ietf-openpgp

Re: "newbie" questions: GPG a.k.a. GnuPG versus PGP corporation's products ... ; et cetera

2009-02-01 15:06:27
On Sun, 2009-02-01 at 14:14 -0500, gerry_lowry (alliston ontario canada) wrote:
> I live under the cloud of the virus a.k.a. Windows [XP, Vista, Server 2003, Server 2008].
Ok, let me just skip a possibly flame-war-triggering comment on how
Windows and cryptologic security can go hand in hand ;-)


I do not like your indenting :P

> QUESTION # 1:  There seems to currently exist TWO forces in the PGP universe:
>
>     (a) GPG -- GnuPG (OpenPGP initiative)
>     (b) PGP -- PGP Corporation.
These are probably THE main players, but we have quite a few other
implementations.



>     To what extent are their goals aligned?  More specifically, since (b) is a corporation
>     which is driven by the profit motive and (a) would like to make a reasonable living
>     but is likely more open than the average corporate culture, it's likely more in the
>     interest of (b) to succeed in being universal but not too universal, i.e., to some
>     degree, (b) could grab more market share by being somewhat proprietary.
Well at least they've managed to work together on the standard so I'd
say that there's a good relationship.
But David, Hal, Jon and Werner could answer this probably better =)


>     OTOH, it's possible AFAIK that (a) could not succeed without being 100%
>     compatible with (b).
I don't think so... as especially in the Linux/OpenSource community
nearly everybody uses gnupg. (Please don't interpret this as if I wouldn't
like PGP or its staff.) Is there a Linux version of pgp at all?


>     http://pgp.mit.edu/ has been around for many years.
This is only one of many keyservers.

>     OTOH, I almost never receive even PGP signed e-mails.  I spoke with a senior I.T.
>     person recently who was not even aware of PGP technology.
Well,... I won't comment on this...


>     To what extent is GPG/PGP technology being used by e-mail users?
>     I'm guessing it must be less than 1% based on the many 1000's of
>     e-mails that I have received each month over the last decade.
It's quite widespread in the OpenSource community, and you should not
forget that OpenPGP is far more than just email.
Look e.g. at the Debian project which signs all its packages via
OpenPGP.

Of course the usage depends on the community which you're part of.

Lately X.509 has advanced more and more, especially things like
Thawte's WoT or CAcert.
But these provide far less security IMHO.
In general they depend on a single root with their limited, strictly
hierarchical PKI, which effectively means everything depends on the root cert.
If this is somehow compromised... game's over.
It's even worse, as most people have never received the root cert in a
secure way (just downloaded it from the web, or shipped with the
browser, et cetera).

And to come back to these two, CAcert and Thawte: already two people
(two assurers with the necessary points) can forge an identity.


So apart from military solutions, proprietary standards or rarely-used
PKIs, you can right now only choose between:
- OpenPGP
- something X.509 based (e.g. CMS, S/MIME)

And IMHO it's clear which one of the two provides (or can provide)
security and which one does not (that much).
(I think this has the potential to start a flame war ^^)


Just my 0.02€,
-- 
Christoph Anton Mitterer
Ludwig-Maximilians-Universität München

christoph(_dot_)anton(_dot_)mitterer(_at_)physik(_dot_)uni-muenchen(_dot_)de
mail(_at_)christoph(_dot_)anton(_dot_)mitterer(_dot_)name

Attachment: smime.p7s
Description: S/MIME cryptographic signature
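The trust-model argument in the reply above (one root everything hangs on, versus several independent introducers), as an added toy model that is not code from the thread or from GnuPG/PGP; the names, the sample graphs and the "one full or three marginal signers" rule are assumptions made for the illustration:

```python
from typing import Dict, Set

# --- Hierarchical PKI (X.509 style): valid only if the chain ends at a trusted root.
# issuer_of maps a certificate name to the name of the certificate that signed it;
# roots are the anchors the verifier was shipped with (e.g. by the browser).
def x509_valid(subject: str, issuer_of: Dict[str, str], roots: Set[str],
               revoked: Set[str]) -> bool:
    cur, seen = subject, set()
    while cur not in roots:
        if cur in revoked or cur in seen or cur not in issuer_of:
            return False          # compromised link, loop, or chain never reaches a root
        seen.add(cur)
        cur = issuer_of[cur]
    return cur not in revoked      # a compromised root invalidates every chain below it


# --- Web of trust (OpenPGP style): a key is valid if enough introducers the verifier
# trusts have signed it. Assumed rule: one fully trusted signer or three marginally
# trusted ones (this mirrors GnuPG's classic default, which the reply does not cite).
def wot_valid(key: str, sigs_on: Dict[str, Set[str]], full: Set[str],
              marginal: Set[str], compromised: Set[str]) -> bool:
    signers = sigs_on.get(key, set()) - compromised
    return bool(signers & full) or len(signers & marginal) >= 3


# Constructed sample data: two end entities under one intermediate and one root.
def hierarchy_demo(root_compromised: bool) -> Dict[str, bool]:
    issuer_of = {"alice": "IntermediateCA", "bob": "IntermediateCA",
                 "IntermediateCA": "RootCA"}
    revoked = {"RootCA"} if root_compromised else set()
    return {s: x509_valid(s, issuer_of, {"RootCA"}, revoked) for s in ("alice", "bob")}


# Constructed sample data: alice's key carries four signatures, bob's only carol's.
def wot_demo(carol_compromised: bool) -> Dict[str, bool]:
    sigs_on = {"alice": {"carol", "dave", "erin", "frank"}, "bob": {"carol"}}
    compromised = {"carol"} if carol_compromised else set()
    return {k: wot_valid(k, sigs_on, {"carol"}, {"dave", "erin", "frank"}, compromised)
            for k in ("alice", "bob")}


if __name__ == "__main__":
    # Losing the single root takes every chain with it; losing one introducer only
    # affects keys whose validity rested on that introducer alone.
    print("X.509, root fine:       ", hierarchy_demo(False))  # both True
    print("X.509, root compromised:", hierarchy_demo(True))   # both False
    print("WoT, carol fine:        ", wot_demo(False))        # both True
    print("WoT, carol compromised: ", wot_demo(True))         # alice True, bob False
```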