PGP is dead but most users don't know it?

PGP is dead but most users don't know it?

Post by David Sternlight » Wed, 31 Dec 1997 04:00:00



In a post to another list, a highly experienced and knowledgeable observer
makes the argument that PGP is dead but the PGP community doesn't yet realize it.

One pillar of his argument is that among significant hardware and software
corporations only Qualcomm supports PGP (excluding from the count, of course,
Pretty Good Privacy Inc. or its successor), while S/MIME is supported by just
about everyone else--IBM, DEC, Apple, Netscape, Microsoft, etc. etc.
(excluding from the count, of course, RSADSI).

Another pillar of his argument is that Pretty Good Privacy Inc. was just
barely rescued from bankruptcy.

I'd source him directly, but the arguments above have nothing to do with the
persona making them, and that might be an interference for some in addressing
substance. (No, I'm not talking about myself as the source.)

Comments on substance?

David

 
 
 

PGP is dead but most users don't know it?

Post by Ed Stone » Wed, 31 Dec 1997 04:00:00



> In a post to another list, a highly experienced and knowledgeable observer
> makes the argument that PGP is dead but the PGP community doesn't yet realize it.
<snip>
> Comments on substance?

I'll make a comment on context, to wit, I believe that one who makes the
stated argument is likely to have established himself with Mr. Sternlight as
a highly experienced and knowledgeable observer, independent of other
qualifications. ;-)

On substance, calling PGP "dead" is not very specific. If "dead" means, no
one uses it, or fewer and fewer people are using it, I have seen no evidence
for that, and I invite those who may have such evidence to provide it. If
"dead" means weak and easily breakable, I have seen no evidence that that is
the case, and I invite those who may have such evidence to provide it. If
"dead" means that it does not come bundled, like the Galician font, on 30
million copies of general purpose web browser software, then it is correct.

But strong crypto on a web browser's email program reminds me of an associate
who looked into developing a mass market high-performance kit for Hondas. He
kept citing how many Hondas were on the road, and of course, he was right.
;-)

If numbers are going to be used to establish superiority, the Hondas are
superior to Porsche, Wynonna's recordings are superior to Pavarotti's, and
Tractor Pulls are superior to Ballet. I think there is room for many to
succeed, for different users and different uses. It is the choice that is
important.

> David

--
-------------------------------
Ed Stone

remove "-birdname" spam avoider
-------------------------------

 
 
 

PGP is dead but most users don't know it?

Post by Topher Belknap » Wed, 31 Dec 1997 04:00:00


On Tue, 30 Dec 1997 12:17:54 -0800, David Sternlight


>In a post to another list, a highly experienced and knowledgeable observer
>makes the argument that PGP is dead but the PGP community doesn't yet realize it.

I would assume that the 'life' of a piece of software would be
measured by the amount that it is used.  With that metric, the above
makes no sense.  So, what metric should be used?  

>One pillar of his argument is that among significant hardware and software
>corporations only Qualcomm supports PGP (excluding from the count, of course,
>Pretty Good Privacy Inc. or its successor), while S/MIME is supported by just
>about everyone else--IBM, DEC, Apple, Netscape, Microsoft, etc. etc.
>(excluding from the count, of course, RSADSI).

I suspect that it will be supported if the users (of all encryption
software) demand it (with obvious caveats for Microsoft).

I would say that the usage of encryption in e-mail etc. is in its
infancy and that the potential for growth is huge.  I would predict
that eventually at least 90% of all (non-spam) email will be
encrypted.  Given that, it would seem a little early to accurately
predict the eventual outcome, to say nothing of a single winner.  A
similar prediction made about WWW browsers at the (to me) same stage
in its growth would have made Mosaic the big winner.

>Another pillar of his argument is that Pretty Good Privacy Inc. was just
>barely rescued from bankruptcy.

Since it is now owned by a healthy company, it hardly seems a good
basis for a prognosis of ill-health.  If he was saying that it was
unprofitable, that is another question, though I suspect that the same
could be said of any encryption program at the moment.

>I'd source him directly, but the arguments above have nothing to do with the
>persona making them, and that might be an interference for some in addressing
>substance. (No, I'm not talking about myself as the source.)

Well, the persona is important if you are going to claim him to be
'highly experienced and knowledgeable'.

>Comments on substance?

It is a little thin.   For instance, this is the first I have heard on
this forum, that PGP Inc. was in jeopardy of bankruptcy.  Do you have
any more information on that?  Also have any of the above companies
said that they would _not_ support PGP, especially if it is part of
the IETF spec?

At what point does it get too fuzzy to tell who won anyway? Are we
talking about algorithms, or formats, or programs?  If the exact PGP
format and algorithms are adopted by everyone, but PGP Inc. goes
bankrupt, did they win?  Is PGP dead?

Topher

 
 
 

PGP is dead but most users don't know it?

Post by Chuck » Wed, 31 Dec 1997 04:00:00


I'll take a bite on this.  I think that the problem is that PGP is
stronger encryption than S/MIME.  The export restrictions being what
they are is one big hindrance for PGP.  S/MIME is a standard of
encryption that is apparently weak enough to export, and therefore
companies can use one standard for everything.

Also for new users there are several reasons they do not use it.  First,
they do not think that encryption is something that they need.  Second,
if they do want encryption they will use what is at hand (S/MIME),
figuring that it is good enough.  If it weren't, the company wouldn't put
it in.  New users of the net may not be aware that there is another
way.  Third, and the clincher, is the learning curve.  You actually
have to do some reading to figure out how to use it.

So while PGP may never be an internet standard, it will not die until it
is proved that it is useless.

Chuck


> In a post to another list, a highly experienced and knowledgeable observer
> makes the argument that PGP is dead but the PGP community doesn't yet
> realize it.

> One pillar of his argument is that among significant hardware and software
> corporations only Qualcomm supports PGP (excluding from the count, of course,
> Pretty Good Privacy Inc. or its successor), while S/MIME is supported by just
> about everyone else--IBM, DEC, Apple, Netscape, Microsoft, etc. etc.
> (excluding from the count, of course, RSADSI).

> Another pillar of his argument is that Pretty Good Privacy Inc. was just
> barely rescued from bankruptcy.

 
 
 

PGP is dead but most users don't know it?

Post by Greg Hennes » Thu, 01 Jan 1998 04:00:00




>In a post to another list, a highly experienced and knowledgeable observer
>makes the argument that PGP is dead but the PGP community doesn't yet realize it.

Is this similar to the argument that Apple is dead, but the Apple
community doesn't yet realize it?
 
 
 

PGP is dead but most users don't know it?

Post by David Sternlight » Thu, 01 Jan 1998 04:00:00


In my previous post I offered the views of another. In this one I add my own views.

Topher Belknap wrote:

> On Tue, 30 Dec 1997 12:17:54 -0800, David Sternlight
> <da...@sternlight.com> wrote:

> >In a post to another list, a highly experienced and knowledgeable observer
> >makes the argument that PGP is dead but the PGP community doesn't yet realize it.

> I would assume that the 'life' of a piece of software would be
> measured by the amount that it is used.  With that metric, the above
> makes no sense.  So, what metric should be used?

> >One pillar of his argument is that among significant hardware and software
> >corporations only Qualcomm supports PGP (excluding from the count, of course,
> >Pretty Good Privacy Inc. or its successor), while S/MIME is supported by just
> >about everyone else--IBM, DEC, Apple, Netscape, Microsoft, etc. etc.
> >(excluding from the count, of course, RSADSI).

> I suspect that it will be supported if the users (of all encryption
> software) demand it (with obvious caveats for Microsoft).

Almost no one with significant money "demands" a particular crypto package.
And much (if not most) of PGP use is via "free" users, who thus carry little
marketplace weight in vendor decision making. I have the sneaking suspicion
(this is not an assertion nor do I have any data) that when the historical
data is finally seen, PGP's full-package sales will be found to be derisory
compared to the size of the free user base, and not enough to justify an
acceptable-return-on-investment commercial operation at scale. After all, if
it were otherwise why would the Pretty Good Privacy Inc. stockholders have
sold out at this relatively early date in their corporate history, and for
what some readers here have felt was so little?

> I would say that the usage of encryption in e-mail etc. is in its
> infancy and that the potential for growth is huge.

I agree. But I think a 30-million or more installed base already for S/MIME
(and each copy with royalties paid to RSADSI by the software vendor) tells the
story. How many royalty-paid copies of PGP are out there in the Eudora pro
package? How many copies of the full commercial PGP package have PGPI2 sold?

>  I would predict
> that eventually at least 90% of all (non-spam) email will be
> encrypted.  Given that, it would seem a little early to accurately
> predict the eventual outcome, to say nothing of a single winner.

You may be right.

>  A
> similar prediction made about WWW browsers at the (to me) same stage
> in its growth would have made mosaic the big winner.

Mosaic was not a commercial product and indeed was a near-first iteration. As
soon as a better product came out it vanished, for all practical purposes.
This discussion isn't about freeware (as I understand the original writer's
contention) but about commercial success in the marketplace. I think there
will always be free copies of PGP available, and there may even eventually be
free stand-alone versions of S/MIME 3 (though I doubt it since that has to be
bound in with productivity software to be really useful).

Even there, how long can free PGP users resist the massive penetration of
S/MIME in the marketplace installed base? More and more PGP users will
discover that they cannot communicate securely with, or authenticate traffic
from users who "turn on" what they already have. More and more, I think PGP
will become marginalized to small, niche networks where it is most useful.

> >Another pillar of his argument is that Pretty Good Privacy Inc. was just
> >barely rescued from bankruptcy.

> Since it is now owned by a healthy company, it hardly seems a good
> basis for a prognosis of ill-health.  If he was saying that it was
> unprofitable, that is another question, though I suspect that the same
> could be said of any encryption program at the moment.

He was saying just that, as I understand it. And it cannot be said for RSADSI,
which (as I understand it) is not only happily profitable and busily
collecting royalties for many products (including S/MIME) but also is
expanding and running a major crypto research lab out of their cash flow. They
have huge and rapidly growing world-wide attendance at their annual conference
(which costs about a thousand bucks to go to, excluding transportation). Did
PGPI2 even have such a conference?

I think a brief visit to the SEC data base will tell the story on both Pretty
Good Privacy Inc. and RSADSI, though I haven't the time to do that. Perhaps
our skillful researcher and pointer-catcher, Ed Stone, would like to take on
this task.

As to the current owners of PGP, as I understand it (and please correct me if
I'm wrong), they said they bought it to use incorporated in their own
specialized products. While they won't (and probably cannot) turn away service
and support for the existing product line, whether they'll push it with any
vigor and what that will accomplish remains to be seen. Of course I wish them
success--competition is always good for all parties, and there are important
applications where web-of-trust is appropriate. But I don't see them competing
successfully against Netscape and Microsoft in mail markets.

> >I'd source him directly, but the arguments above have nothing to do with the
> >persona making them, and that might be an interference for some in addressing
> >substance. (No, I'm not talking about myself as the source.)

> Well, the persona is important if you are going to claim him to be
> 'highly experienced and knowledgable'.

That was just my throat-clearing. Please ignore it--it has nothing to do with
the substance of this discussion.

> >Comments on substance?

> It is a little thin.   For instance, this is the first I have heard on
> this forum, that PGP Inc. was in jeopardy of bankruptcy.  Do you have
> any more information on that?  Also have any of the above companies
> said that they would _not_ support PGP, especially if it is part of
> the IETF spec?

Beats me. Bankrupt is bankrupt and is an event in the here and now, not in the
"might be someday". There is a limit to which arms-length capitalists will go
in pouring money into a company, and Pretty Good Privacy Inc.'s backers
weren't the committed creators of PGP, but rather "ordinary" high-tech
capitalists with the conventional decision rules about sunk costs being sunk
(bygones being bygones) aka not throwing good money after bad. And they can
read events, markets, and cash flow statements as well as the next man. As I
warned almost a year ago, once Netscape and Microsoft committed to S/MIME
rather than PGP, the game was pretty much over once they delivered on that
commitment (as they have). My position then, as it is in this paragraph, is
that of a business economist and not a partisan of one approach or another.

Don't get me wrong. I LIKE PGP for many purposes, and use it where I think it
appropriate. But liking isn't the same as business success, as any Beta home
VCR buyer can tell you.

Putting it another way, the only arena in which PGP can have continuing
success, in my view (here I part company with the original commentator) is in
the "free" community. And that will require both an ongoing body of developers
willing to give away their time and effort, and a willingness of users to use
a pre- and post- crypto processor as competing offerings become more and more
tightly embedded in productivity software.

The cost to the end user of an integrated crypto capability is so low that it
seems free when embedded in (say) a Netscape and Microsoft product. At the
same time the royalty stream from the software vendor to the crypto firm is
massive. It's the same principle as gasoline profits as a percentage of the
pump price. It is the choices of the vendors that will count as long as the
users aren't so dissatisfied as to create an opening for Microsoft (say) as
against Netscape (say) to offer something different and take on the
compatibility issue as well. Again we're back to the Beta vs. VHS matter in
some respects.

That is why the original advocate cited the massive vendor adoption of S/MIME,
vs. only Qualcomm's adoption of PGP, as significant. Consider the royalties to
PGP from the number of copies of Eudora Pro out there. Now consider the
royalties to RSADSI from the number of copies of Netscape Communicator and
Microsoft Internet Explorer out there, plus other applications that use
S/MIME. It's a pretty dramatic story and what is more with the huge base of
NS/MS mail flowing out there, how long can Qualcomm resist before itself
adopting S/MIME?

And Qualcomm may not matter to this issue. From the rave reviews and reviewer
adoptions for Outlook Express (bundled with Explorer) as their mailer of
choice, Eudora Pro's PC market share must thereafter have taken a noticeable
drop. With the Mac release of Outlook Express soon to follow (Eudora owes part
of its success to the Mac market), another drop is sure to follow. And the
final nail in the coffin will be the new version of Microsoft Office, which
will include Outlook Express as a component.

> At what point does it get to fuzzy to tell who won anyway,  are we
> talking about algorithms, or formats, or programs?  If the exact PGP
> format and algorithms are adopted by everyone, but PGP Inc. goes
> bankrupt did they win?  Is PGP dead?

Beats me. If a tree falls in the forest and no one hears it, did it make a
sound? How many angels can dance on the head of a pin?

David

 
 
 

PGP is dead but most users don't know it?

Post by David Sternlight » Thu, 01 Jan 1998 04:00:00





> >In a post to another list, a highly experienced and knowledgeable observer
> >makes the argument that PGP is dead but the PGP community doesn't yet realize it.

> Is this similar to the argument that Apple is dead, but the Apple
> community doesn't yet realize it

Not clear.

1. Apple wasn't acquired to avoid bankruptcy. Compare with PGP, which was acquired.
2. Apple makes the most powerful and most powerful per dollar mass market desktops
   and portables with the new G3 line. It is simply a better machine. Compare with
   PGP, which is a pre- and post-processor trying to compete with embedded software.
3. Apple is moving toward accessing the PC market base with its new Rhapsody OS, in
   final development, that will run on both Macs and PCs. That OS is technically
   superior to anything MS has. Compare with PGP, which uses intellectual property
   from RSADSI and ASCOM rather than its own and thus isn't able to use its own
   crypto algorithms as a marketing advantage.
4. Apple has a committed user base which has paid, and continues to pay for its
   products. Though smaller than the Intel platform user base, the sales volumes
   are among those considered major for most US corporations rather than being of
   "niche" levels. In fact the new Mac OS, OS8, topped the best-seller software lists
   a couple of months ago. Compare with PGP, most of whose base is freebies. There is
   no such "leakage" of potential pay users for Apple hardware and software.
5. Even Bill Gates has put money into Apple. I haven't seen RSADSI put any money into
   PGP.
6. Bill Gates thought enough of the Apple OS to urge Apple to open it. When they
   refused he pursued Windows, which borrowed so heavily from the Mac OS that Gates
   recently made a secret payment to Apple to settle Apple's intellectual property
   lawsuit. In contrast it was PGP who used intellectual property from RSADSI, and
   if any payments are made they are from PGP to RSADSI and not vice versa.

(Yes, I know the comment was intended to be a passing dig but the opportunity
to bring the matter back to reality was too juicy to let pass. It's not,
however, worth a thread beyond this point.)

David

 
 
 

PGP is dead but most users don't know it?

Post by Greg Hennes » Sat, 03 Jan 1998 04:00:00




>1. Apple wasn't acquired to avoid bankruptcy. Compare with PGP which
>was acquired.

There is no evidence presented to show that PGP was acquired to avoid
bankruptcy.

>2. Apple makes the most powerful and most powerful per dollar mass
>   market desktops and portables with the new G3 line.

DEC Alphas are the most powerful.
 
 
 

PGP is dead but most users don't know it?

Post by Daniel M. Skatter » Sat, 03 Jan 1998 04:00:00





>>2. Apple makes the most powerful and most powerful per dollar mass
>>   market desktops and portables with the new G3 line.

>DEC Alphas are the most powerful.

   DEC Alphas are mass-market desktop computers? Boy, have *I* been
misinformed... ;-)

--
Daniel Mark Skatter <*> valen <at> netins <dot> net
http://www.netins.net/showcase/valen
PGP Key IDs: DSS/D-H -> 0xAD73D235 RSA -> 0x03E5B8F9
All PGP Keys accepted, DSS/D-H preferred

 
 
 

PGP is dead but most users don't know it?

Post by Steve Smi » Mon, 05 Jan 1998 04:00:00



>In a post to another list, a highly experienced and knowledgeable observer
>makes the argument that PGP is dead but the PGP community doesn't yet realize
> it.
>One pillar of his argument is that among significant hardware and software
>corporations only Qualcomm supports PGP (excluding from the count, of course,
>Pretty Good Privacy Inc. or its successor), while S/MIME is supported by just
>about everyone else--IBM, DEC, Apple, Netscape, Microsoft, etc. etc.
>(excluding from the count, of course, RSADSI).

Once a "standard" comes out, all the Big Guys automatically profess
their undying support for it.  Means squat without a firm *internal*
commitment to put product out there.  When another standard comes along,
they'll support that too.  What they really want to use depends on
internal requirements and politics -- things that aren't readily
observable outside the company.

>Another pillar of his argument is that Pretty Good Privacy Inc. was just
>barely rescued from bankruptcy.

Happens to the best of them.  Juggling cash flow, expenses, development
schedules, marketing projections, and investor expectations is *not*, as
the mathematicians say, a "solved problem".

>I'd source him directly, but the arguments above have nothing to do with the
>persona making them, and that might be an interference for some in addressing
>substance. (No, I'm not talking about myself as the source.)

Unfortunately, we can't divorce comments from who made them.  If the
"observer" was Phil Zimmermann, I'd say that PGP was dead and starting to
smell.  If it was Jim Bidzos, I'd take it as a disparaging comment on a
competitor, of no weight whatever.

*Your* prejudices are very much in favor of "integrated" software -- no
external programs needed.  This is fine -- when all the important parts
of the program do their jobs.  The integrated mail and news applications
with Netscape and Explorer are *vastly* inferior to separate programs.

>Comments on substance?
>David

I have never had anybody send me S/MIME signed mail or seen an S/MIME
signed news posting.  Plenty of PGP signatures, of course.  Getting a
"certificate" is a heck of a lot more complicated than generating a PGP
key, and the drones who simply use the software that comes with the
computer won't take the trouble to do either.  The biggest job is
getting the mythical "average user" to do anything about security at
all.

The name of the game is market share -- used, not necessarily paid for.  
(Look at the way Netscape and Microsoft are giving away browsers.)  
Right now, for e-mail, it's PGP all the way.  This can change, of course
(and probably will, at some point) but PGP is certainly not dead.

--

Agincourt Computing                             +1 (301) 681 7395
"Everything should be made as simple as possible, but no simpler."

 
 
 

PGP is dead but most users don't know it?

Post by Greg Hennes » Mon, 05 Jan 1998 04:00:00




>   DEC Alphas are mass-market desktop computers? Boy, have *I* been
>misinformed... ;-)

DEC sells about as many Alphas as Apple sells Macs, and you can buy
Alphas in CompUSA (at least in the one near me you can), so it seems
safe to label them about as mass market as Apple is.
 
 
 

PGP is dead but most users don't know it?

Post by David Sternlight » Mon, 05 Jan 1998 04:00:00




> >In a post to another list, a highly experienced and knowledgeable observer
> >makes the argument that PGP is dead but the PGP community doesn't yet realize
> > it.

> >One pillar of his argument is that among significant hardware and software
> >corporations only Qualcomm supports PGP (excluding from the count, of course,
> >Pretty Good Privacy Inc. or its successor), while S/MIME is supported by just
> >about everyone else--IBM, DEC, Apple, Netscape, Microsoft, etc. etc.
> >(excluding from the count, of course, RSADSI).

> Once a "standard" comes out, all the Big Guys automatically profess
> their undying support for it.  Means squat without a firm *internal*
> commitment to put product out there.  When another standard comes along,
> they'll support that too.  What they really want to use depends on
> internal requirements and politics -- things that aren't readily
> observable outside the company.

Your counter-argument won't stand a moment's empirical scrutiny since neither
MS nor NS products have PGP built in and both have S/MIME built in.

> >Another pillar of his argument is that Pretty Good Privacy Inc. was just
> >barely rescued from bankruptcy.

> Happens to the best of them.  Juggling cash flow, expenses, development
> schedules, marketing projections, and investor expectations is *not*, as
> the mathematicians say, a "solved problem".

Nevertheless this is indicative of market success. If we knew the sales
figures the argument might be even more conclusive.

> >I'd source him directly, but the arguments above have nothing to do with the
> >persona making them, and that might be an interference for some in addressing
> >substance. (No, I'm not talking about myself as the source.)

> Unfortunately, we can't divorce comments from who made them.  If the
> "observer" was Phil Zimmerman, I'd say that PGP was dead and starting to
> smell.  If it was Jim Bidzos, I'd take it as a disparaging comment on a
> competitor, of no weight whatever.

It was an observer who was not associated with either party, and has been
known in the past, if anything, as a PGP fan and one of my occasionally vocal
critics. One may read his posts on the IETF-S/MIME mailing list archives.

> *Your* prejudices are very much in favor of "integrated" software -- no
> external programs needed.  This is fine -- when all the important parts
> of the program do their jobs.  The integrated mail and news applications
> with Netscape and Explorer are *vastly* inferior to separate programs.

So you think automatic transmission in a car is a prejudice and not a market judgement?

> >Comments on substance?

> >David

> I have never had anybody send me S/MIME signed mail or seen an S/MIME
> signed news posting.  Plenty of PGP signatures, of course.

Don't judge by the true believers. Of course those participating in a PGP
activist group are likely to use PGP. They aren't even a smudge on the
windshield of the market, size-wise, when it comes to paying. In contrast
there are well over 30 million (probably over 60 million by now) copies of
S/MIME out there in NS and MS software, each of which has been royalty-paid to
RSADSI by the vendor. And it is THAT cash flow which insures corporate
viability, funding for R&D, stockholder interest, and all the other things
that make long-term business success feasible.

>  Getting a
> "certificate" is a heck of a lot more complicated than generating a PGP
> key, and the drones who simply use the software that comes with the
> computer won't take the trouble to do either.  The biggest job is
> getting the mythical "average user" to do anything about security at
> all.

The install program on most modern browsers leads users by the hand through
this process. I agree that more public education is needed.

> The name of the game is market share -- used, not necessarily paid for.

Nope. I have no doubt there are hundreds of thousands of free PGP users out
there. Not one penny went from them to PGP Inc. to fund new products, R&D,
marketing, salaries, etc. The argument that there is a huge installed base of
S/MIME but it doesn't count, made originally (as I recall by Ed Stone) is
bogus, since it ignores that each copy has had royalties paid from the vendor
to RSADSI.

There are many products which make for viable and even rich companies whose
premise is that you pay for something you don't use, or even hope not to use
(such as certain forms of insurance). So the "user" base argument is a red
herring. As long as the business structure of the software industry is what it
is, RSADSI has a sure thing and PGP a steep uphill fight as long as the major
vendors stay with the consortia they in fact helped found and fund (at least
in kind). Where are the major vendors who helped found and fund a PGP
consortium? This whole thing is a classic business case right out of the textbooks.

> (Look at the way Netscape and Microsoft are giving away browsers.)
> Right now, for e-mail, it's PGP all the way.  This can change, of course
> (and probably will, at some point) but PGP is certainly not dead.

Doesn't matter as long as they pay RSADSI for each one. And their strategy is
to eventually dominate and then charge. Both NS and MS have the capital
resources to make such a strategy credible. PGP Inc did not, as we've seen.

This issue isn't about ideology, or taste, or even technology but about
economics and markets.

David

 
 
 

PGP is dead but most users don't know it?

Post by David Sternlight » Mon, 05 Jan 1998 04:00:00





> >   DEC Alphas are mass-market desktop computers? Boy, have *I* been
> >misinformed... ;-)

> DEC sells about as many Alphas as Apple sells Macs,

I don't think so. Let's see the statistics, since you are making that claim.

David

 
 
 

PGP is dead but most users don't know it?

Post by Ron Hei » Tue, 06 Jan 1998 04:00:00



>So you think automatic transmission in a car is a prejudice and not a market judgement?

I think that if we want to use automobile analogies, then the radio is
closer to the mark than is the transmission.

Most cars come with a radio built in. Some of these are "standard", and cost
the purchaser nothing extra. Others are "premium" and cost something extra,
but have to be acquired with the vehicle, because the seller will not rip
them out. To get a vehicle without a radio requires purchasing a "custom
made" vehicle, waiting a long time, and (probably) paying more than if a
vehicle had been bought off the lot. However, even so, there is a fairly
active after-market in vehicle audio. Real audiophiles know that they can
get a sound system that suits their needs and tastes better than that
provided by the radio that came with the car.

Similarly, S/MIME comes built in to the more popular browsers. At this
point, they come "standard", and cost the purchaser nothing extra. Of
course, to actually use it, the user generally must pay (something, whether
time or money or both) extra. In either case, there is no way to get those
same browsers without it built in. You are forced to take S/MIME when you
get the modern browser. Even so, there is a fairly active after-market in
encryption software (e.g., PGP). People really interested in security
(should) know that they can get encryption software that suits their needs
and tastes better than that provided by the encryption software that came
with their browser.

--
Ron.

 
 
 

PGP is dead but most users don't know it?

Post by David Sternlight » Tue, 06 Jan 1998 04:00:00



> You are forced to take S/MIME when you
> get the modern browser. Even so, there is a fairly active after-market in
> encryption software (e.g., PGP). People really interested in security
> (should) know that they can get encryption software that suits their needs
> and tastes better than that provided by the encryption software that came
> with their browser.

There is no evidence that the difference between S/MIME and PGP is related to
"people really interested in security". The two have different trust models,
each appropriate to different sets of circumstances. Security or an interest
in same is not the distinguishing issue.

In fact it can be argued that S/MIME is more secure in certain circumstances
(higher level certs having a known, published, and audited set of standards
for checking identities and indemnifying users) because PGP does not offer such
an existing capability (as do, for example, Verisign Class 2 certs and above).
Thus you know nothing about a PGP CA a priori unless and until each user
checks each one's standards by hand. What is more, such standards aren't
usually codified nor published in any convenient way, as they are for many
S/MIME CAs.

Finally, PGP's trust model contains a basic security flaw--nay, a piece of
pure unreason. That is the notion that because "n" people agree transitively,
and without any other evidence, someone is trustworthy. How many people do you
suppose once agreed that the earth was flat? How many still agree? (Note that
PGP makes no provision to take a vote on those who don't agree a key is
trustworthy--just that "n" do.). Frankly, this feature of PGP should have been
laughed out of the community of "people really interested in security" years
ago. Come to think of it, it was.

Finally, the world's most widely professionally accepted and acclaimed
non-governmental crypto security organization is not PGP Inc. but RSADSI, and
that outfit (with its partners) produces S/MIME and not PGP. You may prefer
Phil's Original Amateur Hour for certain features it offers, but please don't
try to suggest that "those who are really interested in security" prefer it.
In truth, as you know, Phil's Original Amateur Hour got its security
algorithms from RSADSI and ASCOM AG, rather than rolling its own, and even
more recently got Diffie-Hellman from those once associated with RSADSI via PKP.

David
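The post above describes PGP's web-of-trust rule informally as "n" people agreeing transitively that a key is trustworthy. What that rule actually computes is worth seeing in code, because two things the thread keeps running together are distinct in PGP: key *validity* (do we believe this key belongs to its named owner?) and *owner trust* (how much do we let this owner vouch for other keys?). The following is an added worked example written for this page, not code from the thread or from any PGP release. It models the classic PGP validity computation with the PGP 2.x defaults as parameters (one fully trusted introducer or two marginally trusted introducers make a key valid; certification chains are bounded at depth 4). The keyring, key IDs, trust settings and signatures are constructed for illustration.

```python
"""
Minimal model of the classic PGP web-of-trust validity computation.

Rules modelled (PGP 2.x defaults, exposed as parameters):
  * our own key is valid by definition (chain depth 0);
  * a key becomes valid when it carries certifications from at least
    completes_needed fully trusted introducers, or at least
    marginals_needed marginally trusted introducers;
  * a certification only counts if the introducer's own key is already
    valid and lies within max_depth of our key;
  * owner trust is a separate per-key setting: trusting a key as an
    introducer does not by itself make that key valid.
Everything in example_keyring() is constructed data, not a real keyring.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Owner-trust levels as recorded on the local keyring
UNKNOWN, NONE, MARGINAL, FULL = range(4)


@dataclass
class Key:
    keyid: str
    owner_trust: int = UNKNOWN
    signers: set[str] = field(default_factory=set)  # key IDs that certified this key


def compute_validity(keys: dict[str, Key], own_keyid: str,
                     marginals_needed: int = 2, completes_needed: int = 1,
                     max_depth: int = 4) -> dict[str, int]:
    """Return {keyid: chain depth} for every key considered valid."""
    valid = {own_keyid: 0}
    changed = True
    while changed:  # iterate to a fixpoint: validity propagates along certifications
        changed = False
        for key in keys.values():
            if key.keyid in valid:
                continue
            full_depths: list[int] = []
            marginal_depths: list[int] = []
            for signer in key.signers:
                if signer == key.keyid or signer not in valid or signer not in keys:
                    continue  # self-signatures and unvalidated introducers carry no weight
                depth = valid[signer]
                if depth >= max_depth:
                    continue  # the certification chain would exceed the allowed length
                trust = FULL if signer == own_keyid else keys[signer].owner_trust
                if trust == FULL:
                    full_depths.append(depth + 1)
                elif trust == MARGINAL:
                    marginal_depths.append(depth + 1)
            if len(full_depths) >= completes_needed:
                valid[key.keyid] = min(full_depths)
                changed = True
            elif len(marginal_depths) >= marginals_needed:
                valid[key.keyid] = min(marginal_depths)
                changed = True
    return valid


def example_keyring() -> dict[str, Key]:
    """Constructed keyring; 'A' is our own key."""
    ring = {
        "A": Key("A"),
        "B": Key("B", FULL, {"A"}),          # fully trusted introducer, certified by us
        "C": Key("C", MARGINAL, {"A"}),      # two marginally trusted introducers, certified by us
        "D": Key("D", MARGINAL, {"A"}),
        "E": Key("E", UNKNOWN, {"C", "D"}),  # two marginals agree -> valid
        "F": Key("F", UNKNOWN, {"C"}),       # one marginal only -> not valid
        "G": Key("G", UNKNOWN, {"B"}),       # one full introducer -> valid
        "H": Key("H", UNKNOWN, {"E"}),       # E is valid but not trusted as an introducer
        "X": Key("X", FULL, set()),          # trusted as introducer but never certified
        "Y": Key("Y", UNKNOWN, {"X"}),       # X's certification carries no weight
    }
    # A chain of fully trusted introducers one link longer than max_depth allows
    prev = "A"
    for i in range(1, 6):
        kid = f"L{i}"
        ring[kid] = Key(kid, FULL, {prev})
        prev = kid
    return ring


def is_valid(keyid: str, own_keyid: str = "A") -> bool:
    """Convenience check against the constructed keyring."""
    return keyid in compute_validity(example_keyring(), own_keyid)


if __name__ == "__main__":
    for kid, depth in sorted(compute_validity(example_keyring(), "A").items()):
        print(f"{kid}: valid at chain depth {depth}")
```

Running it shows the points the thread argues over in concrete form: E becomes valid only because two independently certified marginal introducers agree; F, with a single marginal certification, does not; H does not, even though the key that certified it (E) is itself valid, because validity of E says nothing about E's competence as an introducer; X, marked fully trusted but never certified, contributes nothing to Y; and L5 fails purely on chain length. The rule is a threshold over weighted certifications from keys we have already validated, not a poll of "n" arbitrary people.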