Zimmermann Suggests Freeing PGP Source 211
broody writes "NewsForge has an interesting article detailing Phillip R Zimmermann's lament at selling PGP. Since he cannot afford to buy it back outright, he is pushing for Network Associates to 'open source' it. Well, the GUI and SDK anyway. I'll say this, he's an interesting little capitalist."
Free PGP? How about GnuPGP (Score:4, Insightful)
Re:Free PGP? How about GnuPGP (Score:4, Insightful)
Re:Free PGP? How about GnuPGP (Score:1)
Nothing of the sort is neccisary. BSD unix was a non-cleanroom reimplimentation of AT&T unix. BSD won when it went to court. It is easier to be cleanroom though.
Re:Free PGP? How about GnuPGP (Score:2)
But only an organization like BSD, backed by the University of California and their lawyers, had the resources to stand up to AT&T in court. I wouldn't suggest being cavalier about clean-room issues to any random Open Source project.
Re:Free PGP? How about GnuPGP (Score:1)
Re:Free PGP? How about GnuPGP (Score:1)
Re:Free PGP? How about GnuPGP (Score:1)
Re:Free PGP? How about GnuPGP (Score:1)
Re:Free PGP? How about GnuPGP (Score:5, Informative)
GnuPG _does_ work on Windows: http://ftp.gnupg.org/gcrypt/binary/gnupg-w32-1.0.
But it's not graphical. For that, I've been using WinPT [winpt.org] for some time. It's a pretty good replacement for PGPtray, not as pretty though. And it imported all my PGP 6.x/Win Keys fine too. Download with all dependencies here [lcsweb.net]
Re:Free PGP? How about GnuPGP (Score:1)
Re:Free PGP? How about GnuPGP (Score:3, Informative)
Ah, actually there a plugin for Outlook _Express_ available now. GPGOE [winpt.org]. Outlook will take some time -- and hacking on the office dev kit -- I guess. But yes, I get what you mean about "dont work well", but I can tell you it's getting better fast! And if you can, do give WinPT a try. You may be surprised.
Re:Free PGP? How about GnuPGP (Score:4, Informative)
Go get it here:
http://www3.gdata.de/gpg/ [gdata.de]
GnuPGP Win Has Problems..... (Score:2)
In MS business environments you don't tend to Admin rights on the box where you are working. I don't even have at home on my Windows box.
Re:Free PGP? How about GnuPGP (Score:5, Insightful)
Have you tried to work with Phil Z.? Oh... thought not.
People who end up in the mess Phil did are not always the folk with the best social interfaces...
The problem with PGP is that overall it is tending to hinder the use of crypto than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know its there because they are being told that only crypto persecuted by the NSA should be used.
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Rather than attempt to resurect the PGP message formats it would be better to spend time building S/MIME key signing code.
Re:Free PGP? How about GnuPGP (Score:2)
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Sure, anyone can be an X.509 CA, but that doesn't help much. In order to issue meaningful X.509 certificates, you need to be a widely trusted CA, and that means commercial certificate distribution deals with Verisign, AOL and Microsoft, and that pretty much rules out all but big businesses.
PGP's web of trust has a much lower barrier of entry.
Re:Free PGP? How about GnuPGP (Score:2)
That has nothing to do with the format of the certificate. It is simply basic math.
All the major email programs allow you to install your own trust roots, always have. The problem is getting a trust root widely recognized.
The diameter of a graph is the length of the longest path between two nodes. If the diameter of the graph is small then either the graph cannot be large or there must be at least soe nodes of very high degree. [The Moore bound on the diameter of a graph is k * (k-1)^d where k is the degree of the nodes and d the diameter.
Applied to PGP it means that if you have a Web of trust with a trust chain length of 5 and each person signs ten other keys you can have no more than 90,000 members if the members align themselves perfectly. In practice the size of the graph would be much smaller since the connections would be either random or highly locally connected which gets you down to about 10,000 users.
PGP works largely because people take untrusted keys of key servers and because there are folk like Jeff Schiller who have signed hundreds of keys.
If you want a global PKI then you need intermediaries. PGP is not designed to scale to be a global system. But if you are prepared to put up with the size limitations of the PGP model you can do the same in S/MIME.
Microsoft even ship a mini CA tool with Office and Visual studio - makecert.exe. It is a bit idiosyncratic and you need to get another tool fro the Microsoft site to convert the private key formats to PKCS12 format but it certainly works. The SSLeay code also has a cert signer.
