PGP Is 15 Years Old

An anonymous reader writes "PGP Corporation salutes the 15th anniversary of PGP encryption technology. Developed and released in 1991 by Phil Zimmermann, Pretty Good Privacy 1.0 set the standard for safe, accessible technology to protect and share online information."

Finally Legal!

[pen]

Congratulations, PGP! Now legal [ageofconsent.com] in Bulgaria, France, Monaco, and Thailand.

Oh, and I almost forgot Poland!

Re:

[Zonk (troll)]

Note to self: Plan trip to Bulgaria, France, Monaco, or Thailand.

Re:Finally Legal!

[dubbreak]

In Canada it can get jiggy with other encryption technology as long as it isn't >5years senior (and was able to last year as well). It'll have to wait until 16 to consent for any age and 18 if it is interested in encryption with influential power over them. I'm not sure if there are laws about related algorithms. In my neck of the woods we don't code that way.

Wait? ZIMMERMAN?

[gcnaddict]

Zimmerman? A person named Zimmermann made PGP?

As in Zimmermann with the same spelling as this Zimmerman [wikipedia.org] who was tied to this event? [wikipedia.org]

Re:

[jmp]

Or as in that Zimmerman [wikipedia.org] who was involved in that event [wikipedia.org], and wrote that song [wikipedia.org]?

Re:

[diersing]

The latter, otherwise you might end up on someone's watch list and he doesn't check twice for accuracy.

Re:

[shoelace_822695]

the key word there is _voluntary_..

Age of consent laws are there to say.. "until you are this age, you are not mature enough to decide if you can have sex or not"

it is the Age of COnsent laws that define the difference between Rape and statutary Rape. with the latter being where the young person 'consents' but is deemed to not be able to make that choice.

it is analogous to driving and achohol laws.. at age X are allowed to buy alchohol or drive a car on public roads.. but at age (X - 1day) you are not.

an

First encrypted post

[Anonymous Coward]

     -----BEGIN PGP MESSAGE-----
     Version: 2.6.2

     hIwDY32hYGCE8MkBA/wOu7d45aUxF4Q0RKJprD3v5Z9K1YcRJ 2fve87lMlDlx4Oj
     eW4GDdBfLbJE7VUpp13N19GL8e/AqbyyjHH4aS0YoTk10QQ9n nRvjY8nZL3MPXSZ
     g9VGQxFeGqzykzmykU6A26MSMexR4ApeeON6xzZWfo+0yOqAq 6lb46wsvldZ96YA
     AABH78hyX7YX4uT1tNCWEIIBoqqvCeIMpp7UQ2IzBrXg6Gtuk S8NxbukLeamqVW3
     1yt21DYOjuLzcMNe/JNsD9vDVCvOOG3OCi8=
     =zzaA
     -----END PGP MESSAGE-----

Re:First encrypted post

[Anonymous Coward]

hIwDY32hYGCE8MkBA/wOu7d45aUxF4Q0RKJprD3v5Z9K1YcRJ 2fve87lMlDlx4Oj
eW4GDdBfLbJE7VUpp13N19GL8e/Aqbyyj HH4aS0YoTk10QQ9n nRvjY8nZL3MPXSZ
g9VGQxFeGqzykzmykU6A26MSMexR4Apee ON6xzZWfo+0yOqAq 6lb46wsvldZ96YA
AABH78hyX7YX4uT1tNCWEIIBoqqvCeIMp p7UQ2IzBrXg6Gtuk S8NxbukLeamqVW3
1yt21DYOjuLzcMNe/JNsD9vDVCvOOG3OC i8=
=zzaA

Yup, It tastes exactly like chicken.

Regards,
    The NSA.

Re:First encrypted post

[mattwarden]

Leave my mother out of this.

Re:

[AftanGustur]

This is better (and actually works):

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

owFbo5vE7Jta7BqjGM8VmV+qUJyRX5qTopCRWJaqkJKfl6qQWa KQk5mdqlCSkVms
xwUA
=RODv
-----END PGP MESSAGE-----

It's sad...

[Creepy Crawler]

That there's still no equivalent to the old PGPphone.

That thing ROCKS ;)

Re:It's sad...

