solutions.
    • Slick interface
    • Good sponsor
    • Open source
    Since a slick interface would mean development and the current development is in limbo (with two shippable interfaces in stock!!) I really don't think that's an option. Second option is a sponsor, but since nobody is willing to buy pgp, I don't really think sponsorship will be attractive to sponsors. Leaves only one option :)
  • Sorta Phil's fault (Score:3, Informative)

    by argoff (142580) on Friday March 08, 2002 @05:50PM (#3132700)

    If he would have put it under the GPL from the beginning we would not be seeing this. He would be like the Linus of crypto, but he was so determined to control the things he shouldn't be controlling that he lost control over the things he should be.
    • by Slynkie (18861)
      Or, since back in 1991(?) when Phil first started his PGP work there was virtually NO corporate use of GPL'd software, PGP would have buried itself.

      I think it was definitely advantageous to have the corporate support of PGP in order to get it entrenched (however deeply it is) in the business world. Now, with commercial PGP going away, it's possible companies will have no choice but to move to open sourced alternatives and implementations if they wish to keep their security and privacy intact.

      • You've put the cart before the horse. Corporations needed encryption - and that led to the adoption of technologies like PGP in the industry, the GPL would have encouraged its use even more, and perhaps have forever thwarted the patent abuses that came with PGP. It's not like corporations decided from upon high that they would suddenly give their blessing to PGP which would then in turn become entrenched.

    • Grow up.

      The PGP algorithm was not Phil Zimmerman's to sell. He basically made a freeware version of a popular commercial program, using their proprietary algorithm, and spread it all over the internet. He did this because he believed that people should be able to avoid government surveillance on the internet. Whether or not you agree with him (I do), "encryption for the masses" is now a reality.

      I would be willing to guess that Phil was more afraid of government agencies like the CIA, KGB, and FBI, than of Microsoft and Cisco. It is only slashdot readers who can't understand the difference between a corporation, which can take away your money or your job, and a government, which can take away your life or your freedom. Having to pay $1 extra on a DVD is not oppression. It may be unfair. It may be something you should write to your congressman about. But it is not oppression. Oppression is being shot because you supported the wrong political candidate, like in the U.S.S.R. under Stalin.
      • Oppression is being shot because you supported the wrong political candidate, like in the U.S.S.R. under Stalin.

        My friend, there were no wrong political candidates in Stalin's day. Because they were all dead.

      • by Zeinfeld (263942)
        The PGP algorithm was not Phil Zimmerman's to sell. He basically made a freeware version of a popular commercial program, using their proprietary algorithm, and spread it all over the internet.

        No he did not. Phil did not have rights to use the RSA algorithm. But the code, the message formats, everything that was all Phil and Phil alone.

        Drove the rest of us working on secure email up the wall. Phil had a point about the PEM certification hierarchy nonsense. But he could have reused the PEM message formats instead of rolling his own.

        The version of PGP in use today is largely the MIT version set up by Jeff Schiller and Hal Abelson and coded by Derek Atkinson around RSAREF. That version has always been GPL as far as I know, with the major proviso that it linked to RSAREF which was encumbered big time but had no choice 'cos of the patent.

      • ...The PGP algorithm was not Phil Zimmerman's to sell....

        It shouldn't have been anybody's to sell..

        Whether or not you agree with him (I do), "encryption for the masses" is now a reality.

        And the GPL would have made it more of a reality instead now PGP is heading toward the scrap heap.

        The USA, the USSR, corporations or what not - taking away freedoms is taking away freedoms and the best way to lose a lot of freedoms is to accept the nickel and diming of a little freedom.

  • GUI Interface (Score:3, Informative)

    by TheMatt (541854) on Friday March 08, 2002 @05:53PM (#3132712) Homepage Journal
    One app that is going a long way to making PGP slightly easier is Evolution. It has the best PGP solution I've seen yet for email. Easy and simple to use, even Joe Barr [linuxworld.com] agrees.

    But, the problem is you still must maintain your GnuPG bits manually on the command line. That was the beauty of NA's program. It had a slick GUI. Of course, in the end it didn't take me very long to pick up how to use gpg via the command line, but for the general populace it's still a barrier.
  • On the server side (Score:4, Interesting)

    by SirSlud (67381) on Friday March 08, 2002 @06:13PM (#3132802) Homepage
    What about the possibility of PGP technology being a part of the next major upgrade of open internet protocols (ie, POP, SMTP, etc .. )

    It seems to me that possibly losing out on the client-side 'niceness' that a commercial PGP implementation provides could be a non issue if the next round of standards include support for providing PGP mechanisms as part of their protocols (not that you'd HAVE to use PGP, but that PGP would be somewhere in the protocol if you wanted to use it.)

    That would reduce the need to depend on the never-surefire client market penetration in order to see widespread and longterm usage of PGP as a means of protecting one's privacy.