Re:Free PGP? How about GnuPGP (Score:2)
Not really. If your only concern is encrypting/signing mail (and other stuff) within your organization, than the CA only needs to be trusted within your organization. Trust in the CA can be enforced as a condition of employment. This makes PKI practical for many mid size businesses as well, although small businesses should look elsewhere due to the large inital outlay required.
X.509 is a clumsy tool for internal encryption. Most programs using it are using it for communications, not storage. A good chunk of any businesses need for secure communications is with other businesses. You can't make your parts supplier trust your internal CA as a condition of employment, and you usually can't even require it as a term of your contract with them.
If you wish to explicitly trust the PKI of another business than your CA's can issue each other Cross-Certificates.
Again using my parts supplier example, that would basically be me going to my parts supplier, and asking them to trust that every certificate we issue is valid. That's a lot of trust. Most people are prone to say "no", particularly if they don't understand the full ramifications of that trust.
With the PGP/GPG "Web Of Trust" model, all I would have to ask them is to trust that my key is validly my key. Much easier to do, the guy at my parts supplier can do this over the phone in many cases. Then he can sign my key and put it on their keyserver. Anyone at my parts supplier who accepts his signature will automatically trust my key. They are only asked to trust themselves, and what they can readily verify; a much more palatable trust model.
only one of the three businesses you mention is in the business of selling commercial certificates (Verisign).
The other two are the leading distributors of X.509 capable products, and therefore the leading distributors of "Here are the trusted Certificate Authorties" lists. To get on those lists takes money.
Why listen to him? (Score:1)
Re:Why listen to him? (Score:5, Insightful)
> does he have now to suggest the change?
"This guy" [philzimmermann.com] developed the PGP protocol, and it's first implementation, then released it freely on the Internet when it seemed likely the US Govt. was about to criminalise *all* personal encryption.
So, only moral authority... which doesn't seem to be worth much on the free market, these days.
Re:Why listen to him? (Score:3, Insightful)
We should all be thankful that Phil was willing to stand up for something like this.
Re:Why listen to him? (Score:2, Insightful)
No he didn't... (Score:2)
I know, I worked on it for a while back in the early days.
Re:Why listen to him? (Score:1)
Is Code a product, or a design, design's are art, objects are property.
-Gih
Didn't you read the sign? Accepting this lawnmower at discount enables us to come install this here billboard on your yard! Damn illiterate lawn users.
Re:Why listen to him? (Score:1)
Over here we call it the "First Amendment".
Commercial VPN client..... (Score:2)
Re:Commercial VPN client..... (Score:3, Informative)
What sucks is they dropped the commercial VPN client totally, the freeware version is still around (or was a couple weeks ago) but it only supports machine to machine, no machine to network connectivity, that was only in the commercial version.
That doesn't suck at all, unless you're using Win95/98. Win2k has built in IPSec and it works quite well with FreeS/WAN (I am using it every day). vpn.ebootis.de [ebootis.de] (funny name, great documentation) shows you how to patch FreeS/WAN to use X/509 certs, and how to generate the certs, and how to make win2k and FreeS/WAN play nice together. PGPNet for Win2k was a little bit of a goofy thing.
It should be practice (Score:2)
If they can't make money with it, and they don't plan on it, it could be used to build will and advertising. Part of the requirement would be to leave in the advertsing banners. Or require some form of license for inclusion into other commercial software.
Note that they have not conceeded that PGP cannot be sold off, yet.
Re:It should be practice (Score:2)
The primary issue is that open sourcing previously closed source applications is not something the company can do for free. There's a ton of legal issues that must be considered (use of third party code, etc, etc) before a release can be made, that costs time and it costs a lot of money in most cases.
Then you hit secondary issues like shareholder reaction to the company not only giving its products away for free to whoever wants them, but also giving source code and thus some perceived competitive help (even if its not true) to the company's competitors.
All in all, there are a lot of headaches involved. Its not something most companies will do unless there's some direct market benefit for them, ala commoditizing a compliment (see here [joelonsoftware.com]).
Re:It should be practice (Score:2)
The vast majority of software companies are nothing like id on both of those accounts.