[Noksagt]

PGPfone does still run under Windows and the source is available [pgpi.org]. Zfone [zfoneproject.com] (also by Phil Zimmerman, is a new secure VoIP program. Gizmo and Skype also have encryption (though they're closed source).

PGPfone was AMAZING

[posterlogo]

It had very clear full-duplex quality, was simple to set up and use, and was largely platform independent. I was in a long distance relationship in college at the time, and my girlfriend had a mac (I had a PC). PGPfone was the only VOIP solution in 1999 that allowed us to voice chat for free (remember, this is before unlimited minute cell phones). Absolutely amazing as a voice chat program, let alone all its privacy features.

Re:

[charlesnw]

And we all know privacy is very important for relationship type converstations. Like phone sex :)

What's been the problem with encrypted voice?

[Beryllium Sphere(tm)]

Starium fizzled, SpeakFreely was abandoned, STU-III prohibitively overpriced, GSM crypto pathetic, Skype has secret crypto which means nobody savvy will trust it for serious work, and SIP/SRTP: well, a typical comment about that is "Are there any SIP implementations currently supporting SRTP?".

Re:

[gnoshi]

Yes, yes there are.

Twinkle [twinklephone.com] (Linux) supports both SRTP and ZRTP.
Minisip [minisip.org] and Minisplat [minisplat.org] (both Linux) presently support SRTP and are working toward ZRTP support.
Eyebeam [counterpath.com] (Windows) supports SRTP
ZFone [zfoneproject.com] (Windows, Linux, MacOSX) uses ZRTP and can work with any SIP-based software (because it intercepts and encrypts the stream).
OpenWengo [openwengo.org] (Windows, Linux) is in the process of implementing SRTP, with some automated key exchange, and later ZRTP is planned.

So really, the answer is: yes, yes there are implementations.

too bad

[Lord Ender]

Unfortunately, in the real world, 99% of email users can not or do not want to maintain a web of trust. That is why S/MIME is going to kill the PGP market. PGP/MIME is only big because it was first on the scene.

Hell, even mutt supports S/MIME. Imagine SSL with a web of trust--yuck!. PKI is the way to go...

Re:too bad

[poliopteragriseoapte]

I checked, via pgp.mit.edu. In my university, with 16000+ people, I am the only one with a PGP key signed by someone outside of my university, and I think that no more than 20 people have a PGP key uploaded to pgp.mit.edu. And there is simply NO WAY I can convince staff (or pretty much anyone) to accept my PGP-signed emails as something especially valuable (and as a replacement for a paper signature), or to send me confidential information via encrypted email instead of having me go pick up paper folders somewhere. On the other hand, everybody seems to accept as "signed" the pdf letters I produce, which include a photographed copy of my signature. I have given up.

Re:

[Anonymous Coward]

On the other hand, everybody seems to accept as "signed" the pdf letters I produce, which include a photographed copy of my signature. I have given up.

Actually with modern PDF you can digitally sign a document, much like with PGP

Re:

[flashbulb]

That is utterly ridiculous. I feel your frustration.

Re:too bad

[technicalandsocial]

I think you're confusing a few things.

Web of Trust (WoT) is a PKI model. Certificate Authorities (CA) is a competing PKI model, and the one apparently you prefer. Have you taken a look at the CA list of trust in your browser lately? I for one prefer WoT, although more work on the part of the user to maintain, the trust model is based on me, not "Staat de Nederlanden" or any other company I've never heard of. Not to mention the stolen Microsoft certificates of a few years ago. There is nothing to stop us from moving to a WoT model for our browser PKI, just as there is nothing stopping us from using the CA model for email, it's just how it's been implemented for us thus far, and which we choose to use.

MIME vs Inline are competing ways of using PKI in email, it appears you prefer MIME which does appear to be the merging standard.

Re:

[Lord Ender]

Nope, I'm not confused. You're pedantic.

It doesn't matter what you prefer. It will WoT will NEVER catch on. S/MIME will catch on as more organizations adopt it internally. Soon people will want to do at home what they do at work, and companies like Thawte will let them do so. Once gmail or hotmail start allowing "verified" (signed) mail to premium users, the rest will be history.

Re:

[Llanfairpwllgwyngyll]

"PKI - there is no P and no I.... in practice it is just a bunch of K...." - me

S/MIME is great. Inside a single organisation. But beyond that.... forget it. And I have seen many MANY attempts across MANY serious organisations.

