Encryption Security

How to Save PGP

Tomcat666 sends in: "The Register got some excerpts from an interview with Phil Zimmermann. He talks about how it might be possible to save PGP (Network Associates couldn't sell it, and will stop its development), OpenPGP and the future (industry-backed OpenPGP?)." A follow-up to our story yesterday about Network Associates mothballing PGP.
This discussion has been archived. No new comments can be posted.

  • by Choco-man ( 256940 ) on Friday March 08, 2002 @05:35PM (#3132595)
    /. gets about what, a million unique hits? NAI put 36 million into PGP, and since they're not finding a buyer, we can assume they'd be willing to take somewhat less for it.. let's say 25 million. If /. changes its subscription PayPal account instead to be a funding house to purchase PGP, each user could donate 25 dollars, and we'd have a co-op that now owns PGP. This co-op could then market it as an inexpensive payware product, available for download complete with source code for a $5 license fee. This rids the need for /. subscriptions by generating income, opens the most current version of source code up for review, and allows independent programmers to modify this source code to continually improve the product.

    A win win situation! 8-)

    IANAL. This is tongue in cheek. I hate having to explain myself...
  • by Semi_War ( 163701 ) on Friday March 08, 2002 @05:40PM (#3132633) Homepage
    I've read the article and can derive three possible solutions.
    • Slick interface
    • Good sponsor
    • Open source
    Since a slick interface would mean development and the current development is in limbo (with two shippable interfaces in stock!!) I really don't think that's an option. Second option is a sponsor, but since nobody is willing to buy PGP, I don't really think sponsorship will be attractive to sponsors. Leaves only one option :)
  • by aridhol ( 112307 ) <ka_lac@hotmail.com> on Friday March 08, 2002 @05:47PM (#3132681) Homepage Journal
    How 'bout putting the algorithm into a library? If there's one library for PGP (written in ISO-standard C), front-ends could be written for it for any platform. One back-end to watch for major bugs, and front-ends that allow the interfaces people are used to.
  • On the server side (Score:4, Interesting)

    by SirSlud ( 67381 ) on Friday March 08, 2002 @06:13PM (#3132802) Homepage
    What about the possibility of PGP technology being a part of the next major upgrade of open internet protocols (ie, POP, SMTP, etc .. )?

    It seems to be that possibly losing out on the client-side 'niceness' that a commercial PGP implementation provides could be a non issue if the next round of standards include support for providing PGP mechanisms as part of their protocols (not that you'd HAVE to use PGP, but that PGP would be somewhere in the protocol if you wanted to use it.)

    That would reduce the need to depend on the never-surefire client market penetration in order to see widespread and longterm usage of PGP as a means of protecting one's privacy.

    I've always felt open protocols make the best vehicles for propagating public-interest technology. That way, you don't need [Mailclient] + [PGP integrated client] but [Mailclient that supports Next Gen Protocol X] where one of X's functionality sets uses a private/public key encryption scheme. Not sure what the likelihood of that happening is, tho, both from the perspective of when we'll outgrow the current crop of protocols, whether the new crop will be open enough to get public interests into the design phase, and whether the creators of said protocol would even think it would be a good idea to include a PGP layer in the protocol. :)

  • Re:Why not... (Score:1, Interesting)

    by Anonymous Coward on Friday March 08, 2002 @06:15PM (#3132807)
    The biggest problem with PGP (IMO) is that Microsoft and Netscape never thought to integrate it into their mailers, instead choosing SMIME (which requires buying a certificate). Thus, PGP was always relegated to non-standard plug-in hackery.
  • Scandalous (Score:5, Interesting)

    by SirSlud ( 67381 ) on Friday March 08, 2002 @06:17PM (#3132820) Homepage
    > And what's scandalous is that NAI has OS X and XP-ready versions, but won't ship them.

    We need some laws that force work into the public domain if it won't be exploited for the private domain. I'm sick of companies keeping what will go into the dustbin. This is another example of how too much private interest can /create/ inefficiency in a market rather than reduce it.

    Of course, I respect that the work in question would probably have to pass some criterion whereby its release into the public domain would not cause significant damage to the company in question (if the company is to live on), but surely we can't believe that scenarios like this outweigh the benefits of laws forcing companies to push work they lose interest/money in back into the public domain?
  • The Windows Version (Score:3, Interesting)

    by Greyfox ( 87712 ) on Friday March 08, 2002 @07:28PM (#3133148) Homepage Journal
    The Windows version of PGP was pretty nice and actually hooked in with MS Exchange and other software. No I never actually used it, I specified that communications between my group and a shop we were contracting out to be encrypted with PGP. I used GPG with Linux and they went with the happy windows user interface. Most managers and probably the majority of developers will want to use the Windows version if forced to use the encryption software (By some asshole like me pointing out that transmitting the source code in the clear is a violation of corporate security policies ;-)
  • by vertical_98 ( 463483 ) on Friday March 08, 2002 @10:14PM (#3133636) Homepage

    In short, 80% of the people who read Slashdot are freeloaders who won't even pay to read their favorite web site.

    What makes Slashdot such a great webpage? Is it the ability to (most of the time) read about geek news? Or is it the ability to read and discuss a certain post with thousands of technically savvy people?

    I believe it is the second one. If you remove those 80% (the freeloaders) would you have the diversity? You'd probably have a lot less trolls, but I think you would lose a lot of good with the bad.

    I belong to a great LUG [stllinux.org] which does not charge for membership. If they did, I wouldn't put as much effort into my time there. I try to give just as much as I get. Do I feel that I do? No, not really. I love going and hearing about aspects of Linux that I know nothing about and learning something new.

    To tie that to your post, I feel the same way about Slashdot. I could pay for a news website, and get spoon-fed mass media trash, or exert my brain here on Slashdot. These freeloaders might be the very ones who give great info in AskSlashdot, or mirror slashdotted webpages. Pay to read their favorite webpage? They do! They try to give back to the Slashdot community as best as they can.

    This is not meant to be a flamebait, you will notice I am logged in even. You seem to think cash is the ONLY method of paying for something. You have a lot to learn about life.

    Vertical
  • by sab39 ( 10510 ) on Friday March 08, 2002 @10:43PM (#3133712) Homepage
    Encryption (S/MIME) in Netscape and Outlook is its own worst enemy, because of the requirement to submit your personal information to a "trusted" third party (ie, a corporation - who many of those smart enough to know that encryption isn't a good idea won't trust at all) and then rely on the same "trusted" party to verify that everyone else in the world is who they say they are.

    There's nothing wrong with S/MIME as a message format, but the implementations fall far short of what (as I understand it) PGP does: allowing you to generate your key without anyone having to verify it, and then YOU choose to ask specific people to verify it too. If you try to do this with any S/MIME client that I know of, it will claim that the certificate is untrustworthy because Friendly Trusted Company, Inc hasn't signed for it. PGP will try to find a way through the "web of trust" via a chain of people who all trust each other, from you to the person in question.

    If someone were to integrate the S/MIME message format with PGP-style keysigning and webs of trust, and persuade the email clients to stop insisting that only TrustedCompany signed keys are trustworthy, I suspect that encryption would be a lot more widely used...

    Stuart.
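
The two trust models contrasted in the comment above, sketched as an added example that is not part of the original thread and is not code from PGP or any S/MIME client. The key names, the signature graph and the depth limit are constructed for illustration, and the sketch is simplified: it treats every signature as equally trustworthy, whereas OpenPGP implementations also weigh how far each signer is trusted as an introducer.

```python
from collections import deque

# Constructed sample data: each key maps to the set of keys its owner has signed.
SIGNED_BY = {
    "you":       {"alice", "bob"},
    "alice":     {"carol"},
    "bob":       {"carol"},
    "carol":     {"dave"},
    "dave":      {"erin"},
    "TrustedCo": {"mallory"},   # hypothetical stand-in for a commercial CA root
}

def ca_accepts(key, roots, signed_by=SIGNED_BY):
    """CA model: a key is accepted only if a pre-installed root signed it."""
    return any(key in signed_by.get(root, ()) for root in roots)

def trust_chain(start, target, max_depth=3, signed_by=SIGNED_BY):
    """Web-of-trust model: breadth-first search for the shortest chain of
    signatures from `start` to `target`. Chains needing more than
    `max_depth` signatures are rejected (the limit is an assumption here)."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # too many hops: do not extend this chain further
        for signed in sorted(signed_by.get(path[-1], ())):
            if signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None

if __name__ == "__main__":
    roots = {"TrustedCo"}
    for key in ("carol", "dave", "erin", "mallory"):
        print(f"{key:8} CA model: {ca_accepts(key, roots)!s:5} "
              f"web of trust: {trust_chain('you', key)}")
```

Carol's self-generated key is rejected by the CA check because no root signed it, yet it is reachable from "you" through Alice; Erin's key is signed by people in the graph but sits beyond the depth limit, so the chain search rejects it.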
