(All addresses except Cypherpunks elided.) On Sunday, March 31, 2002, at 09:08 AM, Adam Back wrote: > So I was trying to decrypt this stored mail sent to me by a GPG user, > and lo pgp6.x failed to decrypt it. > .... > So I try an older gpg I had installed, and it fails because it doesn't > .... > So I go fetch GPG from www.gnupg.org, but it still doesn't contain > ... > So then I try pgp5.x but the binary is using dynamic libraries that .... > So my last hope is pgp2.x, but some buggy pgp variant has left my > So, for now, give up. I guess it's cheaper to just send the original > author an email ask him if he remembers that idea he sent me 4 months > ago and have him send me it in clear text to be sure! > > What a nightmare! Try that sequence on a novice user and they give up > before they get past the first GPG faq with rant about algorithm > patents. > > We've really got to do something about the compatibility problems.
A good rant/summary about the current Tower of Babel situation. The beauty of the early days (perhaps two years) of early versions of PGP was that all versions basically interoperated well. Of course, people wanted more features, more integration with popular mail packages, more flexibility in choosing algorithms, and more compliance with the shifting sands of the patent world. Creeping feature-itus plus the perceived need to be "fully legal" added to the confusion. (The fact that PGP became a commercial product added in many ways to the chaos and babelization. Others can speak to the exact reasons for this, but I would offer these: NAI's requirement that algorithms and patents be free of entanglements, the proliferation of new versions without full backward compatibility, the on again/off again availability of inexpensive personal use versions, and the "diaspora" of developers once they departed NAI. Very ironic that one of the main "Down with RSADSI--RSA should be free!" chants of the early years of PGP had to do with RSA allegedly charging too much for products like MailSafe. Hence the irony of the new exorbitant pricing structure for what's left of PGP.) And so now PGP (or GPG) use is utterly balkanized, utterly useless. I used to think that most of the "Cypherpunks program" outlined in the first several meetings in 1992 was still unaccomplished, with only the most trivial of the building blocks available. Now not even those trivial building blocks are truly available, as Adam's rant so dramatically shows. Is there a solution? I would think that a "keep it simple, stupid" strategy is needed: Forget the hooks into popular mailers (Eudora, Outlook, Entourage), forget the "OS X versions of GPG," forget the Red Hat, Mandrake, SuSE, Windows XP, etc. versions. Just concentrate on a simple engine, using the cleanest C code possible. Use utterly standard I/O. (I never minded cutting an encrypted message to the clipboard--something now available in all systems, I believe--and then decrypting the clipboard contents, etc. This meant there didn't need to be "Eudora 3.1" and "Outlook Express 2.5" versions.) Drop the flexible palette of crypto algorithms. Get back to basics. And release programs which don't have to be compiled by users! Just some thoughts, from someone who no longer even tries to decrypt GPG or PGP or Bass-O-Matic messages sent to him. --Tim May "A complex system that works is invariably found to have evolved from a simple system that worked ...A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over, beginning with a working simple system." -- Grady Booch