Webs of trust are not the only trust model PGP can implement. In the serious business world, PGP Universal is making steady progress; policy driven, nice and easy for the users. Of course, it supports S/MIME too for all the poor souls in external organisations stuck with that :-)

S/MIME has been around a long time too

[Beryllium Sphere(tm)]

And it has not killed the PGP market or even gotten major traction. What percentage of your legitimate incoming email is S/MIME signed? Even from your bank?

Also, bear in mind that CA-based PKI is a strict subset of web of trust.

The lesson is that crypto goes nowhere in the market unless it's as transparent as TLS.

>can not or do not want to maintain a web of trust

PKI shouldn't be difficult, but from what I've seen it does seem to be beyond human comprehension.

Re:

[Lord Ender]

Every time you use SSL/TLS you are using the "CA-based" PKI.

Re:

[DrXym]

S/MIME hasn't exactly killed PGP in all the years both have been around. Getting a PKI cert is an massive pain in the arse, costs money (and / or involves trusting someone with personal details like SSN or passport nr), requires annual renewal, results in larger attachments, slower encryption, and doesn't offer better crypto over PGP.

Sure, getting signed by a CA is useful for trust but only when the signature bestowes trust. Look at the small print on most sites and you'll see that the signature bestowes

Re:

[Morlark]

Oh, I dunno, it would be really great if someone developed a plugin that could work with a major email client, so you could use just one click to sign or encrypt emails, or import keys from a keyserver, or decrypt emails from others. I'm thinking they could call it something like "Enigmail" [mozdev.org]. I think that name has a nice ring to it, don't you?

Thanks, Phil!!!

[jamstar7]

I used PGP back in the day when it was still illegal due to the 'fact' that it was considered a 'munition'. Thanks, Phil, for giving me the amount of encryption enjoyed by many small governments of the day...

Re:

[Creepy Crawler]

Damn straight.

If I met him, Id buy him a few drinks (well, as many as he wants. he deserves it).

Re:

[pegr]

If I met him, Id buy him a few drinks (well, as many as he wants. he deserves it).
 
No lie, a lesbian friend of mine once shared drinks in a hot tub with Phil in Colorado. She said he was a bit of a jerk. Of course, she hates all men so I really can't go by her opinion.
 
Ya know, I've been waiting a long time to share that factoid with somebody who would know who Phil Zimmerman is. Never thought for a moment it would be a Slashdot post...

Re:

[tomstdenis]

Um, it was illegal to EXPORT not use. Get your fud straight.

That not withstanding he [and people like him] went through hell to free up crypto projects for the rest of us. I, myself, give out a crypto library that slips through relaxed regulations on free software.

Kudos to Phil, his supporters, and PGP as a whole. [except Jon Callas, he's a jerk and I still hate him]

Tom

Re:

[jamstar7]

I said 'illegal', but never mentioned importing or exporting it. Phil went through quite a lot of legal trouble for publishing it, and under today's US government, would probably be wasting away while waiting on a tribunal for 'National Security' crimes if it came out last month.

Re:

[tomstdenis]

The munitions clause was for EXPORTED software. It wasn't, and isn't, illegal to use or publish domestic cryptographic software.

For crying out loud it's NBS (defunct, now NIST) who solicited for and published DES and 3DES in the first place!

Tom

Re:

[Morphine007]

Yes, but he PUBLISHED it on teh INTARWEB (well... usenet...but anyway) which the gubment then claimed was EXPORTATION [wikipedia.org] (Read the first two paras in the History section)... not only is the GP 100% correct, but so are you... go figure, huh

/me hands Tom a KitKat

chillax...

Re:

[tomstdenis]

Yeah, my point is that PGP wasn't illegal, making it available on the intarweb was. (and technically, without an export license, closed source software must be reviewed first..., even today) /me enjoys kitkat, still thanks Phil for going through hell for me. Still uses GPG for my projects...

Re:

[Morphine007]

(and technically, without an export license, closed source software must be reviewed first..., even today)

Yes, but thankfully if you get caught (assuming what you say is true) you won't get crucified for being an arms dealer... which is what they wanted to do to him, for allowing it to get out. And actually, it wasn't illegal for him to make it available on usenet... it became illegal the second a non-USian downloaded a copy.