    I've always felt open protocols make the best vehicles for propagating public-interest technology. That way, you don't need [Mailclient] + [PGP integrated client] but [Mailclient that supports Next Gen Protocol X] where one of X's functionality sets uses a private/public key encryption scheme. Not sure what the likelihood of that happening is, tho, both from the perspective of when we'll outgrow the current crop of protocols, whether the new crop will be open enough to get public interests into the design phase, and whether the creators of said protocol would even think it would be a good idea to include a PGP layer in the protocol. :)

  • Scandalous (Score:5, Interesting)

    by SirSlud (67381) on Friday March 08, 2002 @06:17PM (#3132820) Homepage
    > And what's scandalous is that NAI has OS X and XP-ready versions, but won't ship them.

    We need some laws that force work into the public domain if it won't be exploited for the private domain. I'm sick of companies keeping what will go into the dustbin. This is another example of how too much private interest can /create/ inefficiency in a market rather than reduce it.

    Of course, I respect that the work in question would probably have to pass some criterion whereby its release into the public domain would not cause significant damage to the company in question (if the company is to live on), but surely we can't believe that scenarios like this outweigh the benefits of laws forcing companies to push work they lose interest/money in back into the public domain?
    • We need some laws that force work into the public domain if it won't be exploited for the private domain.

      Let me be the first to say: No, no we don't.

      If you want software they wrote and they won't give it to you, find an alternative, write it yourself, anything else.. But for the love of god, don't pass silly laws like this. How tragic that would be...
      • "If you want software they wrote and they won't give it to you, find an alternative, write it yourself, anything else.."

        The whole *point* is to avoid this vast duplication of effort. If a company has created something which has value to the public which it refuses to sell, and in fact is just going to dissolve, *why* shouldn't the public have access to it? How is this a silly or tragic law?
    • Is it really the right of the people to say what private citizens must give and give up? From a governmental perspective corporations are not that much different from a private citizen. Having laws that "force" companies to essentially "give up" hard-earned intellectual property is akin to walking into your neighbor's garage and taking some tools he hasn't used in awhile. Sure you may use the tools that your neighbor is "wasting", possibly putting them to better use, but it just seems plain wrong.
      • Yet the fact remains. Corporations are not human beings and software is not gardening tools. It's possible to stretch analogies too far and in this case I think you have just that.

        Corporations are routinely held to different standards than human beings. Nothing new about that.
    • So in the name of freedom you would pass the slavery act requiring all developers to disclose their private unpublished code under penalty of imprisonment if they don't.

      Sorry dude, but their code is their code. Period. It does not belong to you. It doesn't matter what the morality of copyright is or is not. This is private, undisclosed and unpublished code. To force it into the public domain would violate every tenet of liberty.
    • What we need are more people in the world who don't have knee-jerk reactions that start with "we need some laws...". While you're sick of companies that keep what is going in to the dustbin, I am sick of people telling others what to do with product that THEY don't own and didn't create.

      If you write some code and want to give it away, please do. If you write some code, sell a package, decide you don't want to screw with it any more and then give it away, that's great of you too.

      At the same time, if I write code and make some neato package, you are perfectly welcome to politely suggest how I distribute it. But in the end, its the owner's choice, not yours, and if you don't like it, tough shit.

      I wish NAI would release the code under [insert free (speech and beer) license of choice here] so that development can continue. I wish PZ hadn't sold it to them in the first place, but as I state above, his code - his choice. But the first legislative attempt to FORCE them to release the code will plant me firmly on the side of NAI.

      And that's my opinion for any other piece of orphanware, abandonware, garbageware, nolongerwantedware etc etc. I too wish that companies would find it in the goodness of their hearts to release code they are no longer going to support or use. But it's THEIR code, and NO ONE should have the right to FORCE them to do ANYTHING with it.

      The thing that depresses me the most these days when I read /. and postings on /. is how quick people here are to totally ignore the licenses and rights of others, but are equally quick to pounce on anyone who violates the GPL. And that just makes the fight for Free Software that much harder. It's getting to the point where everyone assumes we're just a bunch of loud-mouthed hypocrites.
      • However if it is in the best interests of the governed the government does have the right/duty to suspend the intellectual property rights of a company.

        For example the intellectual property rights on certain AIDS medications have been suspended in Brazil.

        Although the software question doesn't really rise to the same bar, since it's not really/usually a life or death issue, it doesn't mean that there would never be a case where the needs of the public would outweigh the harm done to the individual even for software (although I couldn't come up with any at the moment).

        I respect the rights of an author to control their work, however I also feel that holding on to a piece of property effectively forever that you never intend to do anything with just for the sake of controlling it (in particular IP) is miserly, anti-social and relegates it to be forgotten forever, adding nothing to the human condition. (However these decisions are only sometimes made by the original developers, often instead being relegated to some company that owns the code the developers produced, or bought said company, or the work is already completely forgotten by everyone and no one really knows who owns it anymore.)
        • However if it is in the best interests of the governed the government does have the right/duty to suspend the intellectual property rights of a company.

