The future of PGP..

  • Apex
    Member
    • Jun 2002
    • 36

    #16
    I find it very strange that NAI tried to sell something that was free myself. However I am grateful I have a copy of their PGP Corporate Desktop Suite. Has some nice options.........

    In fact it's a bit like their firewall product, Gauntlet.....looked a lot like freeware to me too.

    However they did manage to sell Gauntlet off to Secure Computing in Minneapolis........I feel bad for anyone wanting support on it now.
    Apex

    http://www.shadowbiz.net

    • veruus
      Minister of Flamethrowers
      • May 2002
      • 92

      #17
      If anything, anyplace that intends to use encryption will most likely have someone in house who knows about it or have access to someone (a contractor or consultant perhaps) who does. GPG immediately comes to mind. The great thing about it is that it can be used on the server side (for scripting and whatnot) and the client side to handle email messages or encrypted files. This assumes some ability on that luser's part but there are some pretty good tools out there for use with GPG.
      cows like candy

      • blackwave
        Member
        • Jun 2002
        • 4270

        #18
        Originally posted by SigningiS
        If anything, anyplace that intends to use encryption will most likely have someone in house who knows about it or have access to someone (a contractor or consultant perhaps) who does.
        I know of several places that use a central type of cert management that allows the keys to be saved and recreated at a later date.. I think this is the worst thing that anyone could do with PKI.. because all someone needs is the admin's key and the whole system has been compromised.. PKI should exist in a decentralized existence.

        • blackwave
          Member
          • Jun 2002
          • 4270

          #19
          http://newsforge.com/newsforge/02/07...6.shtml?tid=21

          Zimmermann to Network Associates: Sell PGP back to me, or open-source it

          excerpt:

          Tuesday July 02, 2002 - [ 09:27 AM GMT ]
          Topic - Privacy - - by Bruce Tober -
          Philip R. Zimmermann, author of encryption program Pretty Good Privacy, is suggesting current owner Network Associates open-source PGP's code as one alternative to the program dying on the vine at the company. "I would strongly prefer PGP be Open Source compared with the current scenario, because right now it's locked in intellectual property prison and no one can get it," he says. "Open Source would be much better."




          • TheWatcher
            Unconfirmed Email
            • Jun 2002
            • 77

            #20
            Originally posted by blackwave


            I know of several places that use a central type of cert management that allows the keys to be saved and recreated at a later date.. I think this is the worst thing that anyone could do with PKI.. because all someone needs is the admin's key and the whole system has been compromised.. PKI should exist in a decentralized existence.
            I agree regarding the decentralized existence of key servers, though the question is how you will get the other user's key?

            Anyone know about this site www.keyserver.com? Are they affiliated with openpgp.org?

            • blackwave
              Member
              • Jun 2002
              • 4270

              #21
              Originally posted by TheWatcher
              I agree regarding the decentralized existence of key servers, though the question is how you will get the other user's key?
              There are several public key servers out there on the net that allow you to insert or extract a key based on keywords, etc. Though it does take a while for them to synchronize... but it works :) Since the private keys are generated and kept locally (on drive, floppy, USB token, whatever) there are no worries about someone else using your private key...

              • TheWatcher
                Unconfirmed Email
                • Jun 2002
                • 77

                #22
                Thanks man.

                • blackwave
                  Member
                  • Jun 2002
                  • 4270

                  #23
                  Originally posted by TheWatcher
                  Thanks man.
                  http://www.keyserver.com/ is another example of a public keyserver.

                  For more private keyservers you can use Hushmail's excellent set of HushTools https://www.hushtools.com/hushtools/...blic-key.html which is what I use more often than not since I have several hushmail accounts, and Hushmail provides seamless integration with this 'secure' web mail service and OpenPGP standard support.

                  • TheWatcher
                    Unconfirmed Email
                    • Jun 2002
                    • 77

                    #24
                    www.ziplip.com is worth mentioning regarding securing your message.

                    The receiving end doesn't need to be a member to read an encrypted message, this is cool. I've been using this free web mail for more than a year.

                    Before ziplip.com, I've used hushmail too.

                    • blackwave
                      Member
                      • Jun 2002
                      • 4270

                      #25
                      Originally posted by TheWatcher
                      Before ziplip.com, I've used hushmail too.
                      I used to use ziplip a long time ago too, but stopped after reading this (has this changed as far as you know?):
                      Check Section: Web-Based Encrypted E-Mail (a few other web mail service reviews, inclusive)
                      http://www.counterpane.com/crypto-gram-9908.html

                      ZipLip <https://www.ziplip.com/zlplus/home.jsp> is different. Both parties do not need an account to communicate. The sender logs onto the ZipLip Web site and, using SSL, sends a message to someone else. ZipLip then sends the recipient a message telling him that your message is waiting. The recipient then logs onto ZipLip to receive the message. Encryption, outside the two SSL connections, is completely optional.

                      ZipLip won't identify the encryption algorithm used, which is enough to discount them without further analysis. But they do something even stupider; they allow the sender to create an encryption key and then give the recipient a "hint" so that he can guess it. ZipLip's own Web site suggests: "The name of the project we're working on," or "The restaurant where we had dinner last night." Maybe there are 100,000 restaurants, so that's a 17-bit key.


                      The threats here are serious. Both the sender and receiver need to verify their SSL connections, otherwise there is no security. The ZipLip server is a major attack target, both because many messages will not be encrypted, and because those that are will have keys weakened by the requirement that both parties remember them.

                      On the plus side, ZipLip claims a policy of deleting all mail 24 hours after delivery, which provides a level of lawyer-proofing that HushMail does not have...if they implement it properly.

                      • TheWatcher
                        Unconfirmed Email
                        • Jun 2002
                        • 77

                        #26
                        They already updated some of their approach though I still can't tell what algorithm they are using right now :D

                        I haven't tried to sniff my message yet using ziplip. I will try sometime after attending a conference this weekend.

                        • TheWatcher
                          Unconfirmed Email
                          • Jun 2002
                          • 77

                          #27
                          blackwave,

                          they think you're AWOL ...

                          http://forums.netstumbler.com/showth...9068#post19068

                          check this out.

                          • blackwave
                            Member
                            • Jun 2002
                            • 4270

                            #28
                            Originally posted by TheWatcher
                            blackwave,
                            they think you're AWOL ...
                            Hahaha, yes I know :) I am a fickle-script.

                            • TheWatcher
                              Unconfirmed Email
                              • Jun 2002
                              • 77

                              #29
                              give them some sign ... that you still exist... hahaha

                              • blackwave
                                Member
                                • Jun 2002
                                • 4270

                                #30
                                Originally posted by TheWatcher
                                give them some sign ... that you still exist... hahaha
                                I did!... I posted something around the second page after I was spotted on late night IRC, and gave the word to spread that I have risen... :)