I heard somewhere that one of the biggest reasons why this attempt to screw Phi

Re:

[tomstdenis]

Well you can still get in trouble for distributing closed source proprietary crypto without a license. The new exception is for free open source, which makes things like GPG and my LibTomCrypt possible (cuz even though I'm a cannuck, I deal a lot with americans...).

Phil wasn't the only one going through the hell. Daniel Bernstein had a similar experience. They both had quite a few supporters along the way too, so lets not forget about them.

Tom

Mt. Rushmore - Encryption Style

[diersing]

Zimmerman - Rivest - Shamir - Adleman

Hopefully somewhere (prolly MIT) there are statue to these guys. Pioneers. Legends.

Re:

[diersing]

Seconded

Re:

[mikefoley]

At the risk of wiping out all my good Karma....

Callas is not a jerk. He's a personal friend of mine from the VMS days. I saw him a few weeks ago at the RSA Conference in Europe. I don't know what your beef is, but it's obviously something childish. Jon is a nice guy. Always has been, always will.

Re:

[tomstdenis]

At my first Toorcon talk he was rude and disruptive when I mentioned that PGP had bugs in various incarnations (it was a talk on cryptanalysis, I was trying to make the point that even the big boys fall). He claims there was never a problem with the ADK, he proceeded to lecture me, DURING MY TALK, about how ADK was/is perfectly fine.

During my talk I didn't have net access, so I let him rant in order to save some grace, but afterwards I found the CERT advisory for the bug and I emailed him. He never replie

it's too bad...

[technicalandsocial]

It's too bad after 15 years, probably > one percent of internet users have even used it, or any of its OpenPGP standard derivatives (GnuPG) for example. Sort of like the NSA telephone spying fiasco this year in the U.S, you know the various bureacracies are watching all the packets they can. If you want privacy, now is the time to take control of your own. Encrypt your emails and files, IPSEC, SSH, HTTPS wherever possible, and demand it where it is not yet available for you.

Re:it's too bad...

[SEAL]

While your points are on-target, it is easy to forget how much the U.S. government locked down encryption prior to Phil's efforts. We take for granted being able to make purchases over a 128-bit encrypted connection with SSL-enabled webbrowsers. Secure global e-commerce is a direct result of political change brought around by Phil Zimmerman.

So even though use of PGP / GPG have not penetrated the mainstream, there were other beneficial aspects of its existence.

Re:

[Penguinshit]

Don't forget to use OTR [cypherpunks.ca] for your GAIM [sourceforge.net] sessions...

Re:

[XMyth]

Or better yet, Psi [affinix.com] with OpenPGP support.

Not too bad

[Anonymous Coward]

Don't forget that ssh, https, et. al., came years after PGP. What PGP did was to break the legal water for everything else. Nobody had ever heard of public key cryptography, let alone the fact that the government was trying to ban it, before PGP came out. Once it was out, suddenly it was an issue.

And after the battles to preserve it were over, the way was quite safe for the networking protocols to hit, and expand, in the mainstream.

So, while I agree with you that it is too bad that it isn't more widespread,

But...

[Mikhail Bakunin]

does it still need Mom and Dad's permission to travel?

thawte offers free x.509 certificates . . .

[rbannon]

I believe thawte [thawte.com] offers a viable and professional alternative to PGP. If you're in the NYC area, please visit my site [blogspot.com] dedicated to notarizing thawte personal certificates. It's easier than you think, and transparent for most users.

Re:

[canuck57]

I believe thawte offers a viable and professional alternative to PGP.

Open up your IE browser, Internet Options->Content->Certificates and then click on the intermediate and root trusted authorities. Each of these you must trust. Further, another weak point, someone else has the keys that can gerate other keys to spoof domains.

Rememeber, there are devices that can do SSL in the middle. Don't believe me, see http://www.bluecoat.com/downloads/support/BCS_tb_ r everse_proxy_with_SSL.pdf [bluecoat.com] Your best d

Re:

[Jaime2]

Sure, SSL in the middle is possible, but you need a properly signed certificate to set it up. It can't be used for man-in-the-middle attacks unless the CA or the certificate are compromised. Essentially, you are just moving the secure communication endpoint.