          Says you. I personally don't trust any government to decide what is "in the best interests of the governed."

          For example the intellectual property rights on certain AIDS medications have been suspended in Brazil.

          Yes, Brazil, that great bastion of liberty...

          I respect the rights of an author to control their work

          No, you clearly don't.
          • "Yes, Brazil, that great bastion of liberty..."

            It was a tough choice. Respect the IP rights of a foreign company and let a few hundred thousand people die, or strip the IP rights from that company and let your citizens live. In the US there would be no question; we would let the people die. In Brazil apparently the govt cares more about its citizens than the IP rights of foreign corporations.

            Yes it seems like a weird concept but I guess that's the way those foreigners think.
            • And now corporations are discouraged from doing the necessary research and development to create new medicines. If they make it, it'll just be freed by some penny-ante nation and the drug company can never recoup its investment and make a profit.

              And so we end up without medicines which would have been possible. Yeah, that's really smart.

              • That remains to be seen. Let's check back here next year and see if any new drugs have been developed at all. If there were new drugs developed then you are wrong. Your assertion is easy to test. We'll see next year.
    • We need some laws that force work into the public domain if it won't be exploited for the private domain.

      So you're saying if I create something really great, and decide not to sell it or let anyone use it, that there should be a law where you can come and take my creation and put it in the public domain?

      This is called socialism.

      Please move to China.
  • by dwheeler (321049) on Friday March 08, 2002 @07:21PM (#3133128) Homepage Journal
    So, PGP may not be available in the future. This is no big deal, really, since GPG [gnupg.org] is already available and can be used as a replacement.

    It's true that currently GPG's user interface is terrible for beginning users if they have to use it directly. So, clearly, you want to use programs that embed GPG (like Evolution). Also, note that the German government is funding further development of GPG [gnupg.de]. They specifically say that their funding will be used to make GPG more usable by less experienced users, including porting the software to other operating systems, developing graphical user interfaces (GUI) and writing a handbook.

    Thus, this sounds like a short-term problem at worst.

  • What is the advantage of PGP over S/MIME? They seem to be answering largely the same problem.

    PGP is a product of its own, which is probably good and bad -- good, because you can use it with non-email, and (awkwardly) with most mail clients. S/MIME would have to be built in, I imagine -- but a couple of easy implementations would bring encryption (and decryption) to many more people than the current situation with PGP/GPG/whatever.

    So why aren't people making S/MIME-capable clients?

  • It would be good if there were some general mechanism for the public to purchase pieces of software, and place them either in the public domain or under an open source license of some sort. Since I'd be a beneficiary in many cases, I should (and sometimes would) be willing to cough up some cash to contribute to the purchase.

    But what I really want to do, at least initially, is to promise a payment, which becomes payable when enough other people have promised that the software's current owner agrees to the deal. Inevitably trust issues come up: I might welch on my promise. Or to make things more complicated, I might promise and pay only on the condition of anonymity.

    How to do all this? One way would be to place the money in escrow for a limited time, and if the deal doesn't come together by then, I get my money back. The people trying to organize the deal would give themselves a time limit and encourage donors to set their escrow timers for that time limit. A reputable bank or insurance company (or maybe a casino?) could act as the escrow agent.

    There's a guy named Ronnie Horesh with a very cool idea called social policy bonds [geocities.com], intended to bring market forces to bear on social issues. Government auctions off bonds, which mature when some measurable social goal occurs, and are then redeemable for larger amounts. He once commented that a social policy bond is like a bet. The government hedges its position (that, say, literacy is good) by betting that literacy won't go up. When literacy does go up, the government has to pay up.

    In the same way, if I believe that PGP should go into the public domain, I may hedge that belief by betting Network Associates that they won't do that. They can easily win that bet by releasing PGP, when they decide that winning all those bets is more important than retaining PGP as closed-source software.

  • It just seems very strange that all of the commercial products that provide good encrypted message transfer have suddenly become "uneconomical" for the companies that make them. Especially in this post-Sept. 11 world? I think there is something fishy here... And I don't like it.

    ttyl
    Farrell
  • The important parts of PGP as shipped by NAI for Windows are NOT the encryption engine per se - this is available from other sources as the command line binary we all know and love.
    The important parts are the Windows infrastructure and the patented protocols that appeared in PGP5.
    The Windows infrastructure is more than just the GUI - the GUI is OK, but nothing special. The infrastructure includes
    • a low level secure storage driver at the OS level
    • integration with many mail clients
    • an Explorer shell extension to handle encrypt / decrypt, secure wipe, and verify functions
    • a secure viewer with anti-TEMPEST fonts
    • the PGPNet VPN solution
    • the PGPDisk secure storage solution
    This is what NAI have paid to develop, and this is why it represents a major loss.

    Jon.
