Re: Babel (Re: on the state of PGP compatibility)
--
On 1 Apr 2002 at 8:49, Curt Smith wrote:
> And James, although the best standard may win, a lack of viable
> alternatives is unhealthy.

We have an oversupply, not an undersupply, of viable alternatives.

The reason for all the collisions and incompatibilities is feature creep, and the reason for feature creep is that people actually do want features.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
puD3/Kt5AL3eomyNNzJU/0wvAuptW67fqq98AG/6
4VLTXt8WDT7UcHmJFMp1U0RPw6cCIGB6KAQx/hD0V
Re: Babel (Re: on the state of PGP compatibility)
On Monday, April 1, 2002, at 12:09 PM, Marcel Popescu wrote:
>
> I advocate secure messaging using very strong public keys,
> in combination with moderately strong session keys.
>
> This prevents casual easedropping by unintended recipents,
> without jeapardizing national and international security.

Those who voluntarily use weak keys are seldom the persons sought by national governments.

So the issue is whether use of weak keys will be mandated by governments.

And for those who are (perhaps temporarily) of the frame of mind that the U.S. Government is not the Enemy, remember the very, very long list of governments and similar entities that have oppressed people.

It's useful to remember that the use of "moderately strong" (= weak) keys by freedom fighters in Burma, Rhodesia, Romania, the former and present USSR/whatever, and at many times in the past (and current) history of the U.S. would have exposed these freedom fighters to arrest, torture, imprisonment, and death.

Since I haven't published my "Enemies of the State" list in a while, here it is again:

(I sent this out about 10 days before 9/11, so the reference to UBL/OBL is perhaps ironic. Doesn't change a word of what I wrote, though.)

Many of those who have been quibbling about whether "freedom fighters" are terrorists, or whether Osama bin Laden is or is not a FF, etc., are MISSING THE BIG PICTURE.

Take the long view, the more agnostic view. Whether one likes the actions of bin Laden or Pablo Escobar or James Jesus Angleton is not the point. Privacy and untraceability tools will be used by many who are seeking to evade others. Some we are taught in American schools are heroes, some we are taught are villains.

Here's a list I distributed some years ago at a CFP Conference:

(the paper is still available at Prof. Froomkin's site, http://www.law.miami.edu/~froomkin/articles/tcmay.htm )

Appendix: Who are those Bad Guys, anyway?

Depending on which nation one is in, which regime is in power, and other factors, here are some of the enemies of the people the laws against strong crypto and the banning of digital cash are intended to crush:

Enemies of the People, the opposition party, the Resistance, friends of the Bad Guys, family members of the Bad Guys, conspirators, Jews, Catholics, Protestants, atheists, heretics, schismatics, heathens, leftists, rightists, poets, authors, Turks, Armenians, Scharansky, Solzhenitsyn, refuseniks, Chinese dissidents, students in front of tanks, Branch Davidians, Scientologists, Jesus, Gandhi, Nelson Mandela, African National Congress, UNITA, Thomas Jefferson, Patrick Henry, colonial rebels, patriots, Tories, Basque separatists, Algerian separatists, secessionists, abolitionists, John Brown, draft opponents, communists, godless jew commies, fellow travellers, traitors, capitalists, imperialist lackeys, capitalist roaders, anarchists, monarchists, Charlie Chaplin, Galileo, Joan of Arc, Martin Luther, Martin Luther King, Malcolm X, Stokely Carmichael, civil rights workers, Students for a Democratic Society, Weathermen, Margaret Sanger, birth control activists, abortionists, anti-abortionists, Michael Milken, Robert Vesco, Marc Rich, Nixon's Enemies, Hoover's enemies, Clinton's enemies, Craig Livingstone's high school enemies, Republicans, Democrats, labor organizers, corporate troublemakers, whistleblowers, smut peddlers, pornographers, readers of "Playboy," viewers of images of women whose faces are uncovered, Amateur Action, Jock Sturges, violators of the CDA, alt.fan.karla-homulka readers, Internet Casino customers, Scientologists, Rosicrucians, royalists, Jacobins, Hemlock Society activists, Jimmy Hoffa, John L. Lewis, Cesar Chavez, opponents of United Fruit, land reformers, Simon Bolivar, Robin Hood, Dennis Banks, American Indian Movement, Jack Anderson, Daniel Ellsberg, peace activists, Father Berrigan, Mormons, Joseph Smith, missionaries, Greenpeace, Animal Liberation Front, gypsies, diplomats, U.N. ambassadors, Randy Weaver, David Koresh, Ayatollah Khomeini, John Gotti, Papists, Ulstermen, IRA, Shining Path, militia members, tax protestors, Hindus, Sikhs, Lech Walesa, Polish labor movement, freedom fighters, revolutionaries, Ben Franklin, Thomas Paine, and "suspects".

