[OT] CLI for noobies: The keys to GnuPG

Clinton MacDonald yellowdog-general@lists.terrasoftsolutions.com
Thu Jul 1 20:00:01 2004


Ray:

Thanks for *trying* to explain more to me about encryption technology 
(that you did not succeed is entirely due to my limited understanding).

R. Hirschfeld wrote:
> You can get opportunistic transport-level encryption of email by
> enabling STARTTLS in your MTA.

I don't know what any of this means, but it sounds as if I would have to 
be my own ISP for this to be effective. Certainly, I would be unable to 
send an encrypted e-mail to my Mom with this technology unless her 
e-mail client already had the guts of it enabled. And, what if Mom were 
an AOL user?

> For sensitive messages you probably still want end-to-end
> application-level encryption. A recent commercial version of PGP
> ("PGP Universal") is apparently designed to be user-transparent but
> all I know about it is what's in their press release.

I think that the problem with this is that it is commercial (and I am 
not trying to start an Open Source versus Commercial Software flame war 
here). In this day and age, computer end-users expect their e-mail 
clients to be *free*, in the sense that they come with their system 
(Apple's Mail.app or Microsoft Outlook Express), or that they are supplied 
by their corporate IT people (Microsoft Outlook). Heck, even AOL's 
pitiful mail offering is "free" with the AOL service (I'm not knocking 
AOL here -- it's great for the home user set who still want and need the 
training wheels). Commercial PGP will not be able to take over the 
Internet Universe unless it could be supplied with every e-mail client 
on this planet, including Ximian Evolution, Mozilla, Thunderbird, or 
Albrecht's Balsa (I think the PGP folks are missing a very large 
clue-train here by not releasing their technology as open source, then 
earning money on the back-end). Unless I can expect my recipient to have 
a cryptographically enabled e-mail client, there is no reason for me to 
bother sending it.

For this reason, I believe Albrecht is on the right track: there will 
have to be an open standard for encrypted e-mail, just as there is for 
attachments, etc. I believe, however, for encrypted and signed e-mail to 
become commonplace, it will require a big software developer -- probably 
one that is also an operating system developer -- to come up to the 
plate on encryption. Microsoft could do it, but unless they do it 
*exactly* right, it will be a flop (for example, if the implementation 
requires us to trust Microsoft with credit card information, or requires 
an expensive upgrade of Exchange Server, it will be a failure because 
Microsoft has not earned that kind of trust). Apple has a stronger track 
record of doing things exactly right, but I would be surprised if they 
saw encryption as a priority. Sigh.

Again, it's all just my opinion, unencumbered by the facts!

Best wishes,
Clint

-- 
Dr. Clinton C. MacDonald | <mailto:clint DOT macdonald AT sbcglobal DOT net>