Over the wall (Score:2)
The generic response was "Open Source does not mean taking a product we don't want any more and throwing it over the wall. It means taking a product we continue to maintain and donating rights to it to the open source community. We can't just give away software without assessing the legal and PI risks. That's an expensive process, and we just won't do it unless it helps us start an OS project with some real potential."
I might be misquoting (that's why I don't name the company), but you can see the issues.
good newssource? (Score:1, Interesting)
anyways, on a side note, i think zimmerman is in the wrong here. if he is so concerned about the concept of pgp, then why isn't he focusing his efforts on GnuPG [gnupg.org], which is a completely open version of the PGP concept?
Re:good newssource? (Score:2)
Then use one of the many GUI's [winpt.org] or email clients / plugins [geocities.com] that support GnuPG.
Umm. (Score:1, Redundant)
Considering Network Associates isn't developing it further, I somewhat see his point, but I don't see how he really has a say in the matter.
What about.... (Score:1)
That way they don't have to give up the rights to it, but still have a loyal base of users. When they're able to make a buck off PGP again they can add some "must-have" features and the customer base will slowly come back to the commercial fold. As it is, the freeware versions will dominate and eventually PGP will be forgotten by most people.
Dead Man's Switch (Score:4, Interesting)
Think of all the software that might still be available if they had such a clause in their license. Hell, just the games!
-Pete
Re:Dead Man's Switch (Score:5, Informative)
In source-code escrow, the vendor promises to provide the source-code to the customer if the vendor goes out of business.
The problem is that bankruptcy courts often overturn source-code escrow clauses, because the source code turns out to be the firm's only salable asset.
The best solution is to free the code first, and for the customer to be careful not to become dependent on closed-source.
Bruce
Re:Dead Man's Switch (Score:2)
The problem is that bankruptcy courts often overturn source-code escrow clauses, because the source code turns out to be the firm's only salable asset.
Sorry to follow this a little off-topic, but this is interesting as I'm currently working with a commercial third party and we have a source-code escrow clause exactly of the sort you mention. Can you cite any specific cases where these have been overturned? I ask not because I disbelieve you but because it would be good to have case law to show my management so we can evaluate the risk of this happening to us (we're not confident of the future stability of the third party).
Re:Dead Man's Switch (Score:4, Informative)
Bruce
Re:Dead Man's Switch (Score:5, Insightful)
His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.
They used to have that. It was called copyright. One got a fixed term of copyright, could renew it for a small fee after that term to extend it to 75 years (net, not additional), and then it would go public domain after the 75 years were up. Then someone thought of the Berne Convention, and someone else thought of the Bono Bill, and someone else thought of the DMCA . . .
Re:Dead Man's Switch (Score:2)
Re:Dead Man's Switch (Score:2)
I agree, and there's a good public-policy argument to be made here. Too bad the "content industry" has convinced Congress that the purpose of copyright is to enrich them, and the "copyright bargain" has been completely forgotten. Of course, for this to work, you'd have to reverse the Berne convention and go back to requiring copyrights to be registered. (Which probably would be a good thing for the public interest as well, but that's another point.)
Re:Dead Man's Switch (Score:1)
I found some info here [bitkeeper.com], but it doesn't address the "dead man's switch".
KDE Free Qt Foundation (Score:2)
You mean something like the KDE Free Qt Foundation [trolltech.com]? Qt is triple licensed: GPL, QPL, proprietary. If TrollTech discontinues the free edition of Qt, then the last available version will be released under the BSD license. (I'm not sure whether that's with the advertising clause.)
GPG is just fine but GUI needs work (Score:2, Interesting)
The only real problem with GPG is the comparative lack of high quality "mere end user" facilities such as a good GUI.
Let's all dump PGP, it's served its purpose and its time is done. Put your effort into making GPG (real open source!) widely accepted and used.
Re:GPG is just fine but GUI needs work (Score:3, Interesting)
They have a nice little frontend for GPG that can sit in your system tray, and related projects bring GPG in to the Mozilla and Eudora mail clients as well. Plus, it's GPL'ed.
That's only for Windows, but I'm sure there are plenty of good GPG front ends for Linux and other Operating Systems as well.
I've switched, and I'm not looking back.
Re:GPG is just fine but GUI needs work (Score:2)
A thought (Score:2, Interesting)
It offers the liberty of being Free and Free.
Just my
Sad for Zimmerman but irrelevant (Score:3, Insightful)
Network Associates money to use something that most people still don't
see the need for?
