-- What email encryption is actually in use? When I get a PGP encrypted message, I usually cannot read it -- it is sent to my dud key or something somehow goes wrong. When I send a PGP encrypted message in reply, stating the problem, I seldom receive an answer, suggesting that the recipient cannot decrypt my message either. Kong encrypted messages usually work, because there is only one version of the program, and key management is damn near non existent by design, since my experience as key manager for various companies shows that in practice keys just do not get managed. After I release the next upgrade, doubtless fewer messages will work.
The most widely deployed encryption is of course that which is in outlook -- which we now know to be broken, since impersonation is trivial, making it fortunate that seemingly no one uses it. Repeating the question, so that it does not get lost in the rant. To the extent that real people are using digitally signed and or encrypted messages for real purposes, what is the dominant technology, or is use so sporadic that no network effect is functioning, so nothing can be said to be dominant? The chief barrier to use of outlook's email encryption, aside from the fact that is broken, is the intolerable cost and inconvenience of certificate management. We have tools to construct any certificates we damn well please, though the root signatures will not be recognized unless the user chooses to put them in. Is it practical for a particular group, for example a corporation or a conspiracy, to whip up its own damned root certificate, without buggering around with verisign? (Of course fixing Microsoft's design errors is never useful, since they will rebreak their products in new ways that are more ingenious and harder to fix.) I intended to sign this using Network Associates command line pgp, only to discover that pgp -sa file produced unintellible gibberish, that could only be made sense of by pgp, so that no one would be able to read it without first checking my signature. I suggest that network associates should have hired me as UI design manager, or failing, that, hired the dog from down the street as UI design manager. Presumably the theory underlying this brilliant design decision was that in the bad old days, a file produced under unix woudl not verify under windows because of trivial differences such as the fact the whitespace is expressed slightly differently. Here is a better fix, one that I implemented in Kong: Define several signature types with the default signature type ignoring those aspects of the message that are difficult for the user to notice, so that if a message looks pretty much the same to the user, it has the same signature, by, for example, canonicalizing whitespace and single line breaks, and treating the hard space (0xA0) the same as the soft space. (0x20), and so on and so forth. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG OmUO5eB/pLnuFIgCU2splCvKO4x0U1Ik31pVFPaU 49B5UrVKc5ETzoxGcfl+q9ltoh61l4ncSyE+R5h6P