Phil Zimmerman and PGP at CNN.com 141
rick_campbell writes "CNN is carrying an article about Phil Zimmerman and the fact that Network Associates is dropping support for the commercial version of Pretty Good Privacy. The article includes a little bit of Phil's take on the situation, a little history and some discussion of why this happened and what alternatives exist."
PGP can be saved (Score:5, Informative)
"Anyone interested in helping should contact me," he added.
Re:PGP can be saved (Score:2)
Adobe missed out (Score:1)
... but wait a second. We already know they're only concerned as far as it doesn't cause bad PR.
No privacy at all (Score:1)
Im "starting" to get worried about XP privacy!
Re:No privacy at all (Score:4, Insightful)
If you are really concerned, there still exist free s/w while do pretty decent job with RSA encryption algorithm. Though mind you they might not integrate into Outlook etc. as PGP did.
The crux is it'll be a long while before encrypted E-mail is the norm of every human. I have to handle mails from 100 different people professionally daily, some containing sensitive information of the sender, but they don't care to encrypt it using PGP or any other tool, and send me their sensitive info. like anything.
Re:No privacy at all (Score:3, Interesting)
I've found GPG to be very difficult to use, even as someone who uses the command line a lot, I've neither got the Windows nor the Linux version to encrypt anything yet.
they might not integrate into Outlook
Does anyone know a decent Windows email client (i.e. not Pegasus or Outlook) which does handle PGP messages?
Try The Bat! (Score:3, Informative)
Does anyone know a decent Windows email client (i.e. not Pegasus or Outlook) which does handle PGP messages?
Might I suggest The Bat! [ritlabs.com]?
Funny name, yes, but it's rapidly become my second-favourite MUA (after KMail) and certainly my favourite on Windows. It has support for both PGP and S/MIME encryption and signing (although it uses its own built-in PGP implementation which I'm not entirely happy about). It's not free in any sense of the word either (it's 30-day trial shareware), but hey, this is Windows we're talking about.
WinPT (Score:2, Informative)
Eudora (Score:2)
About as easy as it gets.
Re:No privacy at all (Score:1)
Actually works in XP (Score:3, Informative)
It is very easy to click on the tray icon and encrypt or decrypt the "current window".
From what I understand, 6.5.8ckt works better with XP than any other PGP version. I undersatnd the plugins and possibly PGP Net causes issues in XP.
Re:Actually works in XP (Score:2)
7.x solves this issue.
All these interviews and headlines (Score:5, Funny)
That's all he wants.
Cool information on article (Score:4, Funny)
Nice, nice!
But wait! (Score:1, Funny)
Re:Cool information on article (Score:2)
Re:Cool information on article (Score:1)
Not VERY smart? Oh... youre being nice dont you?
As someone who should know better, (Score:5, Interesting)
Re:As someone who should know better, (Score:4, Insightful)
Plugins exist for Outlook integration, FYI.
Re:As someone who should know better, (Score:2)
Re:As someone who should know better, (Score:2)
Anyhow, I don't encrypt my email, except when corresponding with the few other folks for whom I have keys. However, I do sign every message I send -- and this is, in my opinion, a worthwhile activity even if 99 out of 100 times that signature isn't checked. The reason is simply this: If someone forges a message in my name, and it doesn't bear my signature, I'll be able to deny it with a great deal of credibility -- even if the headers are such that it appears to be coming from my ISP, &c. By making forgeries easily detectable after-the-fact, I'm prevented from being held liable for any false statements made in my name. Ditto for documents I create which are later modified by a malicious third party: It can be determined with certainty whether a version has been modified after-the-fact or is the document I actually signed. These are useful attributes, and in my view more than justify my use of GnuPG.
Re:As someone who should know better, (Score:1)
Re:As someone who should know better, (Score:1)
This fellow discusses some technical issues he'd had with NAI PGP; I address them; and you pop in with a comparison of PGP use to being the only person in town with a telephone.
