Forum Post
Index > Security > Open source alternative to PGP

Author/Date Open source alternative to PGP
fReT
01/04/2002 11:28pm
It seems that Network Associates has halted furthur development of PGP.

This means that some other solution needs to be found. If the slashdot article I've link it discuss' the possibility of using GnuPG as an alternative.

If there is enough support for something like that I'll write a plugin for it. But I'd like to see some consensus before doing the work.

What do you people think?
netean
02/04/2002 6:15am
I'm a bit sketchy on the real difference between the two implimentations - I always presumed that gnupgp is "compatible" with current versions of pgp (i.e can read and write keys and encrypt/decrypt to the same specs?)- is that not the case?

in real terms to us (the users) how would any change affect us?

(please ignore my post in the plugin forum about pgp - as I didn't see this one before I posted there... sorry!)
netean
02/04/2002 6:34am
hmm just been to the gnupgp site...not a lot of windows front ends there (suprise suprise!)

downloaded and installed winpt though, which I actually found much easier to install and get running with valid keys than any of the Network Associates versions I've used to far.

From my brief look at it, gnupgp would seem a good way to go, but from my point of view the best option would be fully integrate scribe with gnupgp - i.e. with scribe acting as a front end of for gnupgp - But that seems like a lot of work?

--
2b honest I can't believe NAI's stance on this, just as the world is beginning to get a bit more paranoid about snooping and privacy they go and ditch the de-facto standard. Wierd!
fReT
02/04/2002 7:07am
GnuPG... well if the feature's are the same then is don't see why the current plugin can be ported over and nothing changes.

I do however have this truely evil idea that involves making the plugin pretty much transparent. For instance, outgoing filter plugins have the ability to automatically change the email before it's sent. So one could write an "Auto Encrypt" plugin that a) can be associated with only certain users and b) requires no user intervention to make it work.

However a normal manual version is a good place to start.

I just don't like the idea of writing to an API that is not being maintained.

On NA giving up on PGP, it makes a lot of sense if your paranoid (like me). Governments are always trying to limit the spread of good encryption, and I think they are putting pressure on the encryption market to give up. Which seems to be happening as we type :(

So if I made encryption easy peasy... transparent and all... maybe I'd get a visit from some black hats. Oh the fun.

I need me a glock. Or 2.
netean
05/04/2002 5:31am
the transparency for pgp sounds a really great idea, but only as long as you can turn it off (either on a individual mail version, or on a person by person basis- which I'm sure you'd be doing anyway!)

Sadly there seems to be still a lot of confusion and fear associated with pgp and pgp encrypted emails with the general public.

IMO more mail clients (especially outlook express should come with pgp support built in - both encrypting and decrypting) that way I'm sure more people would see that it is actually a good thing to use/have!
mute
23/04/2002 2:26am
From what I've seen of NAI's (now defunct?) PGP, it used an odd escrow key system that could be compromised to make anyone the escrow key holder. Yuck. Of course that could've been massive FUD, but the paperwork looked good. Does GPG / OpenPGP use a remote-authority + escrow system by default, or do you choose a (local, probably within your house ;)) key authority and manually accept/revoke keys? Hmm... that's a heavy question to ask here, maybe I should just ask, do you know of any good online references I could check out?
Andreas
09/05/2002 8:00pm
I definitely vote for GNUPG support. On it's own the
GNUPG is good, and with WinPG it allows for easy encryption / decryption of the clipboard. It would be great to have the crypto methods available without having to use the clipboard.
Eric
27/11/2002 3:54am
My first thought was GNUPG is the right way to go due to sheer popularity. Who wants to potentially deal with two key-ring systems?

I occasionally use my email providers web interface to send/receive email, especially at work, or when I'm on the road. I could only use GNUPG from my home PC, unless my email provider added support. I certainly wouldn't use it at work, since my keys would not be safe.

I searched my email providers forum (which is very active, and more technical than you'd normally expect) and there were a lot of fairly recent messages about PGP support, and discussions on how could they keep your private keys private when they're uploaded to the server etc. They also mentioned S/MIME, but nobody brought up GNUPG.

Personally I'm more interested in seeing you add SSL support because I'm more worried about sending my password than my email text in cleartext. SSL encrypts both, it just doesn't address the issue of the recipients identity.
Michael
04/12/2002 6:16am
I certainly favor the use of GNUPG if it would finally be easier to use for anyone.
I already stopped to use the NAI crap versions for obvious reasons (and the move of Schneier to leave that bunch underlines my decision), but would really vote for more support of the GNUPG approach where also fRet will not have to fear visits from blackhats any longer ;o) - though I agree on the assumption that governments discourage encryption usage (only because it is more of a hustle to handle the mails + it may makes you a suspect right away). Common consensus seems to run towards 'Hei, using encryption, sure got something to hide' - that's why a lot more people ought to start using encryption in order to make it a more common thing - and the only way to achieve this is by facilitating its use. Again: a GNUPG plugin of whatever kind would be highly appreciated for my favorite mail client here.
fReT
10/06/2003 1:55am
There is now a GnuPG plugin.

At long bloody last ;)
dunxd
22/10/2003 5:15am
I want to be able to run GnuPG with iScribe off of a keyring drive so I can use it in any internet cafe. I tried installing the windows version of GnuPG into the folder Scribe is installed in, but it doesn't work - where is Scribe looking?

Do I have to set a Path variable for gnupg?
Reply