As for the big list of pre-trusted CAs, just remove the ones you don't trust.

PGP may be more secure for point to point, but shared secret or one-time pad is even better. If all you want is secure communications with someone you already have a rela

Re:

[SanityInAnarchy]

As for the big list of pre-trusted CAs, just remove the ones you don't trust.

And suddenly, I can't visit any https URLs except my own.

Really, the PGP concept of "trust" is important. There are multiple levels of trust, from simply "I trust that this key actually belongs to this person" to "I fully trust this person to be competent at signing keys, and will trust any key they sign"...

Generally, trust is earned, based on experience. Really, what has Thawte, VeriSign, or any other root CA done to earn my tru

Re:

[dubonbacon]

Your link doesn't say anything about an SSL man in the middle attack. It's just an SSL reverse Proxy for a Web server. You can set this up with properly configured apache modules.

Re:

[Beryllium Sphere(tm)]

Not to mention (Bruce Schneier may have been the first to publish about this):

What guarantees the integrity of IE's list of trusted root certificate authorities? In other words, what stops a piece of malware from installing its own public key as an ultimately trusted one?

Hint: they're stored in the registry.

Too bad it isn't better integrated into things

[Soong]

Once upon a time I generated a key, and discovered there was no one around to swap keys with. My best guess is that it has never been common enough or easy enough to get started. It needs to be as easy as hitting send on an email, automatically sign it, and if the recipient is known to have a key then encrypt it to them. I could be bothered to go through some hassle to get this going, but I think most people don't care enough and probably most of their email doesn't matter enough to bother with encrypting or signing. I still wish it was more common though.

chicken or egg

[chocolatetrumpet]

It's sort of a chicken and egg problem (why should I bother to encrypt *my* email if there is no one to exchange it with?), and the answer is definitely integration. Imagine if gmail integrated PGP - we'd suddenly have a whole bunch of PGP users to exchange messages with.

I know there are sites like hushmail.com but we need to get an existing userbase setup with encryption, and everything has to be automatic.

Unfortunately, I'm in no position to organize such a thing.

Re:

[Asztal_]

I suppose we could just keep sending them garbage that looks like encrypted email until they give in and get enigmail [mozdev.org] or whatever. ;-)

The demand for theoretically solid security

[Beryllium Sphere(tm)]

This point isn't original with me. Ian Griggs, and probably others, have been making it for years. (I'm not even sure I agree).

The use case you want is prevented by existing public key systems. They consider it insecure because there wouldn't be any proof that you were really encrypting to your friend's public key, as opposed to a public key belonging to whoever is wiretapping you. Hence the whole need for directory systems, trust systems, signers and "CA"s (signers you don't know but who are supposed to do

Maybe Google needs to kick start things

[NotQuiteReal]

Once upon a time I generated a key, and discovered there was no one around to swap keys with.

That is exactly the issue. Most people have pretty boring lives, and don't need encryption. While many of us could make at least a business case that it would be a good thing to encrypt our mail, at the end of the day, expedient convenience wins out over The Right Thing.

Until strong encryption is seemlessly and effortlessly incorporated for a critical mass of users, it isn't going to happen.

This is where you n

Gmail and encryption

[metamatic]

I'd love it if Gmail supported S/MIME.

Thunderbird, OS X Mail, Lotus Notes, Exchange and Outlook all support S/MIME out of the box. If we could get webmail users using it, we might have a chance to get other people using it.

Webmail has problems (but should do it anyway)

[Sloppy]

I'd love it if Gmail supported S/MIME.

The problem with webmail, is that encryption will never (can never) be trustworthy, since it needs to be implemented on the server, rather than on the user's trusted, known-uncompromised workstation. No one would ever really be able to rely on gmail's security.

On the other hand, there are some good reasons that they should do it, anyway.

First of all, we have to remember that a lot of users don't really have workstations that they know are safe. Sure Google (or s

Re:

[metamatic]

The problem with webmail, is that encryption will never (can never) be trustworthy, since it needs to be implemented on the server, rather than on the user's trusted, known-uncompromised workstation. [...] the very fact that companies like Symantec and McAfee are in business, suggest that millions of users can't even trust a computer inside their own house to not be compromised [...]

Which kinda undermines your first point.