If there's a wider relevant context... well, I haven't been looking at it.
Re:As someone who should know better, (Score:2)
Re:As someone who should know better, (Score:2)
Actually, I don't sign everything I send just for the same reason.
Most of my email correspondence is of a conversational nature. But it is a conversation in written form. Thus, there is more than ample opportunity for one's words to come back to haunt one - off-hand jokes, out-of-context comments, temporary stupidity, etc. Because of this, email presents a possible risk.
Because of the insecure nature of email, there is a certain degree of deniability to it. However, even this slim margin is lost when one signs the potentially offensive email.
I do include my PGP ID and fingerprint in my signature. And I sign anything official or requiring protection from forgery. Though I have to admit, it is not as much a conversation starter as a PGP signature text added on a regular basis.
The End User Still Doesn't Care (Score:5, Interesting)
I was talking to a company about orders the other day and one of the ways you could place an order with them was to E-Mail them your credit card number. I told them I wasn't sending my credit card number over the open internet and asked if they had a PGP key I could encrypt to. They had no idea what I was talking about. After that I wasn't particularly willing to entrust my credit card number to them at all...
The old US Crypto regulations did a pretty good job of stunting crpto-enabled mailers in the US, too. Since you couldn't export encryption or even an "Encryption enabling API" there wasn't a lot of integration work going on. Sure you could get a set of scripts to use PGP or GPG with Pine, Mutt or XEmacs, but most of the people using those mailers didn't even go to the effort. We won't even go into the happy fun GUI mailers that Joe Average User wants to use. PGP did do a good job of integrating into Outlook, at least.
The upshot of all that is I think it'll be a long while before encrypted E-mail is the norm.
Re:The End User Still Doesn't Care (Score:5, Interesting)
It makes signing and encrypting AND decrypting email pretty darn easy. If a user cant figure it out today they need to be beaten over the head with the keyboard... the HARDEST thing about GPG is creating your own private key.
Re:The End User Still Doesn't Care (Score:3, Insightful)
However, with email encryption, there is still the problem of validating keys. Most people don't understand why they have to check fingerprints and sign keys, and they get lost when you try to explain a "man in the middle" attack.
Re:The End User Still Doesn't Care (Score:2)
So I don't know what David Del Torto means when he says "and it's really not there yet,", but it probably means that when he clicks on "Start" he doesn't see it yet. Maybe he should switch to Debian.
Re:The End User Still Doesn't Care (Score:5, Insightful)
If they select a check box to "Secure E-Mail" when sending e-mail to someone, and the details of how it happened were hidden, people would do it.
But, if it requires you to exchange keys with someone & manually manage the process, only the techies will do it.
It's a tough nut to crack.. To do it right, you need a trusted authority to manage identities & keys. I don't see any sign of this happening.
Re:The End User Still Doesn't Care (Score:2)
Even if you use encryption, I worry that the gubmint is going to threaten me with 20 years of ass-pounding in a federal penetentiary unless I give up my keys.
Re:The End User Still Doesn't Care (Score:5, Interesting)
I used to carry the same sentiment, complaining if a merchant provided no "secure" means of credit card information transfer.
The problem is that although email may be a much less secure method of transfer than other commonly accepted means, the generally accepted methods are almost as insecure.
e.g. - when you patronize the local drive through, realize you don't have enough cash on hand to cover your embarrassingly large order and are subsequently forced to pay with your credit card, do you know what goes on behind the window once you hand your card over? What number of pimply-faced purveyors of fast-food goodness are given the chance to jot down your card number, just as if they were to brows through the inbox of your unsecured merchant?
Likewise, when you make a purchase at a store such as CompUSA, where they take an imprint of your credit card for their records - how do you know that the storage of the receipt is anything approaching secure; that they shred the receipt sufficiently after its use is fulfilled???
