what is GPG's #1 objective: security or anti-patent stance ( Re: on the state of PGP compatibility (2nd try))

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Apr 4 05:27:43 EST 2002


Adam Back <adam at cypherspace.org> writes:

>Back in the days of pgp2.x I used to receive and send a fair proportion of
>mail encrypted with pgp; these days it is a much lower proportion, and a
>rather high proportion of those fail.  It's not like I'm using old software or
>failing to try what is reasonable to get messages to work.  Even with my
>fairly complete collection of PGP versions you saw the results.  Imagine how
>much worse it will be between people who do not upgrade frequently or take
>such defensive strategies.  So you say upgrade already.  However as I think I
>have demonstrated, I follow this strategy myself and as you can see it doesn't
>work either.

I've been in a similar situation.  Back when I was fighting our government over
crypto export controls, it was sometimes necessary to talk to journalists in a
manner which didn't give the spooks a week's advance notice about something
which they shouldn't have known about until they opened the morning paper.
This was in the days of PGP 5.x.  Some of the people I was talking with were
pretty patient, and often put up with multiple iterations of neither side being
able to decrypt the other's messages, but eventually the choice came down to
giving the opposition advance notice or not having the story published at all,
and there's really not much choice there.

Now substitute "human rights group" for "journalist" and "secret police" for
"spooks" and you can see why this is a problem.  Non-commercial PGP has always
been by geeks, for geeks, with features more important than minor
considerations like usability.  Who cares if there are 146 semi-documented,
vaguely-defined command-line options, look at the algorithm choices!  If you
want to use some obscure hash algorithm which was fashionable for 2 months in
1997, you can, and who cares if it takes you half an hour, the FAQ, the
manpage, and an online search to figure out how to encrypt a file?

That's why non-commercial crypto will always struggle to find mainstream
acceptance.  Doing the crypto engine is (relatively) easy, and fun, and there
are lots of people willing to help.  Doing the UI components is dreary and
boring, and no-one is interested because they've just spotted a hash algorithm
published in the Journal of the Bratislavian Philological Society in 1978 which
they urgently need to add support for.

(Although I don't use Windows mailers, I've heard nice things about The Bat,
 http://www.ritlabs.com/the_bat/features.html, which has built-in PGP support.
 Apparently at some point Pegasus Mail, http://www.pmail.com, will have built-
 in PGP and S/MIME support as well).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com


