[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Why I Don't Use PGP...



The best way to integrate PGP into other software is a tough
question.  There are so many different ways in which people read
and send mail.

A lot of people receive their mail on some other machine, often
a multi-user machine.  So, the first question is, should the mail
be crypted there, or should it be crypted on your personal machine.
The second choice is preferable from the security point of view,
but that means that you need to download at least your PGP mail
in order to decrypt it, and it means you have to compose your
mail on your home machine before encrypting, uploading, and sending.

(Phil Zimmermann had an idea for multi-user systems in which the
RSA portion of the decryption, which involves your secret key, would
be done on your personal machine, then the decrypted session key
would be uploaded to the multi-user machine and the IDEA decryption
done on the message itself.  This way you only have to upload and
download a couple hundred bytes regardless of the length of the
message.  This would require PGP to be integrated into a terminal
program.)

If you _do_ download your mail before reading it, you could get in
the habit of downloading _all_ of your mail into a big file, then
running a word processor or some more specialized program to
read the messages, one at a time, and compose replies.  Then, when
you were done, you could upload and send the replies.

If you worked in this mode, which probably few people do, you could
integrate PGP by running it on the downloaded mail file before running
your WP to read it.  I have a Perl script which runs PGP on a file,
finding the PGP messages in it, decrypting them, and replacing them
_in_the_file_ with their decrypted versions.  (Normally PGP outputs
its decrypted contents to another file, which is a little inconvenient.)
This can make PGP pretty transparent for decryption if you actually
read your mail in this way.

Another possibility is to use a WP or mail reading program which has
a "filter" mode, one which lets you pass incoming or outgoing mail
through some program, and replace the mail with the results of that
program.  I don't know which programs can do this.  A lot of Unix
programs can, like VI and EMACS, but I don't know about PC's or other
home machines.  PGP has a filter mode which is designed to be used with
WP's which can do this.  There have been a couple of messages on
alt.security.pgp which have advice on using PGP with various Unix mail
reading programs.  Mark Riordan's soon-to-be-released RIPEM program
(an alternative, incompatible, RSA public-key program) has some ideas
in its manual on how to use its filter mode with Unix mail, which mostly
apply to PGP as well.

One other point: regarding a Mac port: There have been at least a couple
of messages on alt.security.pgp over the past couple of months from
people who have successfully compiled the PGP sources under Think C
on the Mac.  However, as a Unix/PC program, it ends up using a character
window for I/O, which you type into just like you would on a PC.
This is unacceptable for Macs, so nobody has released one of these.
Still, compared to what Tim has to do, it would be an improvement.  I
think people should release their executables which work like this as
an interim crutch version until the real Mac version is available.

Hal
[email protected]