On Thu, Jul 20, 2000 at 07:03:50PM -0700, Salzman, Noah wrote:
> First,
> The Unix flavors of PGP E-Business Server 7.0 (fancy name for Command Line,
> fancy price too) will support the creation of _Windows-based_ SDAs.  PGP 7
> is "due out in the near future."
> 
> The classic example of the request we get is "we generate our customer's
> billing statements on Solaris/AIX/HP-UX and we want to encrypt the files
> using PGP and then email them to the customer... but we don't want our
> customers to have to install PGP on their Windows machine." 
> 
> [So you just feel comfortable training people's users to run
> executables they get from potentially untrusted sources over the net,
> eh? Are you really helping anyone's security here?
> 
> Am I the only person left on earth who finds "self-extracting" bundles
> to be a menace to security? --Perry]

No, we all think that it's dumb.  But it makes users who don't
know how anything works feel better if it's "encrypted".
Never mind that there's no more security than sending it in the clear.
If it says "encrypted" and has a pretty graphic of a lock or a key on
it, it must be secure, right?


> SDAs may not be desirable by the linux-leaning crypto-savvy folks on this
> list, but there is a market for SDAs amongst the unwashed masses using
> millions of Windows-only PCs.

Why not send them a SDA that contains a copy of PGP, installs it,
generates a key for the user, posts it to a keyserver, sets up the
correct MIME content-type hooks in the user's browser, and then send
them the real PGP-encrypted file 10 minutes later when they're equipped
to deal with it?

It's still not secure, but it's a lot less insecure than a SDA.

-- 
  Eric Murray http://www.lne.com/ericm  ericm at lne.com  PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards. 
