From: Andrew Loewenstern <andrew_loewenstern@il.us.swissbank.com>
Date: Wed, 19 Jul 95 13:08:21 PDT
To: "Robert A. Hayden" <hayden@krypton.mankato.msus.edu>
Subject: Re: "Hey Phil! Stop telling people *not* to use PGP!" (plus: "help mewith my PGP problems!") (fwd)
Message-ID: <9507192005.AA00307@ch1d157nwk>
MIME-Version: 1.0
Content-Type: text/plain


Robert A. Hayden writes:
>  I said it last week, and I'll say it again.  From a sociological
>  standpoint, it's those 10,000,000 computer-illiterate e-mail users
>  that we need to focus all of our efforts towards.  Those 5,000
>  literate people we really don't have to care about.
[...snip...]
>  Imagine if some people with REAL writing ability worked on some
>  programs...
[...snip...]
>  I think the politics of PGP is stagnated at about two years ago or
>  so.  The demographics are no longer accepting to long technical
>  rants.  Today's generation of net.user doesn't need 100% security
>  100% of the time, what they need is "good" security when they want
>  it, but in a way that they don't have to think much about.

This has been hashed over on the list many, many times in the past.  I  
suspect there are competent programmers out there who want to write  
easy-to-use interfaces for PGP (I know at least one), but there are problems.  
 To write a good GUI interface (with proper key-management features) on  
Windows or Mac, for instance, you need to have access to PGP's internal  
crypto routines as well as the routines for reading and writing PGP messages  
and key certificates.  The problem is that the PGP 2 code does not have the  
internal 'core' routines separated from it's command-line interface.

The answers are to either shell out to PGP (which, AFAIK, is what every  
interface except MacPGP does), hack the PGP 2 code, or use PGPTools.

Shelling out to PGP isn't going to cut it for a slick GUI package, especially  
if you want to have a decent key-management interface.  You could do it, but  
it will be slow and kludgy and you will have to change it all when PGP 3  
comes out.

Hacking PGP would be a major effort.  Additionally, there is risk of  
introducing a subtle flaw in the crypto routines.  However, the main killer  
is that PGP 3 is going to have a brand new key-ring format along with many  
other enhancements, fixes, and other changes to the crypto code.  All of the  
work will have to be done again to bring the interface up to date when PGP 3  
is released, which could be within 6 months (who knows?).

PGPTools is buggy and not supported.  Any effort to bring PGPTools up to a  
stable level would likely be thrown away when PGP 3 is released.

The real solution is that PGP 3 will have all of it's core routines in a  
separate library with a stable API specifically for the purpose of writing  
slick interfaces.  So basically all of the would-be PGP interface developers  
are waiting for beta releases of the library.  Unfortunately, this has been  
the situation for almost two years now.  By now the PGP 2 code could have  
been completely turned into a library with a clean API and no command-line  
interface remnants, but developers have been discouraged by the promise of  
PGP 3 coming out 'RSN'...


andrew
...still waiting for pgp 3 news...