Re: BSD licensed gnupg replacement question

2012-12-11 Thread Chris Cappuccio
Maximo Pech [mak...@gmail.com] wrote:
 
 I already knew an answer (not the only one) could be write it.
 

What others did you have in mind? Thank you for bringing the most important 
software project of modern time to our attention. We will now begin writing it 
for you. ???

  
   Do you have any idea how absurd this is?
 
 No I don't, if you don't mind please explain why that's absurd.
 
 That's completely subjective and also it is a problem that has more work
 behind than the problem I think there is with the non existence of bsd
 tools like gnupg on *base* not on ports and not openssl.
 

It's not subjective. It's history. SSH.COM became the standard for people who 
need to manage hundreds of thousands of keys with a rolled-out package. OpenSSH 
became the GOLD standard because EVERYONE ELSE uses it and it has a very high 
quality track record. I can only imagine that SSH was conceived as telnet + 
PGP. PGP was its own standard, improved and turned into a commercial product 
and now nobody even remembers exactly what it does. Do you use PGP? GnuPG?  
This part is subjective. How useful is PGP to you?

 What I say is simply that it would be cool if by default on the *base*
 system OpenBSD had a tool called opgp, opengp, puffypg or whatever, to
 encrypt files like gnupg does and I was wondering why it does not exist if
 OpenBSD cares a lot about cryptography.
 

OpenBSD's push was to more tightly integrate crypto into all parts of the 
system where it might prove to be useful. One big part of this is the inclusion 
of the OpenSSL package for userland apps. Another was the creation of OpenSSH. 
And another was the OCF which allows the kernel to use crypto in all manner of 
operations. And it does.

OpenBSD was really the first full free IPsec stack with a complete free OS and 
key management all working out of the box with photurisd and later isakmpd. It 
was more advanced, at the time. Along came OCF, which is the framework that other 
BSDs built on and improved for their kernel crypto subsystems. It was ported to 
linux as a significant improvement to their prior kernel crypto tools. OCF is 
no longer the last word. Processors now include direct crypto transforms, so 
this area is changing again. But nobody had a sane asynchronous framework for 
crypto performed in the kernel context (for disk, network, memory crypto 
operations) prior to OCF. These are major things that took lots of time and 
money, DoD funding even. And it was accomplished under the OpenBSD project, and 
crypto accelerator support was merged with OpenSSL and benefits everyone now, 
kernel and userland. That is why OpenBSD is proud of crypto. Not because we 
care about encrypting files. Although, you can use OpenSSL+OCF accelerators to
do that too, if you wish.

 Well, with the information you have given me so far, I think the answer is
 something like nobody has written it because we have more important things
 to do and nobody believes there is a real need for that. Am I right?

Yeah.

Essentially, if you wanted to clean up netpgp and port it over to take full 
advantage of openssl+OCF, that would fit right in the plan. But otherwise, 
you're missing the history here. Work done is driven by desire and finances. 
Just like everything else in life. The absurdity is in not understanding the 
magnitude at which OpenBSD attempted to integrate crypto into everyday computing 
life, just because the solution you imagined isn't part of the base52.tgz.



Re: BSD licensed gnupg replacement question

2012-12-11 Thread Kevin Chadwick
 1: I'm not sure there are no developers that would like to see this in
base, but they could have other priorities; wanting something not
necessarily means having (time) to do the work.  The important
difference is that you don't hear them.

I find gpg useful.

I think the main barrier would be that anything in base is audited to a
higher degree than ports so this would be a much larger commitment than
it may seem when much more appreciated things without alternatives like
KMS could be worked on.

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
___



Re: BSD licensed gnupg replacement question

2012-12-11 Thread Andrey Mitroshin
You can use S/MIME with openssl as alternative to PGP.

On Thu, Dec 06, 2012 at 01:10:17PM -0600, Maximo Pech wrote:
 It's incredible for me that OpenBSD, an operating system that claims to
 have integrated cryptography (yes I know that the cryptography is on the
 core OS layers)  doesn't have in the base system a tool like gnupg, and
 even more incredible, that there isn't a single production ready,
 gnupg-like, BSD licensed tool out there (I don't have the skills and time
 to program one myself).
 
 I'd like to know your thoughts about this.



Re: BSD licensed gnupg replacement question

2012-12-11 Thread Reyk Floeter
On Thu, Dec 6, 2012 at 8:36 PM, Dustin Fechner d...@hush.com wrote:
 On 12/06/2012 08:10 PM, Maximo Pech wrote:
 that there isn't a single production ready, gnupg-like, BSD licensed
 tool out there (I don't have the skills and time to program one
 myself).

 NetBSD has netpgp, which is BSD licensed:
 https://en.wikipedia.org/wiki/Netpgp


Actually, did anyone on this list ever have a deeper look at it or
compared it with GNUPG?

Reyk



Re: BSD licensed gnupg replacement question

2012-12-11 Thread Anthony J. Bentley
Reyk Floeter writes:
 On Thu, Dec 6, 2012 at 8:36 PM, Dustin Fechner d...@hush.com wrote:
  On 12/06/2012 08:10 PM, Maximo Pech wrote:
  that there isn't a single production ready, gnupg-like, BSD licensed
  tool out there (I don't have the skills and time to program one
  myself).
 
  NetBSD has netpgp, which is BSD licensed:
  https://en.wikipedia.org/wiki/Netpgp
 
 
 Actually, did anyone on this list ever have a deeper look at it or
 compared it with GNUPG?

http://marc.info/?l=openbsd-portsm=13538616225w=2



Re: BSD licensed gnupg replacement question

2012-12-10 Thread Maximo Pech
2012/12/9 Nico Kadel-Garcia nka...@gmail.com

 On Fri, Dec 7, 2012 at 4:24 PM, Chris Cappuccio ch...@nmedia.net wrote:
  Maximo Pech [mak...@gmail.com] wrote:
  I said I can't code that.
 
  If you already knew the answer was write it, then you asked the wrong
  question.


I already knew an answer (not the only one) could be write it.


 
  I know that gnupg is in the ports tree, but it
  just seems strange to me that it isn't on the base system, because for me
  it sounds logical that if one of the key points of openbsd is cryptography,
  it would have a bsd tool like gnupg. The netpgp thing looks very cool, I
  didn't know about it.
 
 
  Do you have any idea how absurd this is?
 


No I don't, if you don't mind please explain why that's absurd.


  So my question is why there isn't a tool like that on base, I'm asking out
  of curiosity, maybe some historical, reason, technical... I'm not trying to
  point this as a fault, I just want to understand better the fact that gnupg
  or a bsd licensed equivalent isn't in the base system.
 
 
  The original PGP program was mostly public domain. As time went on, it
  went to a highly restrictive license. GnuPG, and later, NetPGP represent
  the people who had desires to fix that problem. If you want to do it
  again, nobody will stop you.
 
  OpenSSH and OpenBSD IPsec represent the OpenBSD solutions to the quality
  and licensing problems in those areas. OpenSSH is still the gold
  standard, OCF/IPsec, maybe not. PGP worked, was public domain, encrypts
  files, and solved one problem. Network layer encryption is an entirely
  different, and for many, a much more important problem.


That's completely subjective and also it is a problem that has more work
behind than the problem I think there is with the non existence of bsd
tools like gnupg on *base* not on ports and not openssl.

What I say is simply that it would be cool if by default on the *base*
system OpenBSD had a tool called opgp, opengp, puffypg or whatever, to
encrypt files like gnupg does and I was wondering why it does not exist if
OpenBSD cares a lot about cryptography.

Well, with the information you have given me so far, I think the answer is
something like nobody has written it because we have more important things
to do and nobody believes there is a real need for that. Am I right?



Re: BSD licensed gnupg replacement question

2012-12-10 Thread Nick Holland
On 12/10/12 21:45, Maximo Pech wrote:
...
 Well, with the information you have given me so far, I think the answer is
 something like nobody has written it because we have more important things
 to do and nobody believes there is a real need for that. Am I right?
 

I have lived a long time and never used PGP, GNUpg, NetPGP...whatever on
my own systems.  Never had a reason to, never had the desire to.  Got a
task at work where this may be requested, and in that case, it's because
they are doing it wrong, trying to make e-mail into a secure
communications channel.  In my mind, e-mail is a non-secure
communications channel, and I'm not fond of trying to bolt-on gadgets to
make non-secure things look secure.

You seem to have a problem you expect all of us to have that requires a
PGP-equivalent  to solve.  Apparently, we don't all share this problem.
 You have not told us what this problem is you are trying to solve...but
in general, naming the tool rather than naming the problem you are
attempting to solve is bad process.

You are coming in as if you are trying to sound high-and-mighty and
pointing out what fools we are for not having (yet again) reinvented
your favorite tool in base.  You have yet to make a case for:
1) why such a tool should be in base, when obviously no developers seem
to think it should be.
2) why such a tool should be reinvented Yet Again, when there are
multiple varying degrees of free implementations out there already.
3) why you care.  What are you doing that could possibly be improved
drastically by a BSD-licensed PGP implementation in base?  In fact, your
question appears to misunderstand the /reason/ we would want a BSD
licensed anything in base -- it isn't over a my license is better than
your license pissing match, it's about what you could DO with that.
The GNU license on GNUpg puts limitations on your ability to modify and
redistribute it in a commercial product.  Being that PGP is sorta a
standardized product...do you want people distributing modified versions
of PGP?  anyone who has reason to do that will find plenty of crypto
libraries and tools in OpenBSD, they won't need to tear apart and
rebuild a PGP tool.

Yes, the OpenBSD project cares a lot about cryptography, but using it
where it makes sense using as few tools as possible to do it right.
Hey, why don't we have a crypto-ls?  It's really important!  What if
someone is looking over your shoulder when you do an 'ls'?

Nick.



Re: BSD licensed gnupg replacement question

2012-12-10 Thread Paul de Weerd
On Mon, Dec 10, 2012 at 10:20:08PM -0500, Nick Holland wrote:
| On 12/10/12 21:45, Maximo Pech wrote:
| ...
|  Well, with the information you have given me so far, I think the answer is
|  something like nobody has written it because we have more important things
|  to do and nobody believes there is a real need for that. Am I right?
|  
| 
| I have lived a long time and never used PGP, GNUpg, NetPGP...whatever on
| my own systems.  Never had a reason to, never had the desire to.  Got a
| task at work where this may be requested, and in that case, it's because
| they are doing it wrong, trying to make e-mail into a secure
| communications channel.  In my mind, e-mail is a non-secure
| communications channel, and I'm not fond of trying to bolt-on gadgets to
| make non-secure things look secure.

There's a fallacy here.  IP is a non-secure communications channel.
Using tools like IPsec or SSH can secure your communications over such
a non-secure channel.  There's nothing wrong with bolting that on
(well, it could be argued that ipsec is a layering violation, but
that's another subject entirely).

There's a use for tools like pgp - it solves secure communications in
a different way than ipsec/ssh do, for when your requirements are
different.

Also, pgp can be used for more than just e-mail (much like ssh can be
used for more than just 'secure remote logins'); don't dismiss a
solution because you've not run into a problem that's fixed by it yet.

| You seem to have a problem you expect all of us to have that requires a
| PGP-equivalent  to solve.  Apparently, we don't all share this problem.
|  You have not told us what this problem is you are trying to solve...but
| in general, naming the tool rather than naming the problem you are
| attempting to solve is bad process.

Well, in all honesty, I think the problem PGP solves is quite well
known and understood.  If ten years ago people asked 'is there SMP in
OpenBSD', you wouldn't have asked the same question, would you ?

| You are coming in as if you are trying to sound high-and-mighty and
| pointing out what fools we are for not having (yet again) reinvented
| your favorite tool in base.  You have yet to make a case for:
| 1) why such a tool should be in base, when obviously no developers seem
| to think it should be.
| 2) why such a tool should be reinvented Yet Again, when there are
| multiple varying degrees of free implementations out there already.
| 3) why you care.  What are you doing that could possibly be improved
| drastically by a BSD-licensed PGP implementation in base?  In fact, your
| question appears to misunderstand the /reason/ we would want a BSD
| licensed anything in base -- it isn't over a my license is better than
| your license pissing match, it's about what you could DO with that.
| The GNU license on GNUpg puts limitations on your ability to modify and
| redistribute it in a commercial product.  Being that PGP is sorta a
| standardized product...do you want people distributing modified versions
| of PGP?  anyone who has reason to do that will find plenty of crypto
| libraries and tools in OpenBSD, they won't need to tear apart and
| rebuild a PGP tool.

These are (imo) far better arguments.  Here are some possible answers:

3: OpenBSD solutions tend to be better implementations (ssh.com vs
   OpenSSH)
2: See 3, but also so it can be put under a 'better' license allowing
   for 1.
1: I'm not sure there are no developers that would like to see this in
   base, but they could have other priorities; wanting something not
   necessarily means having (time) to do the work.  The important
   difference is that you don't hear them.

| Yes, the OpenBSD project cares a lot about cryptography, but using it
| where it makes sense using as few tools as possible to do it right.
| Hey, why don't we have a crypto-ls?  It's really important!  What if
| someone is looking over your shoulder when you do an 'ls'?

Now you're just being facetious ;)

Paul 'WEiRD' de Weerd
(who's using gnupg now but wouldn't mind something better (which, in
the case of gnupg, can't be very hard) in either base or ports)

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Re: BSD licensed gnupg replacement question

2012-12-09 Thread Nico Kadel-Garcia
On Fri, Dec 7, 2012 at 4:24 PM, Chris Cappuccio ch...@nmedia.net wrote:
 Maximo Pech [mak...@gmail.com] wrote:
 I said I can't code that.

 If you already knew the answer was write it, then you asked the wrong
 question.

 I know that gnupg is in the ports tree, but it
 just seems strange to me that it isn't on the base system, because for me
 it sounds logical that if one of the key points of openbsd is cryptography,
 it would have a bsd tool like gnupg. The netpgp thing looks very cool, I
 didn't know about it.


 Do you have any idea how absurd this is?

 So my question is why there isn't a tool like that on base, I'm asking out
 of curiosity, maybe some historical, reason, technical... I'm not trying to
 point this as a fault, I just want to understand better the fact that gnupg
 or a bsd licensed equivalent isn't in the base system.


 The original PGP program was mostly public domain. As time went on, it
 went to a highly restrictive license. GnuPG, and later, NetPGP represent
 the people who had desires to fix that problem. If you want to do it
 again, nobody will stop you.

 OpenSSH and OpenBSD IPsec represent the OpenBSD solutions to the quality
 and licensing problems in those areas. OpenSSH is still the gold
 standard, OCF/IPsec, maybe not. PGP worked, was public domain, encrypts
 files, and solved one problem. Network layer encryption is an entirely
 different, and for many, a much more important problem.

SSH is the gold standard: OpenSSH is the popular and effective
freeware version, which did solve a number of issues. The early
history of SSH is interesting, and covered reasonably well at
http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch01_05.htm.



Re: BSD licensed gnupg replacement question

2012-12-09 Thread Chris Cappuccio
Nico Kadel-Garcia [nka...@gmail.com] wrote:
 
 SSH is the gold standard: OpenSSH is the popular and effective
 freeware version, which did solve a number of issues. The early
 history of SSH is interesting, and covered reasonably well at
 http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch01_05.htm.

Hunh? How does that change anything?



Re: BSD licensed gnupg replacement question

2012-12-09 Thread Nick Holland
On 12/09/12 06:50, Nico Kadel-Garcia wrote:
 On Fri, Dec 7, 2012 at 4:24 PM, Chris Cappuccio ch...@nmedia.net wrote:
,,,
 OpenSSH and OpenBSD IPsec represent the OpenBSD solutions to the quality
 and licensing problems in those areas. OpenSSH is still the gold
 standard, OCF/IPsec, maybe not. PGP worked, was public domain, encrypts
 files, and solved one problem. Network layer encryption is an entirely
 different, and for many, a much more important problem.
 
 SSH is the gold standard: OpenSSH is the popular and effective
 freeware version, which did solve a number of issues.

i.e., the better than gold standard.  Thanks for the clarification.  I
agree completely. :)

I've actually used an appliance which used ssh.com's SSH.  I suspect I
am in the vast minority in that regard.  That particular manufacturer
switched to OpenSSH in a later version of their products.  I talked to
them about why they used SSH.com's product (and had a separate license
key in place just for it) rather than OpenSSH.  It appears it was
something of an internal question; no one still there was quite sure why
they did that.

Nick.



Re: BSD licensed gnupg replacement question

2012-12-07 Thread Maximo Pech
I said I can't code that. I know that gnupg is in the ports tree, but it
just seems strange to me that it isn't on the base system, because for me
it sounds logical that if one of the key points of openbsd is cryptography,
it would have a bsd tool like gnupg. The netpgp thing looks very cool, I
didn't know about it.

So my question is why there isn't a tool like that on base, I'm asking out
of curiosity, maybe some historical, reason, technical... I'm not trying to
point this as a fault, I just want to understand better the fact that gnupg
or a bsd licensed equivalent isn't in the base system.

On Thursday, December 6, 2012, Martin Schröder wrote:

 2012/12/6 Maximo Pech mak...@gmail.com:
  I'd like to know your thoughts about this.

 Shut up and show us your code.



Re: BSD licensed gnupg replacement question

2012-12-07 Thread Ted Unangst
On Thu, Dec 06, 2012 at 13:10, Maximo Pech wrote:
 It's incredible for me that OpenBSD, an operating system that claims to
 have integrated cryptography (yes I know that the cryptography is on the
 core OS layers)  doesn't have in the base system a tool like gnupg, and
 even more incredible, that there isn't a single production ready,
 gnupg-like, BSD licensed tool out there (I don't have the skills and time
 to program one myself).
 
 I'd like to know your thoughts about this.

openssl can do pgp like things.
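
An added example, not part of any post in this thread: the S/MIME route suggested here (Andrey Mitroshin's message and the reply above), using `openssl smime` to encrypt a file to a certificate and to make a detached signature over it. The identity name and file names are constructed for the demo, and it assumes an `openssl` binary with the `smime` subcommand on PATH.

```shell
#!/bin/sh
# Added example: file encryption and signing with "openssl smime".
# recipient.example and all file names are constructed for this demo.

# Create a throwaway RSA key and self-signed certificate in directory $1.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=recipient.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Encrypt file $1 to certificate $2, writing DER output to $3.
# The cipher is named explicitly so it does not depend on the build's default.
encrypt_to() {
    openssl smime -encrypt -aes256 -binary -in "$1" -outform DER -out "$3" "$2"
}

# Decrypt $1 with certificate $2 and private key $3, writing plaintext to $4.
decrypt_with() {
    openssl smime -decrypt -binary -inform DER -in "$1" \
        -recip "$2" -inkey "$3" -out "$4"
}

# Encryption alone does not tell the reader who produced the file or whether
# it was altered, so a detached signature is made separately.
# $1 file, $2 signer certificate, $3 signer key, $4 signature output (DER).
sign_detached() {
    openssl smime -sign -binary -in "$1" -signer "$2" -inkey "$3" \
        -outform DER -out "$4"
}

# Verify signature $1 over content $2, trusting only certificate $3.
verify_detached() {
    openssl smime -verify -binary -inform DER -in "$1" -content "$2" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

# Full round trip: encrypt, decrypt, compare, sign, verify, then confirm
# that a modified file no longer verifies. Returns 0 only if all steps hold.
smime_roundtrip() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample: backup manifest, 3 files\n' > "$d/plain.txt"
    make_identity "$d" &&
    encrypt_to "$d/plain.txt" "$d/cert.pem" "$d/plain.p7m" &&
    decrypt_with "$d/plain.p7m" "$d/cert.pem" "$d/key.pem" "$d/out.txt" &&
    cmp -s "$d/plain.txt" "$d/out.txt" &&
    sign_detached "$d/plain.txt" "$d/cert.pem" "$d/key.pem" "$d/plain.sig" &&
    verify_detached "$d/plain.sig" "$d/plain.txt" "$d/cert.pem" ||
        { rm -rf "$d"; return 1; }
    printf 'appended after signing\n' >> "$d/plain.txt"
    if verify_detached "$d/plain.sig" "$d/plain.txt" "$d/cert.pem"; then
        rc=1    # a tampered file must not verify
    else
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

if smime_roundtrip; then
    echo "round trip and tamper check passed"
fi
```
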



Re: BSD licensed gnupg replacement question

2012-12-07 Thread Chris Cappuccio
Maximo Pech [mak...@gmail.com] wrote:
 I said I can't code that.

If you already knew the answer was write it, then you asked the wrong
question.

 I know that gnupg is in the ports tree, but it
 just seems strange to me that it isn't on the base system, because for me
 it sounds logical that if one of the key points of openbsd is cryptography,
 it would have a bsd tool like gnupg. The netpgp thing looks very cool, I
 didn't know about it.
 

Do you have any idea how absurd this is?

 So my question is why there isn't a tool like that on base, I'm asking out
 of curiosity, maybe some historical, reason, technical... I'm not trying to
 point this as a fault, I just want to understand better the fact that gnupg
 or a bsd licensed equivalent isn't in the base system.
 

The original PGP program was mostly public domain. As time went on, it
went to a highly restrictive license. GnuPG, and later, NetPGP represent
the people who had desires to fix that problem. If you want to do it
again, nobody will stop you.

OpenSSH and OpenBSD IPsec represent the OpenBSD solutions to the quality
and licensing problems in those areas. OpenSSH is still the gold
standard, OCF/IPsec, maybe not. PGP worked, was public domain, encrypts
files, and solved one problem. Network layer encryption is an entirely
different, and for many, a much more important problem.



BSD licensed gnupg replacement question

2012-12-06 Thread Maximo Pech
It's incredible for me that OpenBSD, an operating system that claims to
have integrated cryptography (yes I know that the cryptography is on the
core OS layers)  doesn't have in the base system a tool like gnupg, and
even more incredible, that there isn't a single production ready,
gnupg-like, BSD licensed tool out there (I don't have the skills and time
to program one myself).

I'd like to know your thoughts about this.



Re: BSD licensed gnupg replacement question

2012-12-06 Thread Amit Kulkarni
On Thu, Dec 6, 2012 at 1:10 PM, Maximo Pech mak...@gmail.com wrote:
 It's incredible for me that OpenBSD, an operating system that claims to
 have integrated cryptography (yes I know that the cryptography is on the
 core OS layers)  doesn't have in the base system a tool like gnupg, and
 even more incredible, that there isn't a single production ready,
 gnupg-like, BSD licensed tool out there (I don't have the skills and time
 to program one myself).

 I'd like to know your thoughts about this.


http://www.openbsd.org/cgi-bin/cvsweb/ports/security/gnupg/



Re: BSD licensed gnupg replacement question

2012-12-06 Thread Dustin Fechner
On 12/06/2012 08:10 PM, Maximo Pech wrote:
 that there isn't a single production ready, gnupg-like, BSD licensed
 tool out there (I don't have the skills and time to program one
 myself).

NetBSD has netpgp, which is BSD licensed:
https://en.wikipedia.org/wiki/Netpgp



Re: BSD licensed gnupg replacement question

2012-12-06 Thread Martin Schröder
2012/12/6 Maximo Pech mak...@gmail.com:
 I'd like to know your thoughts about this.

Shut up and show us your code.



Re: BSD licensed gnupg replacement question

2012-12-06 Thread Dag Richards

Maximo Pech wrote:

It's incredible for me that OpenBSD, an operating system that claims to
have integrated cryptography (yes I know that the cryptography is on the
core OS layers)  doesn't have in the base system a tool like gnupg, and
even more incredible, that there isn't a single production ready,
gnupg-like, BSD licensed tool out there (I don't have the skills and time
to program one myself).

I'd like to know your thoughts about this.




No, I don't think you are going to want to know their thoughts on this.


--
IS-IS sleeps.
BGP peers are quiet.
Something must be wrong.