--Tim May
"That government is best which governs not at all." --Henry David Thoreau
Re: Babel (Re: on the state of PGP compatibility)
From: "Curt Smith" <[EMAIL PROTECTED]>

> I am developing a free program and simple
> specification - http://www.opencrypto.com

Hmm... Delphi programmer. That's a plus :) The minus is in these lines (nevermind the typos, although this is your presentation page, so you could have used a spellchecker):

I advocate secure messaging using very strong public keys, in combination with moderately strong session keys.

This prevents casual easedropping by unintended recipents, without jeapardizing national and international security.

It is the best stategy to gain the acceptance of world governments and win the support of patriotic-minded citizens and corporations, thereby protecting free speech and privacy for the masses, as technology, business, and government erode anonymity.

I feel that the new U.S. cryptography regulations regarding distribution of open source cryptography are reasonable, and encourage cryptography programmers to support these rules and promote similar relaxed regulation internationally.
Re: Babel (Re: on the state of PGP compatibility)
sMIME will always be hampered by Certificate Authority issues.

PGP is large and complex. Version problems are bound to increase as some users will remain divided between PGPdesktop, PGPfreeware, and OpenPGP. Still others will want historic versions or ckt builds. Older versions are limited by key sizes and algorithm selections, while newer versions are prone to version problems.

Simple 3rd Party options are important and must always be available. I am developing a free program and simple specification - http://www.opencrypto.com - that integrates public key crypto into a basic SMTP program.

I agree with Tim that it is perhaps best to settle on a single asymmetric algorithm (RSA/DH/EC) and a single symmetric algorithm (3DES/AES/2FISH). Perhaps every 2 to 5 years the algorithms could be replaced or key lengths increased (if necessary), without adding an extensive feature or significant complexity.

And James, although the best standard may win, a lack of viable alternatives is unhealthy.

--- [EMAIL PROTECTED] wrote:
> On 31 Mar 2002 at 10:03, Tim May wrote:
> > And so now PGP (or GPG) use is utterly balkanized, utterly
> > useless.
> >
> > [...]
> >
> > Is there a solution? I would think that a "keep it simple,
> > stupid" strategy is needed: Forget the hooks into popular
> > mailers (Eudora, Outlook, Entourage), forget the "OS X
> > versions of GPG," forget the Red Hat, Mandrake, SuSE,
> > Windows XP, etc. versions.
>
> If PGP options have grown beyond human comprehension, perhaps
> everyone could use my software, which is as simple as you can
> get with a windows interface.
>
> http://www.echeque.com/Kong
>
> However, I predict that most people will wind up using
> RFC2440 (OpenPGP) compliant code.
>
> An RFC and source code is far from "utter balkanization" and
> utter uselessness.
>
> In due course, the best standard will win.
>
> --digsig
> James A. Donald
> 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
> uR++DP8NV5KuKFCaDraZEp6VTZQcmTqZI5aotgTD
> 4KXzf6dt2b3+U2MX665Iy8h+EFpHj6Vw0HKjMhvoy
Re: Babel (Re: on the state of PGP compatibility)
--
On 31 Mar 2002 at 10:03, Tim May wrote:
> And so now PGP (or GPG) use is utterly balkanized, utterly
> useless.
>
> [...]
>
> Is there a solution? I would think that a "keep it simple,
> stupid" strategy is needed: Forget the hooks into popular
> mailers (Eudora, Outlook, Entourage), forget the "OS X versions
> of GPG," forget the Red Hat, Mandrake, SuSE, Windows XP, etc.
> versions.