While I agree that online merchants with decent security policies on buyer CC information may make me fell more secure, it is really only semantics... For all I know, the person receiving my encrypted CC info just decrypts it, jots it down on a sticky note, and sticks it on his monitor for anybody to see so that he remembers to complete my order in the morning. (Very unlikely, yes - but very possible as far as I can tell...)
Re:The End User Still Doesn't Care (Score:2)
Re:The End User Still Doesn't Care (Score:1)
Re:The End User Still Doesn't Care (Score:2)
People are perfectly comfortable handing over there credit card and letting it out of their site for extended periods of time.
Just think about when you use your credit card at a gas station. Some of those franchise owners are not the most reputable people.
The list goes on and on.
.
Re:The End User Still Doesn't Care (Score:2)
A very valid point. But I can't help but think that sending credit card information unencrypted would be like standing out on a street, hailing down someone heading in the direction of McDonald's, handing them your card, and asking them if on their way they wouldn't mind picking up a couple burgers and drop them off on their way back.
Re:The End User Still Doesn't Care (Score:2, Interesting)
Re:The End User Still Doesn't Care (Score:2)
"..it'll be a long while before encrypted E-mail is the norm."
It makes me wonder. Maybe by the time encryption becomes the norm, it's most useful forms will be obsoleted by Moore's law.
Re:Would he care if... (Score:1)
Doesn't anyone use S/MIME? (Score:3, Informative)
Then, I go to Outlook, or Outlook Express, or Netscape Communicator, or Mozilla, and I install the certificate. Then, I click the "Digitally sign this email" checkbox to automagically send my certificate to sign the email, and additionally click the "Encrypt this email" once I receive a certificate from an end-user to encrypt the email.
Sure, there are scalability issues, but any good PKI implementation can take care of those for corporate use. And, with a Network of Trust like Thawte is creating, you get the PGP-like ease-of-use with the PKI-class trust-level of a real PKI. All for the home user.
And no, I don't work for VeriSign or Thawte. I did work for a company that used certificates. A lot...
Re:The End User Still Doesn't Care (Score:1)
Re:The End User Still Doesn't Care (Score:1)
I think that Open Source/Free Software is the proper thing to solve the problem of insecure e-mail. Once a free and open standard emerges, businesses will be more inclined to get behind it. The idea that other companies can read their e-mails will scare companies enough to get behind it.
I'm optimistic about the future of crypto in the long term.
the icon (Score:1, Funny)
Tech support going the way of the dodo (Score:4, Interesting)
To which I say fine. Alternatives for most of the stuff we use here, messaging systems, web based stuff, etc. can be found in open source projects or written in house. This is just another golden opportunity for open source software. Maybe my boss will hear my pleas now.
Sad day for Joe Schmoe (Score:1)
Curiosity... (Score:4, Interesting)
Re:Curiosity... (Score:1)
dam()
Re:Curiosity... (Score:1)
Human rights groups (Score:2, Insightful)
There are people in countries with really bad governments who are using PGP to communicate.
Re:Human rights groups (Score:1)
Phil Zimmermann's website has some nice testimonials [philzimmermann.com]. This crypto stuff really does save lives, and I hope the geeks of the world are up to the challenge of keeping PGP alive.
Re:Curiosity... (Score:2)
Re:Curiosity... (Score:2)
Presumably, some top-management are uphappy about the idea of their network-support people having access to their private email.
Re:Curiosity... (Score:3, Interesting)
Then you have never attempted to submit a vulnerability or links to fixed software to CERT.
I believe their approach is "if we make it hard for them to email us, we won't have to work so hard!"
---
I'm not an expert, but I play one at work.
Re:Curiosity... (Score:2)
Re:Curiosity... (Score:1)
I do by using a combination of procmail [procmail.org] and mail-bounce [spots.ab.ca]. Here's how [bogosian.net].
