GNU Privacy Guard (GPG) PGP Alternative
Scrub writes "The GNU Privacy Guard (GPG) 1.0.0 has been released. GPG is intended to be a free replacement for PGP. The good thing about it is that it doesn't make any use of patented algorithms and that its development was outside the US. US crypto-laws just don't apply here, what a pity!"
Can we piss off the NSA anymore? (Score:1)
The US government considers crypto to be a form of munition, albeit not a very deadly munition, but a munition nonetheless.
Now that everyone has the right to poke around in the sources for this kewl crypto system the US government should think twice about its ongoing push to create back doors in the various crypto systems developed inside the country. I mean, if everyone has the code, how are they going to hide a backdoor entry? We all know the answer to that question: they can't!! Yippy!!!
Now what needs to happen, or may already be happening(?), is to port the sources to other operating systems. Yes...yes, even the nasty old Windows operating system too. Once this happens to a good number of OS's it will become a standard crypt system and no government will be able to snoop around in your data.
Well, guess it's time to start porting the sources over to my preferred OS, the BeOS. Let me just say thanks to the nice people who hate the government as much as I do for making this possible. You're sooo kewl!!!
-Diz
Re:PKP Patent (Score:1)
(GPG,PGP) How often do you change your underwear? (Score:5)
When I considered my first public key, I kinda thought I'd use it forever.
Reading about the GPG replacement for PGP, my first thoughts were
GPG Works Great with (Score:1)
It is also smoothly interoperable with the Network Associates "Desktop PGP" product, which is a clever little windows program that lives in your task bar, and thus makes life easy for the users.
Now if I could just get them to stop taping the passwords to their monitors!
My only complaint is that it's not option compatible with PGP.
I'm very impressed. Question though: I thought that PKP had a patent on the very notion of Public Key encryption, regardless of the actual algorithm. Can someone clarify this for me?
Thanks,
Loopy
Re:Option Compatibility (Score:2)
US citizens *do* need a license to export crypto (Score:2)
I don't think your advice on 3DES is terribly clearly thought out, but that's an article for another time: 3DES is perfectly good as you say.
--
Re:Pipes are not crypto API's (Score:1)
Now I have a question. If I make an API that makes it easy to use any kind of plugin, including a crypto plugin, am I safe?
--
Re:Paranoia & Silly Export laws (Score:1)
I can think of several reasons:
That's not counting local-system use, like ensuring that even if a cracker gets on my local system he can't read the spreadsheet containing my bank account details.
plug: Using GPG with Pine (Score:1)
Yes, I know mutt has a good interface also, but Pine is also a decent mailer, and a lot of people use it, so I support it.
US Export laws (Score:2)
#define MAX_BITS 4096
So that if you wanted to get thru US customs you could just change this to 40? (And of course change it back before you arrive at your destination ;-) )
Re:(GPG,PGP) How often do you change your underwea (Score:1)
Public Key algorithms is nice but not perfect (Score:1)
I do it myself... because only really hardcore privacy advocates use encryption it isn't practical to encrypt anything other than the most extremely top secret stuff (thus branding it: "THIS IS A SECRET MAIL"... not so clever)
What do we need to make e-mail encryption a hit?
Oh well...
Re:Just to dispel a few honest mistakes people mad (Score:1)
As you point out though, all the symmetric cyphers are 'good enough'.
Daniel
Mailer (and other apps) integrations issues (Score:3)
As evidenced in the Mozilla Crypto FAQ [mozilla.org] any program that is designed to call crypto plugins (a.k.a Crypto with "holes") comes under the same export restrictions as crypto, regardless of if the program uses crypto. This would mean that, technically, if you want to add GPG support to YFM (Your favourite Mailer) then just by the addition of GPG compatibility, YFM has fallen under the US export laws, and US citizens have a lot of trouble to try and work on it.
For those of you that noted it, this was the basis of the Microsoft crypto function that caused so much hassle of late. Technically, Windows with the crypto API (even with no "crypto") is "crypto with holes" and falls under export restrictions. To get around this, MS agreed to restrict the loading of crypto modules that they themselves signed (hence the need for the MS key). So this "loading restricted crypto with holes" was allowed to be exported without restrictions.
AFAIK, the only restriction to the export of "crypto with holes" is if the API can only be used for verification, but for GPG to be useful for its full range, it needs encryption also. Hence, any program that integrates it fully, would be subject to restrictions.