Forget it Phil. You killed PGP when you sold it. GPG is there take over from
PGP and make sure that those who understand the need for good encryption still
have some reviewable source to trust.
Re:Sad for Zimmerman but irrelevant (Score:1)
Re:Sad for Zimmerman but irrelevant (Score:1, Interesting)
There are quite a number of IT-related companies run by people who are just clueless when it comes to business.
Re:Sad for Zimmerman but irrelevant (Score:2)
Maybe he expected a large company like Network Associates might know how to properly market and maintain the product. Its seems that if that assumption was made, it was incorrect.
I doubt it will happen (Score:1)
Doesn't bode well, if you ask me.
Unreleased Updates (Score:3, Interesting)
I've read on numerous occasions that NA has versions of PGP updated to run on OS X and XP, but aren't releasing them. Something to do with 9/11 maybe? It seems stupid to simply throw away a defacto standard.
Let's hope the geeks here make that problem irrelevant. So far the Mac side is doing *OK* with tools like GPG Tools [tomsci.com], GPGMail [sente.ch], and Apple's own AES encrypted volumes using Disk Copy. However, syncing with key servers, file wiping and other functionality available in PGPFreeware is sorely missed. Maybe Phil Z should start a company focused on GPG rather than wasting his energy trying to get PGP open sourced...
Re:Unreleased Updates (Score:4, Interesting)
Several friends of mine work at Microsoft, and apparently, according to one of them - important government types have been at the Microsoft campus. This gist is that has somthing to do with the whole DRM/encryption thingy.
It makes sense in a odd sort of way - if the govenment could get a back door into the worlds most popular operating system, they would have a goldmine. I'd be disapointed in the NSA if they diden't try.
Re:Unreleased Updates (Score:2)
What do they have to lose? If it ever gets public they'd say "How, they forced us, to prevent terrorism. There's nothing we can do. It's the price for our societies safety. We are glad we are helping our people win against terror".
We could do a poll about this topic, and see what the crow thinks.
Re:Unreleased Updates (Score:2)
It's just a posibility. If you can imagine the FBI saying "Oh, we could gather inteligence directly for Microsoft but, oh wait. The privacy thing! We'll have to find another solution."
Come on, have you switched ISP because of the gov. sniffing?
Re:Unreleased Updates (Score:2)
I've read on numerous occasions that NA has versions of PGP updated to run on OS X and XP, but aren't releasing them. Something to do with 9/11 maybe? It seems stupid to simply throw away a defacto standard.
Why is the immediate reaction to news like this on Slashdot always a conspiracy theory? Have you considered the possibility that companies like NAI (which are in business to make money) simply don't see any reason why they should give a product away for free? They paid good money for PGP and it turned out to be a real turkey.
Apparently they still sell the command line version. In an odd-case of open source business cases reversing themselves, Phil wants them to open source the GUI. If they do that, how long will it be before someone writes an open source set of command line tools? I guess they could release it with a special license that prohibits you from developing command line tools. Of course, someone would do it anyway and lawsuits would ensue.
The whole dead man's switch thing is pretty funny. Basically what Zimmerman is saying is "here's a product that I know is going to drive you into bankruptcy, so I'm taking advance precautions." If you really want the program then go buy it. Get together a consortium of interested parties and start a fund to buy back the rights. Of course, it would never work, but that's never stopped people before.
-a
The advantage of the GPL is that your customers can maintain and upgrade your software, even after you go bankrupt.
Phil, Please Join Us! (Score:5, Interesting)
We'd really like you to join the work on GnuPG, and on GUI projects like GNOME. I think it would be most productive to write off the PGP code base and continue your work on the existing Free Software projects. We've gotten most of the hard work done already.
Thanks
Bruce
Re:Phil, Please Join Us! (Score:4, Insightful)
Let me second this. (Yes, I'm seconding Bruce Perens. How's that for chutzpah?.)
Most of the Gnu Privacy Guard code base is in place, but we still need a ton of help with GUIs [gnupg.org], APIs [gnupg.org], Web-based encrypted email [winpt.org], etc. And there is no GnuPGFone as far as I know.
I know PGP is your baby .. I can appreciate that, and I know what it's like to lose control of your baby. I'm not going to pretend that GnuPG is the same thing. Nonetheless, GnuPG is working toward (mostly) the same goals, and that's something worth considering. They could also use your help, as you have years and years of hard-won experience in this field. Yeah, they're young punks, but they mean well and they do good.