Uhhh PKI? (Score:3, Insightful)
products aren't all that easy to use - Most email encryption I have seen is implemented as simply depressing a toolbar icon. Is that really that difficult?
and the threats of not protecting e-mail from prying eyes aren't all that easy to explain, Hill said - Hill can't be serious. How about two words? Intellectual property. or how about these two: National Security. Or how about these two: Excessive litigation
Also in an article that supposedly discusses alternatives for encrypting email, PKI isn't even mentioned. What a terrible article.
Re:Uhhh PKI? (Score:3, Informative)
For those who don't know, PKI=Public Key Infrastructure. It's how you know that a public key you have for someone is actually the right one. Having a working (i.e. secure) PKI is what makes "using" encryption difficult. Everyone always assumes that explaining PKI to anybody is too difficult, so reporters like the one who wrote this article say things like "products aren't easy to use" when really they are and all the difficulty is in having a secure PKI.
It is probably telling that most widespread PKI, used for web certificates is pretty much completely broken in practice. Do YOU look at the company name listed on the certificate before you send you submit your credit card info? I've never seen a browser that by default gets you to at least verify that the company name on the cert is right. This makes man-in-the middle attacks almost easy.
Re:Uhhh PKI? (Score:1)
Three companies that sell these systems are:
Entrust Inc. [entrust.com]
RSA [rsasecurity.com]
Baltimore Technologies [baltimore.com]
Establishing your own CA (Score:1)
You can create a CA yourself fairly easily (see OpenCA [openca.org] for one example). The real problem is how to get your root certificate onto users' machines. In a "closed" environment, it's simple to install the root cert on all machines that may need it; in the more general case, even though it is simple to create a link that will install the root cert, persuading Joe User to push on past the scary messages is a different matter.
Another great idea dies (Score:3, Insightful)
Network Associates and the Government (Score:1)
Here's where a monopoly can help... (Score:1, Interesting)
Now who wouldn't celebrate something like that?
Here's where a monopoly can create a monopoly (Score:1)
You really want a company known for "Embrace and Extend" and "decommotized protocols" strategy, to push a standard for email encryption?
"Oh, your Sylpheed and gpg can't read my email? Well, just upgrade to Outlook. Outlook users can read my email just fine." -- Overheard in 2005.
Compatability (Score:1)
Loved the NA PGP product for Outlook (Score:1)
Sigh...
ehh? (Score:1)
Health Care Regulations and Encryption (Score:4, Interesting)
I work for a collection agency and since we collect for hospitals sometimes we have been looking at this. We were going to use PGP as clients have specifically mentioned that they require it. Now I am not sure what we will do. Much of what is available out there has restrictions on being used for business.
The movement towards being more secure information delivery seems slow but it is moving forward.
I am just real interested in seeing what kind of alternatives surface for businesses like ours.
.
Re:Health Care Regulations and Encryption (Score:1)
Bad news for the common user (Score:1)
I am deadly sure that, just after MS includes the "Encryption Wizard" application for managing your keyring (with a nice animated paperclip, of course) crypto be quickly adopted by everyone.
I don't think Mr. Gates cares about educating the masses, though.
Just my humble opinion, but I'm serious at it.
Largest Problem with Encryption ... (Score:2, Interesting)
Until it gets simpler, easier, better integrated with email systems, it won't be widely accepted.
Come out with a local system proxy that resides on the local machine, and have all email route through there. Have IT check to see if there is a public key for the email address, and let IT encrypt and forward onto the "real" email server. Have it handle simple text mail ... and voila ... you have a simple system that EVERY email system could use (POP3/IMAP servers in the proxy) ... and it would be simple, since regardless, it gets sent out encrypted.
BTW, I came up with this system a couple of years ago ... company folded ... I wouldn't want to work on this again since I'm "tainted" ... but ideas are free ...
Encrypted email alternatives (Score:4, Informative)
The closest thing to the dream of "just press a button" is the S/MIME in Outlook. That still requires users to get a certificate ("a what?!", they will ask). And S/MIME has drawbacks.