I suspect that the average webmail user's workstation is (as you suggest) a virus

Re:

[mortonda]

It needs to be as easy as hitting send on an email, automatically sign it, and if the recipient is known to have a key then encrypt it to them.

You obviously haven't tried lately.

Both Enigmail for Thunderbird and also the mail client for OSX have pgp and key management built in. They have methods for downloading, signing and uploading keys to the key servers. I've been signing my email for years, very automatically. Also, the few individuals that have keys get their email encrypted automatically. It's v

GPG not integrated into Mail by default.

[Kadin2048]

Just a small correction. The Mail client for OS X (aka "Apple Mail" or whatever you want to call it) doesn't have PGP capabilities built in.

It has some S/MIME capabilities built in (and almost totally undocumented, as far as I can tell, and it's a bit of a bear to set up), but to get anything related to PGP, you need to install the excellent set of plugins from Sente, called GPGMail [sente.ch]. It is basically an interface between Apple Mail, and the CLI gpg tools.

It relies on some undocumented and unsupported APIs in

Re:

[mortonda]

I had forgotten how I installed gpg on my mac... but I've been using it almost as long as I've had this MBP. Haven't had any problem with the pgp stuff.

The only problem I've had is with the IMAP client not seeing new messages in various folders. I have to go upstairs to my workstation to get an accurate view of my new email. :(

Re:

[SanityInAnarchy]

Once upon a time I generated a key, and discovered there was no one around to swap keys with.

You do send email, right? When people ask you about that funny little attachment to all your emails, explain PGP to them and help them generate their own key. As long as they understand that the public key must be securely verified, most people (even nontechnical people) do alright with the concept.

It needs to be as easy as hitting send on an email, automatically sign it, and if the recipient is known to have a ke

you've given up? too hard?

[fantomas]

"Personally, I've given up"

Indeed, it's just too much trouble, which show you and I both agree with the parent to your post. It's one thing being a highly competent email user and setting your own PGP up, but can we really be bothered setting up all our friends, work colleagues and family? I can't. And why don't they set up PGP? Because it's too much work and too difficult for the average user.

As one of the parent posts noted, the same people understand and happily use secure payment methods over the web. S

Not too hard, just too much apathy

[SanityInAnarchy]

My family is perfectly capable of understanding and using PGP. The problem is, like many people, they just don't think it's worth it. On an intellectual level, they understand how risky it is, but they live in a town so small and friendly you hardly have to lock your doors at night. It's that disease of saying "I'm not important enough, don't these kinds of things happen to Other People?"

I'd set it up for them, taking care of #2 -- I wouldn't mind setting up all my friends, work colleagues, and family -- bu

Re:

[maxume]

Yeah, I'll try again when one of my brothers demands it.

It needs to get into web browsers

[Sloppy]

If a popular web browser, such as Mozilla, were to implement both x509 certs and PGP certs for encrypted/authenticated connections (using GNU TLS or something like it), that would be a damn good start.

Speaking of PGP...

[FooAtWFU]

... can anyone recommend any good Windows XP PGP/GPG-type tools? You used to be able to download a little cute PGP program as freeware to sit in your tray, hold your key, and encrypt/decrypt a window or the clipboard. Now all I can find like that is WinPT, and while it's serviceable for me, it's also incredibly ugly and not very refined, and is confusing by comparison. Gak! You can still download the old PGP freeware versions but they refuse to run on WinXP - there's just a 30-day trial out there now.

If there's one thing that annoys me it's when a program disappears like that...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[billstclair]

The free trial is also hard to find, likely intentionally so.

http://www.pgp.com/downloads/desktoptrial2.php [pgp.com]

It's fully functional for 30 days, then falls back to the functionality of the old PGP Freeware product, i.e. you can encrypt and decrypt files, windows, and the clipboard, and you can create, import, and manage keys.

Re:

[scott_karana]

Hey, you can export and sign too. I'd hate using a program that didn't let me do that.

GPG+Enigmail.

[SanityInAnarchy]

Not easy to setup, granted, but it's free, it does what you want, and it's actually pretty easy to use.

GPGShell

[Quizo69]

I use GPGShell:

http://www.jumaros.de/rsoft/index.html [jumaros.de]

It requires GnuPG to be installed as well so it's effectively a two part installer, but it works fine and does most of what you ask (it's still not the easiest GUI when it comes to paths but better than WinPT).