So, to add GPG to "Your favourite mailer", it would split the development into several camps. One, maintaining the original email program as a base and others (maybe US and non-US) adding the crypto API's. This would add work of course, and in many cases would be dropped because the only version that could be worked on globally (which the open source model is) would be the original version. Thus, the export laws naturally make the work gravitate towards the non-gpg version. Funny that.
--
US Export Laws (Score:2)
"The future is already here,
it's just not evenly distributed yet"
Usability of Security (Score:2)
It shows that A LOT of improvement is needed to make PGP-like security usable for the average user.
Klaus
you may need your privacy more than you think (Score:1)
--
Just to dispel a few honest mistakes people made.. (Score:5)
Pipes are not crypto API's (Score:1)
Now we clearly see that cat(1) and mail(1) are not exportable. All Linux developers in the US go to jail. Or something
Not quite. The export laws apply to programs with crypto api's, i.e. api's that are designed for use in such ways. It does not cover general usage cases (or else every exe that uses DLL's could be restricted).
For example, case 1. A mailer could quite legally have a function SpellCheckAndSend which calls an external spell checker on the message and sends the message. Could someone replace ispell with pgp? Yes. Does this make the mailer crypto with holes? No.
Case 2. A mailer adds an interface with pgp/gpg and if the message is marked as such, before sending it calls EncryptOnlyForReaders which calls an external pgp/gpg program. Is there crypto in the mailer? No. Does this make the mailer crypto with holes? Yep.
IANAL, of course, but this is the way I see the crypto laws with plugins working. In some ways it's very much like the Demon libel suit, and their follow up actions, that deemed a link to a defamatory article was itself defamatory.
In other words, the attitude is: Action A is against the law. If you do Action B, which deliberately makes Action A easier to do, then you are also breaking the law.
--
pgp vs gpg (Score:1)
I wonder how secure this stuff can be?
Re:Just to dispel a few honest mistakes people mad (Score:2)
Re:GPG Works Great with (Score:1)
Migrating from PGP to GPG (Score:4)
Check out the Moving from PGP to GPG [technocage.com] guide. It will show you how to move pgp5 keys to gpg for exchanging encrypted messages with people using pgp5.
Re:PGP Compatibility (Score:1)
It can interoperate with PGP5/6 users as long as they use DH/DSS keys and the associated default symmetric encryption (3DES or CAST128?).
See the GNUPG Homepage [gnupg.org] for more info.
Re:The Wassenaar Arrangement (just as bad as US la (Score:1)
Since GNU PG is freely downloadable, it's exempt from the Wassenaar rules. (Of course, Janet Reno's ticked about this loophole and has been trying to get it closed for the past couple weeks, but so far has been unsuccessful.)
Remailers?? (Score:1)
Are any of the anonymous remailers using keys that can be used by gpg? The ones that I downloaded tonight are all RSA-type keys.
Re:Public Key algorithms is nice but not perfect (Score:1)
Paranoia & Silly Export laws (Score:1)
First, I can't really see the need for encryption for normal users.
Obviously, I wouldn't like my mail to be read by everybody, but fooling with encryption?
Nobody I know uses or has used encryption for their e-mail. (But well, none of them are Linux nerds.)
Resembles very much the giggle and whispering among the teenage girls that visit my 14 year old son.
Secondly, I have another silly example of the export laws in action.
A few years ago, I worked with implementing a new credit card service here in Sweden. It required the use of DES. We had bought an IBM S/88 non-stop computer for processing.
Then the fun started.
The software on the IBM was incomplete, in that the DES algorithm part could not be exported from the US!
Observe that it was the implementation which could not be exported.
The algorithm itself was public and perfectly available in document form.
So we just took the document and coded a DES encrypter/decrypter in less than a day.
Weird.
The Wassenaar Arrangement (just as bad as US laws) (Score:1)
Its full name is: The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
It's signed by 35 countries (including the US) and restricts the export of crypto-software and a lot of other things from all these countries.
If GPG is made in one of these countries you might get into trouble too.
Re:The Wassenaar Arrangement (just as bad as US la (Score:1)
Re:US Export Laws (Score:1)
to take credit for their work. If their names show up in a crypto package developed in Finland, the authorities in the US wouldn't have to decrypt their actual submission.
Alex.
Re:Mailer (and other apps) integrations issues (Score:1)
--
Re:I do know of something comparable for Linux (Score:1)
>gnupg 1.0.0 is available as an rpm in ftp://ftp.replay.com/pub/crypto/incoming/gnupg-1.0.0-1.i386.rpm
(2:37pm EDT 9-8-99)
This URL is already slashdotted/down.