Pushbutton encryption is a delusion anyway. The details of key management are indispensable to security and require out-of-band verification. Unless you've checked a key fingerprint, or totally trust a key signer, you can be attacked by feeding you a fake public key and all the crypto wizardry is irrelevant.
Re:Encrypted email alternatives (Score:3, Informative)
Working for a security firm, we decided to use Outlook and S/MIME. We had a policy that we would sign all messages by default, and use encryption where possible. After over a year of problems, we have stopped the default signing. We still use encryption, but not as much. The problems included:
* People not being able to read a S/MIME signed email - includes Hotmail and certain combinations of Outlook/IE (since Outlook gets most of it's crypto libraries from IE, the version of IE is important). Sending people messages that can't be read is a serious barrier!
* Random false-negatives for signed messages. Once in a while, a message would indicate it had an invalid signature, but we could discern no change from the proper message. It does not build confidence to tell people, ignore the error message saying the email has been tampered with!
* Outlook is really lousy when it comes to acquiring and managing certificates. I'm guessing they designed it with Exchange in mind (assuming some corporation puts certificates in Exchange for a closed system). Initializing and managing certificates was a real pain, even for those who knew precisely what they were doing.
* Outlook did not have a "use encryption only if person has certificate" option, which meant that you had to manually select encrypted email every time you wanted to use it. Also, there is no good way to send a single message with encryption to people who have the certificate and ability to read it, and no encryption for people who don't.
* Occasionally we could not read encrypted mail because of a variety of errors. The most common was obscure certificate issues (actually bugs, since most of these errors should not have been transient).
* The level of S/MIME encryption would vary, according to obscure and undocumented reasons (probably bugs too). I always selected 3DES, but more than half of my messages went out with some other form of encryption. Even worse, Outlook does not give you any warning that your message is going out with weak encryption!
Not all of these are S/MIME problems, but as you can see, we are still very far from "just press a button".
PGP needs saving? (Score:2)
Many ask "how can I use this?" and etc. I suggest getting a Hush-mail account and getting your friends to do the same.
Hush-mail has no problems with adding in PGP keys - and I've e-mailed my buddies who have Hush-mail with my PGP'd mail.
I think the software needs to be maintained, but of course it's far from dead. I'd just like to see PGPhone 'grow-up'. It's an awsome app.
Re:WHAAAA!!! (Score:1)
a practical cost/gain proposition (Score:1)
By the way, if there is existing related work then please mention it.
Getting to encrypted email from here (Score:3, Interesting)
First, it will get integrated into mail clients, for those users who insist on it, in a half-hearted way. Then mail clients will pop up a warning when you send something unencrypted, which most people will just click through for most messages, but people might notice when they're sending a message which they wouldn't send by plaintext HTTP. Then it will become normal for sites with HTTPS servers to have PGP keys for email. It probably won't get much beyond that any time soon, though.
As far as implementation, I anticipate PGP and similar software dying out, in favor of PGP-like crypto functionality being supported in OpenSSL. Why OpenSSL? Because it has become the standard security library implementation. OpenSSH uses OpenSSL, even though SSH competes directly with telnet-over-SSL. OpenSSL also has all the cryptographic functions, it's BSD-licensed, and a lot of security-conscious projects beat on it. Once OpenSSL has support for PGP-formatted stuff, it will be easy for email clients to integrate it. Also, since many email clients are integrated with browsers, which need SSL support (and so use OpenSSL already), it's simply a matter of calling the decrypt function when you get an encrypted message, storing public keys in the address book, and encrypting messages to anyone who has a public key in the address book.
It is no longer necessary to have a separate program for encryption. Writing crypto code is hard, but OpenSSL does or will do almost all of it, so you're left with managing the user's private keys (just like managing client certificates), managing other people's public keys (just like managing site certificates), and distributing the user's public key (just like business-card attachments). The only tricky thing is in signing other people's keys, but if you're not worried about active attacks with people who you don't talk to out-of-band and who don't aren't corporate sites, you don't need to bother.