If PGP options have grown beyond human comprehension, perhaps everyone could use my software, which is as simple as you can get with a windows interface.

http://www.echeque.com/Kong

However, I predict that most people will wind up using RFC2440 (OpenPGP) compliant code.

An RFC and source code is far from "utter balkanization" and utter uselessness.

In due course, the best standard will win.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
uR++DP8NV5KuKFCaDraZEp6VTZQcmTqZI5aotgTD
4KXzf6dt2b3+U2MX665Iy8h+EFpHj6Vw0HKjMhvoy
Re: Babel (Re: on the state of PGP compatibility)
Tim writes:

> I used to think that most of the "Cypherpunks program" outlined in the
> first several meetings in 1992 was still unaccomplished, with only the
> most trivial of the building blocks available. Now not even those
> trivial building blocks are truly available, as Adam's rant so
> dramatically shows.

I use PGP 2.62, under DOS, on a machine not connected to the Net.

Just because Bloatware PGP for Bloatware OS is the latest version, doesn't mean one cannot use the reliable uncomplicated earlier versions.

And since Bloatware OS is the weak security link here, it really doesn't matter if you had a decent PGP to run on it, does it?

Later bad code does not make earlier good code unavailable.

--
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"
Babel (Re: on the state of PGP compatibility)
(All addresses except Cypherpunks elided.)

On Sunday, March 31, 2002, at 09:08 AM, Adam Back wrote:
> So I was trying to decrypt this stored mail sent to me by a GPG user,
> and lo pgp6.x failed to decrypt it.
>
> So I try an older gpg I had installed, and it fails because it doesn't
>
> So I go fetch GPG from www.gnupg.org, but it still doesn't contain
> ...
> So then I try pgp5.x but the binary is using dynamic libraries that
> So my last hope is pgp2.x, but some buggy pgp variant has left my
> So, for now, give up. I guess it's cheaper to just send the original
> author an email ask him if he remembers that idea he sent me 4 months
> ago and have him send me it in clear text to be sure!
>
> What a nightmare! Try that sequence on a novice user and they give up
> before they get past the first GPG faq with rant about algorithm
> patents.
>
> We've really got to do something about the compatibility problems.

A good rant/summary about the current Tower of Babel situation.

The beauty of the early days (perhaps two years) of early versions of PGP was that all versions basically interoperated well. Of course, people wanted more features, more integration with popular mail packages, more flexibility in choosing algorithms, and more compliance with the shifting sands of the patent world. Creeping feature-itus plus the perceived need to be "fully legal" added to the confusion.

(The fact that PGP became a commercial product added in many ways to the chaos and babelization. Others can speak to the exact reasons for this, but I would offer these: NAI's requirement that algorithms and patents be free of entanglements, the proliferation of new versions without full backward compatibility, the on again/off again availability of inexpensive personal use versions, and the "diaspora" of developers once they departed NAI. Very ironic that one of the main "Down with RSADSI--RSA should be free!" chants of the early years of PGP had to do with RSA allegedly charging too much for products like MailSafe. Hence the irony of the new exorbitant pricing structure for what's left of PGP.)

And so now PGP (or GPG) use is utterly balkanized, utterly useless.

I used to think that most of the "Cypherpunks program" outlined in the first several meetings in 1992 was still unaccomplished, with only the most trivial of the building blocks available. Now not even those trivial building blocks are truly available, as Adam's rant so dramatically shows.

Is there a solution? I would think that a "keep it simple, stupid" strategy is needed: Forget the hooks into popular mailers (Eudora, Outlook, Entourage), forget the "OS X versions of GPG," forget the Red Hat, Mandrake, SuSE, Windows XP, etc. versions.

Just concentrate on a simple engine, using the cleanest C code possible. Use utterly standard I/O. (I never minded cutting an encrypted message to the clipboard--something now available in all systems, I believe--and then decrypting the clipboard contents, etc. This meant there didn't need to be "Eudora 3.1" and "Outlook Express 2.5" versions.)

Drop the flexible palette of crypto algorithms. Get back to basics.

And release programs which don't have to be compiled by users!

Just some thoughts, from someone who no longer even tries to decrypt GPG or PGP or Bass-O-Matic messages sent to him.

--Tim May
"A complex system that works is invariably found to have evolved from a simple system that worked ...A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over, beginning with a working simple system." -- Grady Booch