Just my two cents.
Re:Phil, Please Join Us! (Score:2)
NO, and that's a huge honking problem as far as I am concerned. We've got at least three different UI projects for GnuPG, none of them ready for prime time, each one working differently from the other.
I'm horribly tempted just to take the best of the bunch and port it to wxWindows. It would run more slowly, but it would work, damnit, on Win, Gnome/Gtk, KDE and Mac.
Re:Phil, Please Join Us! (Score:2)
You don't need prz for the GUI. The only 'secret' when preparing a crypto-GUI is to make sure that anything containing key or secret material is cleaned after use. That is, you *never* deallocate memory or free up disk space without zeroing, and in the case of disk space, overwriting with patterns first. The crypto engine is the hard part.
Whilst Phil is a good cryptographer, GUIs making the whole thing understandable are another matter. I think the other guys are doing quite well there.
GnuPG misses some things like secret sharing (should be there soon) and there is no API for philosphical reasons, however that can be dealt with. The OS crypto community is currently surviving well and will continue to do so as long as various governments/interests don't succeed in tainting the whole idea by the association with terrorism and copyright violation. On these last points we need everyone we can get to keep cryptography free and there Phil can definitely help with the advocacy.
Re:Phil, Please Join Us! (Score:2)
No, the company refused to use any non-commercial product. Basically, they wanted someone to sue if something went wrong. Open source wasn't the issue.
Re:Phil, Please Join Us! (Score:2)
I wrote a bit of pgp back in version 2 days and it was a BSD license. I *know* my code ended up in some commercial products but I wasn't compensated. Later when the s/w was sold to (via another compy whose name I have forgotten) NA, I was approached a couple of time about another port, but never through the official NA commercial channels. As the use was commercial and the rights were a nightmare, I had to decline.
So Phil selling PGP effectively stuffed it for outside contributors. Phil has to eat, so I don't begrudge him that, but he could have sorted the licensing a lot better. Many of the rest of us tried to keep the older command line variants going but it proved more and more difficult and rights became very difficult.
I like PGP (Score:1)
While it sucked to see NAI drop PGP, I made sure I pulled down the latest build before my license expired. I can still get another couple of years use out of it.
I would like to think that someone will eventually pick it up. It's entirely too useful to let it die. It be nice if it turned free, but I would still pay a reasonable amount of money to get a new enhanced version.
Re:I like PGP (Score:1, Interesting)
You don't get it! There is good reason to believe that NAI has put backdoors in for No Such Agency and/or others, and with only binaries available, it's impossible to be certain. Closed source encryption software is utterly useless, regardless of how much it costs.
Even if you aren't worried about the NSA reading your email (and you should be!), backdoored encryption is a fucking joke, because all it takes is for someone else to figure out the back door and exploit it. Even if nowhere else, at least use open source for your encryption needs.
PGP is dead. Long live GPG!
Like PGPDesk? You might like BestCrypt (Score:2)
Anyway, I highly recommend it.
-B
Re:I like PGP (Score:2)
Loop-AES [sourceforge.net]. Assuming you don't have the loopback filesystem module built right into the kernel, but have it as a module or not at all (look for loop.o), no kernel recompile or patching or even a specific kernel version is required. Patching losetup and mount, on the other hand, is required, but it's painless. And Reiser FS is a perfect companion to Loop-AES.
One handy little thing about Loop-AES I love is how the encrypted loopback filesystems can be burned straight onto a CD. The upshot of this is secure backups, like if you've got nosy roommates.
interesting? (Score:2)
right now he seems to be a slashdoted little capitalist.
Re:interesting? (Score:2, Funny)
righty dokey skip flip flap jack me old nick nack paddy wack slip de dip lipstick oh look mrs jones bomber harris tweed coat and hat it might be raining achtung baby psycho ward ten minutes please gentlemen its the lavatory express, I will!
The real reason this will never happen (Score:5, Funny)
[you@someterminal you]# grep -c -r -i "nsa"
27
PGP owns... (Score:2)
While there is many "free" or open source projects out there that are great on multiple platforms, GnuPG hasn't yet been fully (if at all) accepted by the Windows users.
Before you flame me; encryption needs to be open, and it needs to be easy to use in some respects. If my grandma (or male lover) has to go to the command line to encrypt his/her e-mail - it isn't happening. Now I see one project to bring it to the Windows desktop but it's being developed by linux developers.