Inventor? (Score:2, Interesting)
"PGP inventor Phil Zimmermann says PGP.. "
What about Rivest, Shamir, and Adleman? Some guy puts a wrapper around their invention and suddenly he's the inventor -- R,S, and A don't even get a mention.
"Thanks for the technology...now get lost."
Re:Inventor? (Score:1)
Re:Inventor? (Score:2)
Phil did V1.0 himself. Many others helped afterwards, but the main ideas and driving force came from him. Amongst the others involved with the early releases were Branko Lancaster, Colin Plumb, Pete Gutmann, Jean Loupe-Gailly (of zlib fame) as well as many others. My contribution was just one of the early ports. Phil only really took a back seat in the development when the feds started giving him problems.
What he did was to make a combination of public and private key algorithms in a form that could be used. The stuff from RSA labs was definitely not so easy to use or integrate. Maybe he was only able to reach out to geeks, but a lot of people who were outside the military/govt world suddenly started using high-end crypto. Thank Phil for that even if didn't invent RSA.
Problems with encryption (Score:2)
First of all, key exchange is an arduous process. You can't possibly trust a third party to get you keys and whatnot; In fact the ONLY valid way to get a key from someone is in person, face to face. That's it, period. Anything else is questionable. Users just aren't going to do this.
So basically, reasonable use of encryption is not going to happen until everyone is carrying around PDAs. Maybe that will be because all digital watches will be PDAs, or maybe they'll just become so cheap that every computer user will have one; I can't imagine it would cost that much to make a slim version of the good old palm pro these days, but of course 3com won't want to undercut their market. Until something like this happens, though, only geeks will use crypto.
There's another problem, too, though a lesser one; You have to make a backup of your key, or you will lose it if your computer decides to throw a disk or just scramble its contents (Windows XP Dynamic Disks, anyone?) And as we all know, only a long passphrase is a good one, but coming up with a long passphrase which is not easy to guess but is easy to remember is tough. We have computers so we don't HAVE to remember things. It would be better if you could use some sort of biometric system to store your passphrase.
Marketing encryption (Score:3, Interesting)
Disclaimer: IANIM (I am not in marketing)
As I see it, there are two barriers to widespread adoption of PGP (or GnuPG). The first is usability; the second, more important one, is demand. People do not see the necessity of encryption, and in fact, many associate encryption with criminal activity.
The first problem can be solved through the proper use of technology: create user-friendly interfaces for key generation, key management, etc. The goal should be to make PGP/GPG as easy to use as a word processor, spreadsheet, or video game.
The second problem can be solved by promoting digital signatures as opposed to encrypted email. Most people don't care that their email is as open as a postcard. In addition, a significant chunk of the population associate encrypted email with organized crime and terrorism. These are the factors we have to work against in promoting encryption as a way to keep email private.
Digital signatures are a different matter. There is no social prejudice against digital signatures per se, and the need for digital signatures is easy to demonstrate, as detailed below.
Most people believe the From: headers on their emails without question. Unfortunately, it doesn't take much technical skill to fabricate an email with a fabricated From: header. (Below is a Python script that does just this). It's therefore trivial for a malicious person to send all kinds of forgeries to you, your friends, your co-workers, etc. The social damage can be catastrophic.
Digital signatures solve this problem neatly: if you have any doubts about who actually sent the email, or the actual contents of the email, the digital signature gives you near mathematical certainty that the message and sender are authentic.
In my experience, it only takes a couple of humorous demonstrations to get the point across to your intended audience; after which, they become motivated to learn and use PGP/GPG to sign and verify the signatures of emails. Using PGP/GPG for encryption is a logical next step.
By the way, if you do try to demonstrate the forged From: header trick, please make absolutely sure that your audience is prepared ahead of time, and that you are legally authorized to do this, before you make your demonstration. Otherwise you could unnecessarily end up in a heap of trouble.