HTH

Re:

[XMyth]

Enigmail for Thunderbird has others have mentioned

And also, Gpg4Win [gpg4win.org] as no one else has mentioned. Very nice package...with a tray icon for encrypting/decrypting. Installs a shell extension for explorer too. Fantastic setup.

The title is wrong. Quit perpetuating the myth

[Anonymous Coward]

Jeez, will this fairy tail never end? Phil NEVER released PGP. Crap, I was there and I remember it. Phil had to be browbeaten and bribed to give up the software (for which he had already been paid to develop).

There were two people who were hauled up in front of the Federal Grand Jury. Phil was one. Kelly Goen was the other. It was Kelly who paid Phil, who researched the law (so that the release could be done legally) and who had been pushing for developing public key cryptography for years before he ever met Phil. And it was Kelly who had the guts to do the actual release. Phil thought he was completely safe at the time (and legally speaking he probably was, not that innocence has ever stopped the Feds before).

If you want to search, you might be able to find the original Jim Warren articles in Microtimes around, who Kelly kept in touch with during the actual release. Jim thought Kelly was paranoid as hell until the FBI showed up on his door, and he wrote at least one article about it.

For your amusement, Kelly went around the San Francisco Bay area with an old acoustic coupler modem to various pay phones and would upload it onto a different server. Then he'd call Jim to tell him where it was at, in case something happened to him. He was under the impression that the single best thing the NSA could do was to knock him off before he put it on those servers. Looking back at it now, he was quite right.

And no, this isn't being posted by Kelly. Just someone else who was there at the time.

So please, get your facts straight and give Kelly some credit while he's still alive. Thanks.

For the history files

[Beryllium Sphere(tm)]

I don't know enough to say who's right, but here's Phil Zimmermann's acount of PGP history [lwn.net]. Also check out Adam Back's PGP timeline [cypherspace.org], which he warns is probably inaccurate. Microtimes columnist's recollections of PGP history [boogieonline.com].

Re:

[Niten]

Here's a copy of Jim Warren's article [google.com], for anyone interested.

15 years

[papasui]

and still almost nobody uses it. There's a real trade off between security and convince. How many people do you think would use SSL if they had to download a separate program beyond the web browser and setup certificates to support it? Probably about 10% of the general internet population, and those would be the ones who realized their credit card numbers weren't be passed encrypted. General rule of thumb.. If it's not (relatively) easy for the end user it will never become popular.

Re:

[cysurfer]

I used it 63,000+ times last month alone (automated of course). While PGP may not be very popular for the individual user, it is commonly used in the corporate world.

63000 encrypted transfers

0 unencrypted transfers

Keeping my butt out of trouble, PRICELESS

It's.........

[stunt_penguin]

a good thing Larry David was busy on other projects (and isn't a famous cryptographer on the side) otherwise the project may have been dubbed PPPPPPPGP, with the first couple of Ps in italics, probably. [youtube.com]

Sosumi, Sir Paul!

[Chris Tucker]

"When I find myself in times of trouble, PRZ, he comes to me, speaking words of wisdom, 'PGP, PGP!'"

PGP didnt Invent RSA encryption

[EEPROMS]

I remember watching an English documentary about 5 or so years ago on the history of encryption and cyphers. One thing I remember was how the RSA public and private key encryption wasn't invented by PGP even though they were awarded a patent , it was invented by an english researcher while working for one of the many U.K government secret service shadow projects at the time. The UK security services have been using RSA encryption for many years before PGP ever figured it out but wouldn't admit to this fact

Re:

[cryptoguy]

you are confusing the peope behind RSA (Ron Rivest, Adi Shamir, and Leonard Adleman) with PGP. Phil Z did not invent any algorithms (well, except for Bass-O-Matic). He just was the first to make an implementation that became publicly available.