If people expect Phil to come over to the GnuPG camp then you have to be ready to develop as much time to the Windows product as *nix.
Maybe I'm just not making sense because I'm typing fast... but simply: Gui, Gui, Gui. Equal time on all systems. Then I'll put my support behind GnuPG.
Otherwise Network Ass. should release their control over a product they raped.
Re:PGP owns... (Score:2)
Pub. Key Encryption should belong to the common man and it shouldn't take any _real_ computer knowledge to be private.
GnuPG lacks this... maybe Phil should just get it back and do it on his own again.
Paypal donations...?
Re:PGP owns... (Score:3, Insightful)
I've found a whole series of GnuPG interfaces and email plugins for windows (WinPT being my favorite sofar). I don't know if the developers are "Linux developers" or not - but I fail to see how that matters.
Nobody is stopping any developers from running with GnuPG development on their favorite platform. In fact, as already pointed out, Windows development is definately picking up (probably due to NAI's dropping PGP - way to create an itch / need). And the GnuPG developers are definately thinking ahead with libraries such as their GPGME API. No more shell front-ends like the old PGP GUI days. GPGME provides direct hooks in to GnuPG (WinPT uses it).
In short, the door is wide open.
Re:PGP owns... (Score:2)
The problem is that _right now_ it's just kinda weak.
GPL/OSI developers _usually_ put their win32 work on hold that is what scares/bothers me.
I hope though that GnuPG becomes the de facto standard, because free as in speech is a Good Thing.
Re:PGP owns... (Score:2)
But there is now more of a demand for GnuPG solutions for Windows. And OS development has been showing up more and more often in Windows environments. So the future is good, I think.
Re:PGP owns... (Score:2)
I would like to maybe see a sourceforge section entirely devoted to win32 Open Source projects.
Like I said, the problem I see with GnuPG is only that the Windows clients will be always a step behind and that won't help.
Yes, we need more developers, but I'm not the person to talk to. I've got a better chance of getting "Hello World" out of C++ than Holyfield has getting his ear out of Tyson's mouth.
I think you've changed my outlook on the situation, and now I DO with that Phil goes with the team. Maybe he can bring the Win32 developers with him.
[[the situation of win32 GPL development as I can see it is that most people who will develop on the platform realize they can charge any amount for any application. When I first tried Linux years ago I realized that you don't have to pay for simple tools that should be free(like i ever did!). Have a problem in Windows, the software to fix it will cost a pretty penny. Quality over Cash...ah, the beauty of linux]]
Re:PGP owns... (Score:2)
In a Windows environment, you've paid hard cash for your OS, cash for your development tools, small amounts of cash for the various little shareware apps that make life nice... and can expect to spend MORE cash in the future if you ever wish to upgrade and/or expand your current holdings. Its no suprise developers wish to replenish that pool of available cash.
And that's the difference in currency - code vs cash; a gift culture vs a monetary system.
That's not to say one can't mix cash and gift cultures. But it would go towards explaining the vastly different software landscapes between Windows and (for example) Linux.
GPGDisk? (Score:2, Informative)
I create 649 / 699 MB PGPdisks, fill them with my 'backups', "unmount" them, and then burn them onto CD. Voila, encrypted CD contents. Works beautifully.
It would be the coolest thing in the world if GPG was able to mount the same PGPdisks. Heck, even using other filesystems should be possible.
It's great for keeping data private (as long as the encryption will hold, a couple of years longer maybe).
Once GPG can at least mount and hopefully also create "GPGdisks", I'll ditch PGP.
What would you expect from CA? (Score:1, Interesting)
One reason for PGP over GPL (Score:3, Interesting)
The principle issue that faces any developer wishing to integrate GPG is that it is covered by GPL. That means that even if it had an SDK (which the isn't) you couldn't link with it without infecting your own code. Even LGPL libs can't link with it. At present if you wish to use GPG, you must mess around constructing command line arguments, opening pipes etc., invoking it and then parse the results. It is a major pain. There are libraries such as GPGME that hide some of this from you but it is still slower than running in-process and has significant issues running on platforms like Windows or Mac where piping etc. might be done differently.