It should be noted that PGP and GPG have an advantage in meeting the demand for digital signatures, since they're both relatively mature technologies. The danger is that the government could push hard for their own scheme, with built-in back doors and/or mandatory key-escrow. Selling secure, non-escrowed encryption is going to be much harder in the present political climate than it was before.
Hope this helps.
PGP lives!!! (Score:1)
The perfect should not be the enemy of the good (Score:1)
Several comments have pointed out that encryption demand just wasn't there. I agree. While we would like to think that every end user would see the need for encrypted e-mail, we all know that hasn't happened. Yes, if MS or AOL made including encryption a standard part of their e-mail packages, that would go a long way, but the complexity of encryption needs to be hidden from the end-user.
Truth be told, most people really don't need encryption on a message-by-message basis. Encryption activists feel that a world with strong encryption is broadly a better one, but that requires a "network effect" from adoption and the current costs for adoption for end users are just too high in terms of complexity for them to want to go to the effort of adopting it for a vague future goal -- even assuming they comprehend it and agree.
Effecting real change may require backing away from some of the ideal crypto solution as a way of avoiding the complexity costs. People have mentioned several areas of complexity, including e-mail program transparency, certificate management, out-of-band verification, and trust networks.
However, if we consider web-browsing, these have been effectively hidden from end-users and have thus failed to hinder adoption. Web browsers have public key encryption built in, plus a master set of certificates for verification. Because web browsers don't require two-way verification of identity, users don't have to worry at all about managing their own key. Adoption of SSL has been effectively transparent to users. Those who seek to have crypto email become the standard should seek similar solutions to transparent adoption first, rather than seeking to delivering the most sophisticated crypto. Once adoption has been catalyzed, the technology can be improved as the masses become familiar with it.
Designers of the next generation of e-mail software should look to make certificates a natural part of the email environment. This should first center on identify verification, not encryption. There are several places this could happen:
What this largely throws out is the element of getting signed certificates and requiring consumers to manage them. However, I'm certain that after people got used to the idea, the notion of having their digital ID certified wouldn't be so complicated. (It would of course need to be affordable.)
(One could imagine that when governments begin to issue digital ID's these will be signed by the government and could be used for e-mail signatures as well.)
The question of course is who could make all this happen? It probably still falls to the major e-mail program makers. I'm surprised that MS hasn't started down this path. Building in transparent signatures like this should be beneficial for their corporate business, and they should be able to sell lots of PKI add-ons for corporations to do certificate management. (Ironically, I think Notes has had this built in for ages, but it only works within the Notes server.)
So, anyone from MS listening? Now's your chance to delivery against your privacy initiative. Best of luck.
-XDG
Alternative for MacOS? (Score:2)
Cool GPG web of trust links (Score:2)
Here are some cool gpg links:
http://biglumber.com [biglumber.com]
key Signing Mailing List [alt.org]
Encrypt!!!
PGP can seem "scary" (Score:2)
All your file are belong to us! (Score:1)
Phil: What happen?
Admin: Someone set up us the bomb.
Receptionist: We get signal!!
Phil: What?!?
Receptionist: Main screen turn on.
Phil: It's YOU!
Asscroft: How are you gentlemen !!
Asscroft: All your file are belong to us!
Asscroft: You are on the way to destruction.
Phil: What you say!!
Asscroft: You have no chance to survive make your time!
Asscroft: HA HA HA HA
Phil: Take off every 'gpg'
Phil: You know what you are doing.
Phil: Move 'gpg'
Phil: For great crypto!
Anyone with any sense knows that the Feds have been working for years to stop the public from having strong crypto. They have a great excuse now for pursuing and eliminating easy-to-use crypto. I just can't get the image of Asscroft, spittle spraying from his gob and drooling onto his chin, chanting random passages from the Bible while he plots the next liberty-divesting move that he and his goon-squad comit.
Paranoid? SURE!!!
Correct? PROBABLY!!!