-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
gerry_lowry (alliston ontario canada) wrote:
Hello,
I'm calling myself a "newbie" with regards to PGP/GPG even though I've
through my own ignorance and incompetence orphaned keys back as far as
September 1997. One day my brain may, if I am lucky, reconnect with their
corresponding passphrases so that I can revoke them. I'm guessing there is a
very large number of orphaned keys in the PGP universe.
I've read about PGP in Chey Cobb's "Cryptography for Dummies" and PGP/GPG in
Michael W. Lucas' "PGP & GPG: email for the practical paranoid". Also, I've
used gnupg.pdf as a reference but have yet to digest all of its 148 pages.
I remember Cobb's book as being more weighted to X.509 and PKCS. Not read Lucas,
so I can't comment on it other than I recall it having a cover blurb by Len
Sassaman, who also posts here. I guess gnupg.pdf is fine if the v2.0
specifics are filtered out.
I live under the cloud of the virus a.k.a. Windows [XP, Vista, Server 2003,
Server 2008].
At one time, 70-75% of Enigmail downloads were Windows users.
I'm not one for Windows-bashing - I consider it "So-o-o-o-o-o Last Century" ;-)
gpg (GnuPG) 1.4.9
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
AES256 (S9), TWOFISH (S10)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
Although there are GUI environments available, for the present, I am sticking
with GnuPG and its various command line tools until I understand them
sufficiently to warrant investigating GUI tools. The former MIT GUI
distribution never integrated very well with Outlook Express, at least,
that was my experience. This is a second reason why I prefer command line
tools.
You're missing out on some good work and the chance to help push that work
by submitting user feedback.
The GPGshell front-end to GnuPG seems to be preferred by folks moving over from
or familiar with PGP Desktop.
Are you only interested in integration with OE? The PGP plugin, as I recall,
worked well with both Outlook and OE (PGP 8.1). GnuPG integration with Outlook
2003 is possible with the GPGol plugin bundled in GPG4Win. If switching mail
clients is an option, Thunderbird+Enigmail & GnuPG may work well for you (but
I'm biased).
QUESTION # 1: There seems to currently exist TWO forces in the PGP universe:
(a) GPG -- GnuPG (OpenPGP initiative)
(b) PGP -- PGP Corporation.
To what extent are their goals aligned? More specifically, since (b) is a
corporation which is driven by the profit motive and (a) would like to make a
reasonable living but is likely more open than the average corporate culture,
it's likely more in the interested of (b) to succeed in being universal but
not
too universal, i.e., to some degree, (b) could grab more market share by being
somewhat proprietary. OTOH, it's possible AFAIK that (a) could not succeed
without being 100% compatible with (b).
Two _major_ forces. I think there are something around fifteen different
implementations of the OpenPGP RFC. GnuPG and PGP just seem to have the largest
share of user awareness.
GnuPG succeeds quite well without being 100% compatible with PGP, and vice
versa. They each have differences.
An implementation is only required to implement the MUST portions of the
standard. What optional features or extensions they package is their choice.
QUESTION # 2: I have looked at http://www.biglumber.com/ ...
http://biglumber.com/x/web?va=1: "Total of 3190 listings (3107 people [442
with images], 83 events) in 79 countries and 1144 cities."
613 listings are expired; even if the 613 listings are NOT part of the 3190
listings, "biglumber" is not very much in use. http://pgp.mit.edu/ has been
around for many years. It's possibly a better indicator of how many keys
their are ... sadly, it does not appear to offer much in the way of
statistics.
2662848 on the SKS keyservers as of 14:45 today (1-Feb-2009 US/Central)
Sadly, the server code on pgp.mit.edu is way out of date. I don't believe it is
even being maintained. The PKS code is known to behave badly with certain
features of newer V4 keys. I've never heard that this was reliably fixed - some
servers were patched to not do damage, but I don't believe the patches were
well-distributed.
OTOH, I almost never receive even PGP signed e-mails. I spoke
with a senior I.T. person recently who was not even aware of PGP technology.
I'm never surprised by what Sr IT folks don't know. Never. Ever.
To what extent is GPG/PGP technology being used by e-mail users?
I'm guessing it must be less than 1% based on the many 1000's of
e-mails that I have received each month over the last decade.
A friend just posted this anecdote a couple days ago to the [GnuPG-Users] list:
+> At last year's USENIX, in a panel discussion, Dan Wallach of Rice
+> declared Enigmail the best thing going in terms of OpenPGP integration.
+> That's high praise coming from a very well-respected guy in computer
+> security.
+>
+> This was said as part of a sidebar he made about the difficulty in
+> getting 30+ Ph.Ds in computer science to all use PGP for a particular
+> mailing list. Some were using Evolution, some were using ancient PGP,
+> some were using modern PGP, some were using plugins, others were C&Ping
+> into a Microsoft Word document then using some weird Word PGP plugin,
+> some were using Enigmail, etc. He capped it off with an exasperated
+> sigh, then recommended Enigmail to people who needed OpenPGP
+> integration, as Enigmail gave the least troubles.
If CS professors with interest in computer security can't get OpenPGP working
within their own group, what do _you_ think are the chances for the "Average
User"?
I'll have more questions and I hope comments that you'll find useful later.
Could you please format them in a more friendly manner. Most folks seem to limit
line lengths to < 80 characters. It was a bit of a chore to rewrap your message.
You may also find the GnuPG-Users list (gnupg-users[AT]gnupg.org) and the Yahoo!
PGP-Basics group (PGP-Basics[AT]yahoogroups.com) helpful. In fact, both of those
are probably great places to continue this discussion.
Thank you for your opinions.
Thank you for your questions.
- --
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys(_at_)gingerbear(_dot_)net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn4907-2008-12-21 (Windows XP)
Comment: When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Comment: Be part of the £33† ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with SeaMonkey - http://enigmail.mozdev.org
iJwEAQECAAYFAkmGfh8ACgkQvh+YERi7NzqlFQP/RnpMd+EWwCV8iVfFZrwNmJGD
lV3HUSNE5htUCuCgWRkZnb/A8a3bd9obo6Cnn8T9h+eaK8qZ40mBbva+VkUrDvd/
yf7fz117I4eqz+e9hxnsmUxkX+/s79DTZ5HMNvuAKoc8avZiSdpheNoQB7sFnFj6
AT+mAsLfIGMxaRz7yLWIRgQBEQIABgUCSYZ+HwAKCRAdBKxKYI0qEDPmAJ4pD9zR
dEhyjUEDk8X9C3S6au42uwCgxEfC8f498iAzRnDeihb5FBdCgz0=
=MeVo
-----END PGP SIGNATURE-----