If PGP were opened up with either a LGPL or BSD style licence I can see it being used in preference to GPG. GPG has the better command-line interface and might be ok for scripts but PGP has an SDK (as well as a great UI on Win32) and would be ultimately faster if software can link directly to it.
Re:One reason for PGP over GPL (Score:3, Insightful)
Other programs do the same (have a separate security dedicated process). Check ssh and its privilege separation [umich.edu], and postfix and its multitude of little processes [postfix.org].
Re:One reason for PGP over GPL (Score:2)
Phil should work on Mozilla (Score:4, Interesting)
First it was the export restrictions that were deterring Mozilla crypto. Now it's something else. I guess these [mozilla.org] projects qualify for some of what's being done today, but I needed Mozilla to do built-in crypto years ago. The standard Mozilla comeback is "do it yourself". Well, I have neither the time nor the skill to do that. But Phil does!
NSA (Score:2, Interesting)
Mainstream email encryption (Score:2, Insightful)
1) Major email client providers agree on a standard
2) The ability to encyrpt/decrypt is provided with the default install of their product.
Errrrm... x.509 certificates! See this link. (Score:2)
x.509 certificates are supported as standard in shitloads of mail clients (inc. Netscape and the ever popular MS Outhouse). Many people regard those as an "industry standard"
However, x.509 is more suited to compannies, as each public key must be signed by a trusted certificate authority to be valid. (e.g. Signed by Thwate.... otherwise use openSSL [openssl.org] and set yourself up as a certificate authority and generate your own x.509 certs). This is only really practacle for a large company.
Individuals are better suited to PGP because of its "web of trust" model eliminates the need for certificate authoritys, but will be impractacle for a large organisation. (Its no wonder NA failed to sell PGP to companies.... the existing x.509 standard is mutch more suited)
See this link [mcg.org.br]
nobody gets it. (Score:2, Interesting)
So why didn't he free the source to it himself? (Score:2)
For a good read w/r/t Crypto in general (including Zimmerman and some of his past,) check out Stephen Levy's book Crypto. It is excellent.
Windows users: try GPGshell with Nullify GnuPG (Score:4, Informative)
I was using WinPT [winpt.org] for a while, until I stumbled on GPGshell. It calls GnuPG to do the work, so you never have to worry about entering your passphrase into a GUI. IMHO, it's a lot nicer than WinPT. When you install it, you get 3 programs, which don't need each other to work:
So anyway, here's what you do:
So far this setup has had no problem dealing with any PGP messages I've encountered, from 2.6.2 to 7.x, but I haven't tested it extensively.
Re:Why bother? (Score:2)
>proprietary privacy software does? There's no good
>reason one can't write their own Public Key >Encryption software
Because another Free implementation - of anything - will always be useful.
Re:PGP Source already open (Score:2)
close (Score:3, Informative)
With the source code able to be modified, it might be easy for some people to think of PGP as Open Source. "You could modify it if you wanted to, and run it on your own computer, but you could not distribute a modified version," Zimmermann explains
Anyways, i dont think NA has any obligation to do as Zimm asks, he sold it to em, and it's now their's to do with as they please, even if that means that they let it just die basically. It's a shame but it is their right to do so.
Re:close (Score:2)
but the article states that you can modify it and run the modified version on your machine, you just can't redistribute the modified code.
Nice selective clipboard. The article does not say that, it says:
"You could modify it if you wanted to, and run it on your own computer, but you could not distribute a modified version" (emphasis added).
The "could" here refers to past tense... before he sold it.
Re:PGP Source already open (Score:1)
Actually you *can* modify it and use it as you like you just can't *distribute* it.
Re:PGP Source already open (Score:2)
Re:PGP Source already open (Score:2)
Admittedly, it's not the latest and greatest - but this is open source folks, surely some talented hackers out there can expand on what is already open?
Try reading the article before you post. The article tells you why this couldn't happen.
-a
Re:Ethics please! (Score:2)
He sold it to them, yes, but now they've effectively killed it, and don't plan to do anything with it.. so it's fair enough that the pgp using world want's to see it opened. Zimmerman is one of those.
Re: (Score:2)
Re: (Score:2)
All Platforms Available! See pgpi.org (Score:2)
You need one of the international versions of PGP available from www.pgpi.org [pgpi.org] you do
Available on a shitload of platforms [pgpi.org]
And pgpi is a very trusted site
(I could also mention the Cyber Knights Templar [rootsweb.com] builds. Also very trusted + open source)