PGP popularized RSA encryption

[Sloppy]

RSA has(had) the patent on RSA public key encryption. PGP was just the first to popularize it, and make it easy for people to use it. And, in fact, not having the patent (on both RSA PK and also IDEA symmetric) is what caused PGP to later switch to ElGamal and 3DES, so that those are now part of the OpenPGP standard whereas RSA and IDEA are deprecated and fading into disuse, despite the fact that the RSA patent finally expired. (Yet Another Example of math patents doing the exact opposite of promoting th

Re:

[jlockard]

Nope, RSA Security was awarded the patent. PGP implemented RSA in their code (as well as Diffie-Hellman (DH), but had no hand in developing the encryption. Also the UK security services used something similar to RSA, basically the same idea, different implementation, but could probably have been covered under the same patent language.

Key to the problem

[ToeSide]

PGP suffers because of remarkably poor nomenclature. The terms "public key" and "key pair" lend less than zero towards understanding the simple concept of how these objects are involved with encrypting and decrypting messages.

I've supported applications that use PGP for almost 9 years, and the number of times I must explain and re-explain how PGP keys work is just sad. In fact, there is one PGP administrator who methodically signs and distributes, every month, his company's latest public key *and* key pai

Because they're not.

[SanityInAnarchy]

When signing, in fact, the exact opposite happens.

Public and private isn't too bad, it's just that no one ever, EVER bothers to learn them. I mean, come on, if people can learn words like "clutch", "gearshift", "ignition", and so on, why can't they understand that the PUBLIC key is what you send to everyone, and the PRIVATE key is what you don't even share with your lover?

Re:

[pinchhazard]

oh, share it with your lover. just don't WRITE it on her. people may see what's written on your hand and throw off your whole privacy scheme.

Re:

[kwark]

"Why, oh why, didn't Phil just call them "encoders" and "decoders?"

Would that be because the "encoder" used for encryption is the "decoder" used for signing?

GnuPG 2 is released

[beat.bolli]

Maybe it should be noted in this context that GnuPG 2 has been released [gnupg.org] recently. No longer a monolithic application, it includes tools for key and passphrase caching, smart card support, configuration, certificate revocation list and LDAP support and more. Thanks to Werner Koch et al for keeping developing this valuable tool.

The first step...

[Kjella]

...would be to say "My e-mail server, my key server". Use SSL certs or whatever to verify that you're talking to a legitimate server, and a way to connect securely to request a key is a must. I presume it's quite feasible to verify that you're talking to a legitimiate @domain.com server when trying to get the public key for a @domain.com address. So if I have a yahoo.com address, you can ask SMTP server "PUBK name@yahoo.com" and get either "no keys, sorry" or "uploaded key follows". Your email client should

Inappropriate PGP usage: my sin.

[dotmax]

In the early 90s i spent (way too much of) my energy in the marijuana movement. Not wholly surprisingly, i got a little paranoid about marajuana-movement organizations' mailing lists being confiscated in various busts around the country.

So i relentlessly harangued a national organization to distribute a windows/DOS/Mac PGP release to all of their chapters.

I felt pretty good about it until i got a call from someone in another state:

        "duuuude. i forgot my passphrase..."

How did you do that?

          "we were rilly baked ..."

i've always wondered how much damage i did to the marijuana movement by handing a bunch of stoners a tool that required memorizing a passphrase...

my bad!

Re:

[Lord Kano]

i've always wondered how much damage i did to the marijuana movement by handing a bunch of stoners a tool that required memorizing a passphrase...

I'm sure that "the man" appreciates your help.

LK

Re:

[account_deleted]

Comment removed based on user account deletion

Ideas

[matt me]

Everyone here is talking about PGP encrypted mail.

I know there's problems with security legislation in the USA, and it's patented/restricted somehow. I would use gnupg for email if I had anyone to use it with. I only come across it in signed software.

Do you think signed/encrypted mail has a part to play in the new email? Email as we have it is WANK, with all the spam and shit. Something needs to be done. Perhaps a system could really on signing email with a unique key from a sender. Then there's an delocali

Re:

[Anonymous Coward]

Actually it should read

"Are you GAY?
Are you a NIGGER?
Are you a GAY NIGGER?
Are you a member of the GNAA?

If you answered "Yes" to all of the above questions, you should go find a cliff or a bridge somewhere, then take your entire fucktarded family. Have all of them jump off to their deaths, and after that jump to yours. Then there will be less fucktards in the gene pool."

Re:

[Lord Kano]

All the musicians you liked then are 15 years older, and lost their hair (like you).

Bitch, I have more hair now than I did 15 years ago.

LK