RE: NAI pulls out the DMCA stick

2002-05-28 Thread Peter Gutmann

[EMAIL PROTECTED] writes:
> On 27 May 2002 at 19:56, Peter Gutmann wrote:
> > [EMAIL PROTECTED] writes:
> > > My impression is that S/MIME sucks big ones, because it commits one
> > > to a certificate system based on verisign or equivalent.
> >
> > I'll say this one more time, slowly for those at the back: What you're
> > criticising is PEM circa 1991, not S/MIME.  Things have moved on a bit
> > since then.
>
> You need a certification authority.  Every one you deal with has to
> acknowledge whatever certification authority gave you your certificate.

[etc etc - standard description of original 10-year-old PEM certification
 model]

No, as I said before, what you're describing is PEM circa 1991, not S/MIME.  In
the S/MIME model, anyone can issue certs (just like PGP), including yourself.
In addition, many large CAs will issue certs in any name to anyone, so even if
you don't want to do your own keys a la PGP you can still get a Verisign cert
which behaves like a PGP key.

Rather than wasting all this bandwidth in a lets-bash-S/MIME-by-pretending-
it's-still-PEM debate (what is it with this irrational fear of S/MIME?), I'd be
more interested in a serious discussion on which key-handling model is less
ineffective, WoT or X.509-free-for-all.  At the moment both of them seem to
work by using personal/direct contact to exchange keys, with one side
pretending to be WoT-based (although no-one ever relies on this) and the other
pretending to be CA-based (although no-one ever relies on this [0]).  The end
result is that they're more or less the same thing, the only major
differentiating factor being that most X.509-using products don't allow you to
distribute your own certs the way PGP does.

Peter.

[0] With my earlier caveat about exceptions for government orgs who have been
instructed to rely on it, or else.




RE: NAI pulls out the DMCA stick

2002-05-27 Thread Peter Gutmann

[EMAIL PROTECTED] writes:

> My impression is that S/MIME sucks big ones, because it commits one to a
> certificate system based on verisign or equivalent.

I'll say this one more time, slowly for those at the back: What you're
criticising is PEM circa 1991, not S/MIME.  Things have moved on a bit since
then.

Peter.




RE: NAI pulls out the DMCA stick

2002-05-27 Thread Peter Gutmann

Curt Smith [EMAIL PROTECTED] writes:

> 1.  How do you create an X.509 signing hierarchy?

Grab whatever crypto software you feel most comfortable with that does X.509
and start cranking out certs.

> 2.  Can you add additional algorithms (i.e. Twofish)?

Certs are for public-key algorithms, so Twofish would never appear in there
(well, I guess you could certify a Twofish key, but I'm not sure what the point
would be).

> 3.  Is a relevant developer reference available for X.509?

You have to distinguish between the X.509 format and tools to use X.509.  I
assume you're after a manual for the tools, rather than RFC 3280, for the same
reason that most PGP users don't start by reading RFC 2440.  In that case,
refer to the docs for your crypto toolkit.

Peter.




Re: S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

2002-05-27 Thread Peter Gutmann

Eric Murray [EMAIL PROTECTED] writes:

> Additionally, there is nothing that prevents one from issuing certs that can
> be used to sign other certs.  Sure, there are key usage bits etc but it's
> possible to ignore them.  It should be possible to create a PGP style web of
> trust using X.509 certs, given an appropriate set of cert extensions.

I proposed some very simple additions to X.509 which would allow you to use the
certs in the same way as PGP keys a year or two back.  Unfortunately the PKIX
WG chair is about as open to PGP-style additions to X.509 as some PGP people
are towards S/MIME.

(You can also do PGP using X.509 certs, I've been doing that for awhile just
 out of sheer bloody-mindedness :-).

Peter.




RE: NAI pulls out the DMCA stick

2002-05-27 Thread jamesd

On 27 May 2002 at 19:56, Peter Gutmann wrote:

> [EMAIL PROTECTED] writes:
>
> > My impression is that S/MIME sucks big ones, because it commits one
> > to a certificate system based on verisign or equivalent.
>
> I'll say this one more time, slowly for those at the back: What you're
> criticising is PEM circa 1991, not S/MIME.  Things have moved on a bit
> since then.

You need a certification authority.  Every one you deal with has to
acknowledge whatever certification authority gave you your
certificate.   Interaction with big public certification authorities
is impractically painful for most users.  If you use S/MIME, you
need a Thawte or Verisign certificate, and the guy you are trying to
work with is never going to get a Thawte or Verisign certificate.





Re: NAI pulls out the DMCA stick

2002-05-25 Thread Jack Lloyd

On Fri, 24 May 2002, Eric Murray wrote:

> > 3.  Is a relevant developer reference available for X.509?
>
> X.509 is an ITU/T standard, which means, among other things, that
> they charge money for copies.  You can find copies on the net though.

Depending on how good your local library is, they may be able to get you a
copy on interlibrary loan. I managed to get ahold of a copy of X9.19 that
way.

If ITU works anything like the ABA, they'll charge you about $4/page to get
one of these from them (at least that's the rate X9.19 came to). PKCS and
other online sources seem your best bet for this by far.

-J




Re: S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

2002-05-25 Thread jamesd

--
Having been the verisign guy at a couple of companies, it appears
to me that the administrative costs of both models are
unacceptably high.

The hierarchical verisign model is useful when one wishes to
verify that something comes from a famous and well known name --
that this software really is issued by Flash, that this website
really does belong to the Bank of America.  In this case, however,
only famous and well known names need their keys from verisign.  
No one else needs one.

When one wishes to know one is really communicating with Bob, it
is best to use the same channels to verify this is Bob's key, as
one used to verify that Bob is the guy one wishes to talk to.  The
web of trust, and Verisign, merely get in the way. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 xkCkA0o8/Z61jfLQ1GxttqqvOUL5cRcKXhnoSRp2
 4530ol1PGEfGac3Gmk2JosCmoRLyj96HAEp0EUGLT




Re: S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

2002-05-25 Thread Adam Back

On Fri, May 24, 2002 at 04:40:36PM -0700, Eric Murray wrote:
> Additionally, there is nothing that prevents one from issuing certs
> that can be used to sign other certs.  Sure, there are key usage bits
> etc but it's possible to ignore them.

The S/MIME aware MUAs do not ignore the trust delegation bit.
Therefore you cannot usefully sign other certs with a user grade
certificate from verisign et al.  If you make your own CA key (with
the trust delegation bit set) and self-sign it, S/MIME aware MUAs will
also flag signatures made with it as invalid signatures because your
self-signed CA key is not signed by a CA in the default trusted CA
key database.

> It should be possible to create a PGP style web of trust using X.509
> certs, given an appropriate set of cert extensions.  If Peter can
> put a .gif of his cat in an X.509 cert there's no reason someone
> couldn't represent a web of trust in it.

While it is true that you can extend X.509v3 I don't see how useful it
would be to add a WoT extension until it got widely deployed.
Recipient MUAs will at best ignore your extensions, and worse will
fail on them until support for such an extension is deployed.  I view
the chances of such an extension getting deployed as close to nil.
The S/MIME MUA / PKI library / CA cartel has a financial incentive to
not deploy it -- as they view it as competition to the CAs' business.

Adam





RE: NAI pulls out the DMCA stick

2002-05-24 Thread contrary

On Fri, 24 May 2002 17:13:18 +1200 (NZST), Peter Gutmann
[EMAIL PROTECTED] said:
> contrary [EMAIL PROTECTED] writes:
>
> > As long as you obtain your S/MIME certificate from an approved CA, using an
> > approved payment method and appropriate identification.
>
> The only CA-issued certs I've ever used were free, and under a bogus name.
> Usually I just issue my own.  You really need to find a better strawman than
> this if you want to criticise S/MIME.
>
> Peter.

OK, likewise.  But I guess my point (if I had one) is that regardless
of technical, usage, privacy and trust issues there is also one of
linkage between a nym and meatspace.
With pgp, it's easy to generate a new keypair, label or sign it any way
I care to, and exchange and use it for a single interaction.
Relatively easy.  (Joe Sixpack-'O-Bass-Ale)
S/MIME certificates (by which I may just mean commercial CA's) seem
mostly directed at strong authentication for commerce, and lean heavily
toward linking to a credit card, driver's license number, or
credential.
This is a Good Thing for cryptography and for commerce, but not for
'nymity.  Also not for undeclared privacy, which is privacy that
occurs below the attention threshold and without the permission of the
censors.
 


-- 
  contrary
  [EMAIL PROTECTED]

-- 
Access all of your messages and folders wherever you are! 
http://fastmail.fm - Get your mail using the web or your email software




RE: NAI pulls out the DMCA stick

2002-05-24 Thread jamesd

--
On 23 May 2002 at 0:24, Lucky Green wrote:
> Tell me about it. PGP, GPG, and all its variants need to die
> before S/MIME will be able to break into the Open Source
> community, thus removing the last, but persistent, block to an
> instant increase in number of potential users of secure email by
> several orders of magnitude.

My impression is that S/MIME sucks big ones, because it commits
one to a certificate system based on verisign or equivalent.

I have been the verisign administrator at several companies, and
there is no way that bird will fly.  The verisign system is just
barely tolerable for identifying authorized web sites and
software.  For identifying individuals, forget it.


--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 CXACCdVytBDJ5TDVZ2+IV9xP4c3QRpRxP+JoLBdL
 4w44ULlzkb4jKH9nuzpy/Mlxl8CctM+OYZoZEhO8H




Re: why OpenPGP is preferable to S/MIME (Re: NAI pulls out the DMCA stick)

2002-05-24 Thread jamesd

--
On 23 May 2002 at 21:58, Adam Back wrote:
> This won't achieve the desired effect because it will just
> destroy the S/MIME trust mechanism.  S/MIME is based on the
> assumption that all CAs are trustworthy.  Anyone can forge any
> identity for clients with that key installed.  S/MIME isn't
> really compatible with the web of trust because of the
> two tier trust system -- all CAs are assumed trustworthy and all
> users are not able to sign anything.

Or to say the same thing in slightly different words, all CAs are
perfectly and equally trustworthy, and all users are
untrustworthy.

This system is inherently authoritarian.  Because that authority
must be restricted for it to be useful, it is inherently a pain in
the ass to administer, with inherently high administrative costs.
Like socialism, S/MIME results in bureaucracy, delay, expense, and
inefficiency.

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 USL5cv1ggEyWtLV5o70QlHagEAxDOVzR+aGoGJyG
 4r/H3bXgCwZ3aRF4U6H7Adat9jD9PjCxb1FPSgQpk




RE: NAI pulls out the DMCA stick

2002-05-24 Thread Curt Smith

While we are on the subject of issuing your own X.509
certificates:

1.  How do you create an X.509 signing hierarchy?

2.  Can you add additional algorithms (i.e. Twofish)?

3.  Is a relevant developer reference available for X.509?


--- Peter Gutmann [EMAIL PROTECTED] wrote:
> ...
> So issue your own.  Honestly, why would anyone want to *pay*
> some random CA for this?
> ...


=
end
LAUNCH - Your Yahoo! Music Experience
http://launch.yahoo.com




Re: NAI pulls out the DMCA stick

2002-05-24 Thread Dave Howe

> 1.  How do you create an X.509 signing hierarchy?
by issuing other people's keys with a subordinate CA certificate?




Re: NAI pulls out the DMCA stick

2002-05-24 Thread Werner Koch

On Thu, 23 May 2002 10:34:22 -0400, Adam Shostack said:

> Is there any Open source implementation of the protocol?

Well, there is a Free Software implementation called NewPG which
provides a backend called gpgsm - very similar to gpg.  It is
currently under development but we already exchanged encrypted
messages with proprietary implementations.  This backend will
eventually be included with gpg.  It does not yet work for Windows but
making it work won't be very difficult.

Like gpg, gpgsm does not handle the MIME encapsulation because this is
something a MUA can handle much better.  We have support for KMail and
Mutt in the works and adding it to Sylpheed will be easy.  See:
http://www.gnupg.org/aegypten/

I don't suggest using S/MIME; however in some domains (law conforming
digital signatures) there is currently no alternative for it.


Salam-Shalom,

   Werner




RE: NAI pulls out the DMCA stick

2002-05-24 Thread Peter Gutmann

contrary [EMAIL PROTECTED] writes:

> As long as you obtain your S/MIME certificate from an approved CA, using an
> approved payment method and appropriate identification.

The only CA-issued certs I've ever used were free, and under a bogus name.
Usually I just issue my own.  You really need to find a better strawman than
this if you want to criticise S/MIME.

Peter.




RE: NAI pulls out the DMCA stick

2002-05-24 Thread Peter Gutmann

Curt Smith [EMAIL PROTECTED] writes:

> Certificate Authorities issue certificates complete with CA imposed expiration
> dates and usage limitations. (I prefer independent systems with unrestricted
> certificates)

So issue your own.  Honestly, why would anyone want to *pay* some random CA for
this?

> Certificate Authorities match individuals to keys (Thanks, but no thanks)

And PGP doesn't?  Anyway, X.509 certs can be as anonymous as PGP keys.

> Certificate Authorities can revoke certificates at any time (CA-driven DOS
> attack)

Most implementations ignore revocation, and in any case it's not an issue if
you issue your own.

Peter.




Re: NAI pulls out the DMCA stick

2002-05-24 Thread Eric Murray

On Fri, May 24, 2002 at 12:07:48PM -0700, Curt Smith wrote:
> While we are on the subject of issuing your own X.509
> certificates:
>
> 1.  How do you create an X.509 signing hierarchy?

Do a web search on "openssl certificate authority".

> 2.  Can you add additional algorithms (i.e. Twofish)?

Yes, if the libraries you use support them.
Note that twofish, being a symmetric algorithm, would
not be used in certificates.  Public key and hashes only.

> 3.  Is a relevant developer reference available for X.509?

X.509 is an ITU/T standard, which means, among other things, that
they charge money for copies.  You can find copies on the net though.
Being ITU/T also means that the standard is written in a format and
style that is designed to be as incomprehensible as possible.  This keeps
the professional meeting-goers who write these things from having to
search for honest work.  The documents get progressively less
understandable over time, so it's best to start with the 1988 version.
PKCS#6 explains X.509 as well and is easier to understand.

Peter Gutmann's X.509 Style Guide is quite comprehensible and
also pretty funny after you have spent time trying to decipher
X.509 or any other X.whatever standard.
Peter also has a neat utility called dumpasn1 which you will
want if you start diddling X.509 certs.

Openssl is probably the most common library for doing cert
stuff these days.  Unfortunately the docs for Openssl are pretty
much non-existent and the ASN.1 code is particularly difficult
to understand.


Eric




S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

2002-05-24 Thread Eric Murray

On Fri, May 24, 2002 at 11:17:08AM -0700, [EMAIL PROTECTED] wrote:
> --
> On 23 May 2002 at 0:24, Lucky Green wrote:
> > Tell me about it. PGP, GPG, and all its variants need to die
> > before S/MIME will be able to break into the Open Source
> > community, thus removing the last, but persistent, block to an
> > instant increase in number of potential users of secure email by
> > several orders of magnitude.
>
> My impression is that S/MIME sucks big ones, because it commits
> one to a certificate system based on verisign or equivalent.

It uses X.509, which is supposed to be a hierarchical certificate system.
Verisign is just the dominant X.509 CA.

But as others have pointed out, it's possible to become one's own X.509
CA and issue oneself certs.  Netscape and IE browsers will accept certs
from completely made up CAs.  You might have to click on a few "do you
really want to do this" dialog boxes but that's it.  All you need is a
copy of Openssl and directions off a web site.

Additionally, there is nothing that prevents one from issuing certs
that can be used to sign other certs.  Sure, there are key usage bits
etc but it's possible to ignore them.  It should be possible to create
a PGP style web of trust using X.509 certs, given an appropriate set of
cert extensions.  If Peter can put a .gif of his cat in an X.509 cert
there's no reason someone couldn't represent a web of trust in it.

Each user would self-sign their cert.  Or self-sign a CA cert and
use that to sign a cert, same thing.  Trust would be indicated
by (signed) cert extensions that indicate "I trust Joe Blow X amount as
a signer of keys".  Each time you added a trust extension you would
generate a new cert using the same key.  Each trust extension would
indicate the entity, their key id (hash of public key), and the degree of
trust.  When you added a trust extension you'd give a copy of the new
cert to the entity you just added.  They can then append these
certs onto their cert when they authenticate to someone.

When authenticating, you verify the other guy's cert, something he signed
with his private key, then all the other people's certs that he sends
in addition to his own, all of which attest to his trustworthiness.
Ideally, you also trust some of the same people, so you now have their
signed statements attesting to a degree of trust in the new guy.
[note, there's probably a conceptual flaw in this since I'm loopy from
allergy drugs today and probably not thinking as clearly as I think I
am, so be polite when you point out my error.  In any case, the point
is that it's possible to do a web of trust in x.509, not that I have a
fully formed scheme for implementing it]

Since all this is in X.509, S/MIME MTAs accept it (unless they are
programmed to not accept self-signed CAs, in which case your MTA is a
slave to Verisign et al.).  You'd need an external program to verify the
web of trust, but that's about it.  And to be honest, exactly zero of the
PGP exchanges I have had have actually used the web of trust to really
verify a PGP key.  I've only done it in testing.  In the real world,
I either verify out of band (i.e. over the phone) or don't bother if
the other party is too clueless to understand what I want to do and getting
them to do PGP at all has already exhausted my patience.


But why bother?

Even if I could do this X.509 web of trust tomorrow, no one besides a
few crypto-geeks would use it.  People just don't give a shit about other
people reading their email.  Most people can't even be bothered to use
a decent password or shred their credit-card statements.  Only criminals
have anything to hide, right?


--
Eric
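
Added example of the scheme sketched in this message, written for this page
with Go's standard library only; it is not Eric's code and not something anyone
in the thread shipped. Each user self-signs a cert; trust is carried in a
private extension listing (entity, key id as a hash of the public key, degree);
adding an attestation re-issues the cert under the same key, and the re-issued
cert is what you hand to the person you vouched for; the verifier checks the
presented cert and each vouching cert, then counts only the vouchers it already
trusts. Assumptions: the OID 1.3.6.1.4.1.99999.1 is a placeholder, the
1 = marginal / 2 = full scale and the "score >= 2" acceptance policy are made
up (PGP-like, one full or two marginal introducers), all attestations sit in a
single extension as a SEQUENCE OF because RFC 5280 forbids duplicate extension
OIDs, Carol's own trust is kept as a local map rather than in a cert, and the
step where the peer also signs a nonce with his private key is left out. The
Mallory case shows why the attestation must carry a key id rather than a name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidAttest = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // placeholder OID, not registered

// Attestation: "I trust the holder of KeyID (known to me as Entity) to Degree as an
// introducer"; 1 = marginal, 2 = full (a made-up scale).
type Attestation struct {
	Entity string `asn1:"utf8"`
	KeyID  []byte // SHA-256 of the SubjectPublicKeyInfo, so it survives re-issued certs
	Degree int
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func keyID(c *x509.Certificate) []byte {
	h := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return h[:]
}
func selfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// attestations parses the extension out of c (empty if absent or malformed).
func attestations(c *x509.Certificate) (list []Attestation) {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidAttest) {
			asn1.Unmarshal(e.Value, &list) // list is left empty on a malformed value
		}
	}
	return list
}

// selfSign issues a self-signed cert for key carrying list in one extension as a
// SEQUENCE OF (RFC 5280 forbids duplicate extension OIDs, so not one per entry).
func selfSign(name string, key *ecdsa.PrivateKey, list []Attestation) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(int64(len(list) + 1)), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidAttest, Value: must(asn1.Marshal(list))}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// vouch re-issues cur under the same key with one more attestation; the result is
// the copy the message says you hand to the entity you just vouched for.
func vouch(cur *x509.Certificate, key *ecdsa.PrivateKey, other *x509.Certificate, degree int) *x509.Certificate {
	list := append(attestations(cur), Attestation{other.Subject.CommonName, keyID(other), degree})
	return selfSign(cur.Subject.CommonName, key, list)
}

// Evaluate is the verifier's side; trust is its own key ID -> degree map, so vouchers
// count by key, never by the name their cert claims. Policy (made up, PGP-like):
// score >= 2, i.e. one fully or two marginally trusted introducers vouch for peer.
func Evaluate(peer *x509.Certificate, trust map[string]int, vouchers ...*x509.Certificate) (names []string, ok bool) {
	if !selfSigned(peer) {
		return nil, false
	}
	score := 0
	for _, v := range vouchers {
		d := trust[string(keyID(v))]
		for _, a := range attestations(v) {
			if d > 0 && selfSigned(v) && string(a.KeyID) == string(keyID(peer)) && a.Degree > 0 {
				score, names = score+d, append(names, v.Subject.CommonName)
				break
			}
		}
	}
	return names, score >= 2
}

// Scenario: Alice (full) and Dave (marginal) vouch for Bob; Carol trusts Alice fully
// and Dave marginally but has never met Bob. A self-signed cert merely claiming the
// name "alice" must not help Mallory.
func Scenario() (introducers []string, bobOK, malloryOK bool) {
	aliceKey, bobKey, daveKey := newKey(), newKey(), newKey()
	alice, bob, dave := selfSign("alice", aliceKey, nil), selfSign("bob", bobKey, nil), selfSign("dave", daveKey, nil)
	carolTrust := map[string]int{string(keyID(alice)): 2, string(keyID(dave)): 1}
	introducers, bobOK = Evaluate(bob, carolTrust, vouch(alice, aliceKey, bob, 2), vouch(dave, daveKey, bob, 1))
	mallory, fakeKey := selfSign("mallory", newKey(), nil), newKey()
	_, malloryOK = Evaluate(mallory, carolTrust, vouch(selfSign("alice", fakeKey, nil), fakeKey, mallory, 2))
	return introducers, bobOK, malloryOK
}
```

Scenario returns (["alice", "dave"], true, false). Two details carry the
security of the scheme: vouchers are matched by the hash of their public key,
which is why Mallory's self-signed "alice" cert counts for nothing, and every
vouching cert's self-signature is checked before its extension is read, so an
attestation list cannot be edited inside a cert by anyone but its key holder.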




Re: NAI pulls out the DMCA stick

2002-05-23 Thread D.Popkin

-----BEGIN PGP SIGNED MESSAGE-----

Lucky Green [EMAIL PROTECTED] writes:

 PGP, GPG, and all its variants need to die before S/MIME will be
 able to break into the Open Source community, thus removing the
 last, but persistent, block to an instant increase in number of
 potential users of secure email by several orders of magnitude.

Your confidence in this is not universally shared.  Can you please
make the case again?  Pointers would be fine.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQBVAwUBPOzSFfPsjZpmLV0BAQHFeQH/btnBBUdbfdpt1+rJ/d8Q7LhdPylsl+aM
AxwJL5cy7645npVdPlIczUc7FkyhcVSe3/WI5D3MR4j8GW4NyDtXWw==
=qxZa
-----END PGP SIGNATURE-----




Re: NAI pulls out the DMCA stick

2002-05-23 Thread Adam Shostack

On Thu, May 23, 2002 at 12:24:00AM -0700, Lucky Green wrote:
| Adam wrote:
| > Which is too bad.  If NAI-PGP went away completely, then
| > compatibility problems would be reduced.  I also expect that
| > the German government group currently funding GPG would be
| > more willing to fund UI work for windows.
|
| Tell me about it. PGP, GPG, and all its variants need to die before
| S/MIME will be able to break into the Open Source community, thus
| removing the last, but persistent, block to an instant increase in
| number of potential users of secure email by several orders of
| magnitude.

Are you claiming that S/mime no longer has the enormous compatibility
problems it used to have?

Is there any Open source implementation of the protocol?

Adam

-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume




Re: NAI pulls out the DMCA stick

2002-05-23 Thread Marshall Clow

At 10:34 AM -0400 5/23/02, Adam Shostack wrote:
> On Thu, May 23, 2002 at 12:24:00AM -0700, Lucky Green wrote:
> | Adam wrote:
> | > Which is too bad.  If NAI-PGP went away completely, then
> | > compatibility problems would be reduced.  I also expect that
> | > the German government group currently funding GPG would be
> | > more willing to fund UI work for windows.
> |
> | Tell me about it. PGP, GPG, and all its variants need to die before
> | S/MIME will be able to break into the Open Source community, thus
> | removing the last, but persistent, block to an instant increase in
> | number of potential users of secure email by several orders of
> | magnitude.
>
> Are you claiming that S/mime no longer has the enormous compatibility
> problems it used to have?
>
> Is there any Open source implementation of the protocol?

Try http://www.imc.org/imc-sfl/index.html.
For some definitions of open source, it qualifies.
-- 
-- Marshall

Marshall Clow Idio Software   mailto:[EMAIL PROTECTED]
My name is Bobba Fett. You killed my father, prepare to die!




RE: NAI pulls out the DMCA stick

2002-05-23 Thread contrary

Greetings,

On Thu, 23 May 2002 00:24:00 -0700, Lucky Green
[EMAIL PROTECTED] said:
> Adam wrote:
> > Which is too bad.  If NAI-PGP went away completely, then
> > compatibility problems would be reduced.  I also expect that
> > the German government group currently funding GPG would be
> > more willing to fund UI work for windows.
>
> Tell me about it. PGP, GPG, and all its variants need to die before
> S/MIME will be able to break into the Open Source community, thus
> removing the last, but persistent, block to an instant increase in
> number of potential users of secure email by several orders of
> magnitude.

As long as you obtain your S/MIME certificate from an approved CA,
using an approved payment method and appropriate identification.

IIRC Thawte has a procedure for authenticating their free certificates
by proxy:  A Thawte certificate holder certifies that s/he has seen the
credentials of some other certificate holder, in absence of a physical
Bank or Notary Public.  Both the certifier and certified gain points by
this validation process.  

 Here's to hoping,
 --Lucky

Indeed.  -=c=-
-- 
  contrary
  [EMAIL PROTECTED]





RE: NAI pulls out the DMCA stick

2002-05-23 Thread Curt Smith

Although I also hope for widespread e-mail encryption, I feel
that S/MIME introduces more problems than it resolves.

Certificate Authorities issue certificates complete with CA
imposed expiration dates and usage limitations.
(I prefer independent systems with unrestricted certificates)

Certificate Authorities match individuals to keys
(Thanks, but no thanks)

Certificate Authorities can revoke certificates at anytime
(CA-driven DOS attack)

These are in addition to compatibility and security issues.


--- Lucky Green [EMAIL PROTECTED] wrote:
 Adam wrote:
 Which is too bad.  If NAI-PGP went away completely, then
 compatibility problems would be reduced.  I also expect
 that the German government group currently funding GPG would
 be more willing to fund UI work for Windows.
 
 Tell me about it. PGP, GPG, and all its variants need to die
 before S/MIME will be able to break into the Open Source 
 community, thus removing the last, but persistent, block to 
 an instant increase in number of potential users of secure 
 email by several orders of magnitude.
 
 Here's to hoping,
 --Lucky

PS. end used to truncate postings, eliminating attached spam -
does anyone know how to do this these days?

end

=
end




why OpenPGP is preferable to S/MIME (Re: NAI pulls out the DMCA stick)

2002-05-23 Thread Adam Back

Certificate authorities also can forge certificates and issue
certificates in fake names if asked by government agencies.  S/MIME is
too much under central control by design to be a sensible choice for
general individual use.

The central control is doubtless primarily motivated by the hopes of
turning a profit selling certificates to allow people to exchange
secure email etc.

OpenPGP's WoT provides a superset of S/MIME's hierarchically
controlled answer to identification and trust -- you can still have
CAs with OpenPGP, plus you can cross check and peer-to-peer certify
people you wish to interact with and so not need to trust some
untrustworthy and generally incompetent organisation.  (Verisign for
example issued someone a Microsoft code signing cert).

Adam

On Thu, May 23, 2002 at 09:46:34AM -0700, Curt Smith wrote:
 Although I also hope for widespread e-mail encryption, I feel
 that S/MIME introduces more problems than it resolves.
 
 Certificate Authorities issue certificates complete with CA
 imposed expiration dates and usage limitations.
 (I prefer independent systems with unrestricted certificates)
 
 Certificate Authorities match individuals to keys
 (Thanks, but no thanks)
 
 Certificate Authorities can revoke certificates at anytime
 (CA-driven DOS attack)
 
 These are in addition to compatibility and security issues.




Re: why OpenPGP is preferable to S/MIME (Re: NAI pulls out the DMCA stick)

2002-05-23 Thread Adam Shostack

On Thu, May 23, 2002 at 07:10:01PM +0100, Adam Back wrote:
| Certificate authorities also can forge certificates and issue
| certificates in fake names if asked by government agencies.  S/MIME is
| too much under central control by design to be a sensible choice for
| general individual use.

So what if we create the Cypherpunks Root CA, which (either) signs
what you submit to it via a web page, or publish the secret key?

We then get the Cypherpunks Root CA key added to the browsers--it
can't be that hard, the US postal service managed it...

Adam


-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume




Re: why OpenPGP is preferable to S/MIME (Re: NAI pulls out the DMCA stick)

2002-05-23 Thread Meyer Wolfsheim

On Thu, 23 May 2002, Adam Back wrote:

 On Thu, May 23, 2002 at 03:05:49PM -0400, Adam Shostack wrote:
  So what if we create the Cypherpunks Root CA, which (either) signs
  what you submit to it via a web page, or publish the secret key?

 This won't achieve the desired effect because it will just destroy the
 S/MIME trust mechanism.  S/MIME is based on the assumption that all
 CAs are trustworthy.

Which is, of course, a major flaw.

S/MIME is of some value for internal corporate email for companies who can
run their own CA. (The sort of people who used to be Xcert's customers.)

S/MIME is of very little value outside of a closed intranet environment,
for the simple reason that public CAs are mostly incompetent,
untrustworthy, or both.


-MW-




RE: NAI pulls out the DMCA stick

2002-05-23 Thread Peter Gutmann

Curt Smith [EMAIL PROTECTED] writes:

Certificate Authorities issue certificates complete with CA imposed expiration
dates and usage limitations. (I prefer independent systems with unrestricted
certificates)

So issue your own.  Honestly, why would anyone want to *pay* some random CA for
this?

Certificate Authorities match individuals to keys (Thanks, but no thanks)

And PGP doesn't?  Anyway, X.509 certs can be as anonymous as PGP keys.

Certificate Authorities can revoke certificates at anytime (CA-driven DOS
attack)

Most implementations ignore revocation, and in any case it's not an issue if
you issue your own.

Peter.
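Worked example, added here and not written by anyone in this thread: the two claims above carried out with the openssl command line. First, Peter Gutmann's "so issue your own": a self-issued X.509 certificate for S/MIME, with the subject, validity period and everything else chosen by its owner, trusted by a correspondent only after its fingerprint has been checked out of band, the way a PGP key is. Second, Adam Back's point (quoted by Meyer Wolfsheim) that S/MIME assumes every CA is trustworthy, shown with the sign-anything "Cypherpunks Root CA" Adam Shostack proposed: whoever installs such a root trusts every name it has ever signed. Assumptions: OpenSSL 1.1.1 or later (for `req -addext`) with its default openssl.cnf; the names alice and mallory, the example.org addresses, the root's subject string, the message texts and the helper function names are all made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI,
# OpenSSL 1.1.1 or later. All names, addresses and messages are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# "Issue your own": a self-issued cert for a pseudonym. No CA involved; the
# validity period (3650 days here) is the issuer's choice. Prints the SHA-256
# fingerprint, which is what you hand to a correspondent out of band.
issue_self_cert() {
  name="$1" email="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    -subj "/CN=$name/emailAddress=$email" \
    -addext "extendedKeyUsage=emailProtection" \
    -addext "subjectAltName=email:$email" >/dev/null 2>&1
  openssl x509 -in "$WORK/$name.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Sign a message with the cert and key stored under prefix $1; print the
# path of the resulting S/MIME message (signer cert is embedded in it).
sign_message() {
  name="$1" text="$2"
  printf '%s\n' "$text" > "$WORK/$name.msg"
  openssl smime -sign -in "$WORK/$name.msg" -signer "$WORK/$name.crt" \
    -inkey "$WORK/$name.key" -out "$WORK/$name.p7m" 2>/dev/null
  printf '%s\n' "$WORK/$name.p7m"
}

# Verify a signed message against exactly one trust file (a self-issued cert
# obtained directly, or a root). Prints "trusted" or "untrusted".
verify_against() {
  if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1; then
    printf 'trusted\n'
  else
    printf 'untrusted\n'
  fi
}

# Expiry of a cert you issued yourself: your choice, not a CA-imposed one.
cert_expiry() {
  openssl x509 -in "$WORK/$1.crt" -noout -enddate | cut -d= -f2
}

# A root CA that will sign whatever it is asked to (made-up name).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# The root issues requester $1 a cert for ANY claimed address $2. No identity
# check at all: the requester simply writes the address into the CSR.
root_issue() {
  name="$1" claimed="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$claimed/emailAddress=$claimed" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

demo() {
  echo "alice fingerprint (exchange out of band): $(issue_self_cert alice alice@example.org)"
  echo "alice's cert expires: $(cert_expiry alice)"
  real=$(sign_message alice "meet at the usual place")
  echo "alice's message, trusting alice's cert:   $(verify_against "$real" "$WORK/alice.crt")"

  make_root "Cypherpunks Root CA"
  root_issue mallory alice@example.org       # mallory asks for alice's address
  fake=$(sign_message mallory "send the money to mallory instead")
  echo "mallory's message, trusting alice's cert: $(verify_against "$fake" "$WORK/alice.crt")"
  echo "mallory's message, trusting the root:     $(verify_against "$fake" "$WORK/root.crt")"
  echo "alice's message, trusting the root:       $(verify_against "$real" "$WORK/root.crt")"
}

demo
```

The four verify lines are the point. Someone who holds alice's self-issued cert (checked by fingerprint) accepts her message and rejects mallory's, even though mallory's cert carries alice's address: there is no issuer in that trust file that vouches for it. Someone who instead installed the sign-anything root accepts mallory's forgery and rejects alice's genuine self-issued message, and since the root is trusted for every name it signs, that person is now at the mercy of whatever else the root chooses to certify. Expiry and revocation in the self-issued case are whatever the two correspondents arrange between themselves, because no third party holds the issuing key.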




Re: NAI pulls out the DMCA stick

2002-05-23 Thread D.Popkin

-BEGIN PGP SIGNED MESSAGE-

Lucky Green [EMAIL PROTECTED] writes:

 PGP, GPG, and all its variants need to die before S/MIME will be
 able to break into the Open Source community, thus removing the
 last, but persistent, block to an instant increase in number of
 potential users of secure email by several orders of magnitude.

Your confidence in this is not universally shared.  Can you please
make the case again?  Pointers would be fine.

-BEGIN PGP SIGNATURE-
Version: 2.6.3ia
Charset: noconv

iQBVAwUBPOzSFfPsjZpmLV0BAQHFeQH/btnBBUdbfdpt1+rJ/d8Q7LhdPylsl+aM
AxwJL5cy7645npVdPlIczUc7FkyhcVSe3/WI5D3MR4j8GW4NyDtXWw==
=qxZa
-END PGP SIGNATURE-




Re: NAI pulls out the DMCA stick

2002-05-23 Thread Bill Stewart

At 12:43 AM 05/22/2002 -0400, R. A. Hettinga wrote:
At 11:49 PM -0400 on 5/21/02, Luis Villa wrote, on FoRK:
  Well, yes, but you seem to be implying some sinister motive that
  not all of us are reading between the lines clearly enough to see
  :) I mean, otherwise, this just seems like a fairly garden-variety
  silly use of the DMCA by a large software company. What am I
  missing?

Not much.

-BEGIN PGP UNSIGNED MESSAGE

NAI is trying to sell off the remains of PGP Inc., and rather than try to
get money for a twisted empty shell of a dot-com-era software company,
they're probably hoping to have a less-empty shell by maximizing the
remaining value of their intellectual property.
So yes, it's in Bob's second category of history. :-)
-BEGIN PGP UNSIGNED MESSAGE




RE: NAI pulls out the DMCA stick

2002-05-23 Thread Lucky Green

Adam wrote:
 Which is too bad.  If NAI-PGP went away completely, then
 compatibility problems would be reduced.  I also expect that
 the German government group currently funding GPG would be
 more willing to fund UI work for Windows.

Tell me about it. PGP, GPG, and all its variants need to die before
S/MIME will be able to break into the Open Source community, thus
removing the last, but persistent, block to an instant increase in
number of potential users of secure email by several orders of
magnitude.

Here's to hoping,
--Lucky




Re: NAI pulls out the DMCA stick

2002-05-23 Thread Adam Shostack

On Thu, May 23, 2002 at 12:24:00AM -0700, Lucky Green wrote:
| Adam wrote:
|  Which is too bad.  If NAI-PGP went away completely, then
|  compatibility problems would be reduced.  I also expect that
|  the German government group currently funding GPG would be
|  more willing to fund UI work for Windows.
| 
| Tell me about it. PGP, GPG, and all its variants need to die before
| S/MIME will be able to break into the Open Source community, thus
| removing the last, but persistent, block to an instant increase in
| number of potential users of secure email by several orders of
| magnitude.

Are you claiming that S/MIME no longer has the enormous compatibility
problems it used to have?

Is there any Open source implementation of the protocol?

Adam

-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume




Re: NAI pulls out the DMCA stick

2002-05-22 Thread Steve Schear

At 03:03 PM 5/21/2002 -0700, Meyer Wolfsheim wrote:
NAI is now taking steps to remove the remaining copies of PGP from the
Internet, not long after announcing that the company will not release its
fully completed Mac OS X and Windows XP versions, and will no longer sell
any copies of its PGP software.

Wonder if this will affect pgpi.com?

steve




RE: NAI pulls out the DMCA stick

2002-05-22 Thread Curt Smith

Perhaps there is a conflict of interest issue as well?

NAI Labs is comprised of more than 100 dedicated scientific
and academic professionals in four locations in the United
States, and is entirely funded by government agencies such as:
the Department of Defense's (DoD) Defense Advanced Research
Projects Agency (DARPA), the National Security Agency (NSA),
and the United States Army. 
From  http://www.nai.com/naicommon/aboutnai/aboutnai.asp

--- Lucky Green [EMAIL PROTECTED] wrote:
...
 LOL. Nothing new here. NAI has been dutifully sending
 cease-and-desist letters to the well-known PGP mirror site 
 for years. The mirror sites just as dutifully have tossed 
 said notices into the trash can upon receipt. This has been 
 going on for over 5 years.
 
...
 --Lucky




Re: NAI pulls out the DMCA stick

2002-05-22 Thread Curt Smith

Disk encryption can always be augmented by physical security,
however communication encryption is dependent on available 
encryption tools and legal rights.  If quality tools are not 
available, then individuals and businesses will not use them. 
As long as communication encryption is not widespread, crypto
rights will be vulnerable to attack as a special interest issue
vs. public safety.  Of course privacy and other pillars of
democracy seem to be special interest issues as well.

--- [EMAIL PROTECTED] wrote:
 --
 On 21 May 2002 at 15:03, Meyer Wolfsheim wrote:
 NAI is now taking steps to remove the remaining copies of
 PGP from the Internet, not long after announcing that the
 company will not release its fully completed Mac OS X and 
 Windows XP versions?
 
 Not a problem -- we have too many communication encryption
 programs already.  Still a bit weak on disk encryption
 programs, and of course, we have no transaction software.
 
 We may suspect that someone is leaning on the big boys not to
 provide encryption to the masses, but if so, it is a bit
 late.
 
 
 --digsig
  James A. Donald
  6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
  X6j99VDvTvGmFGh1D3CQg9dK9SHeYpD48/ZPZgHz
  4BH3f/B8/u/XrQuUz6UmSd7Vb0Xyl7FKwywwFfFdN


=
End.




Re: NAI pulls out the DMCA stick

2002-05-22 Thread Adam Shostack

On Wed, May 22, 2002 at 01:00:54AM -0700, Lucky Green wrote:

| Most likely, this Peter Beruk is new at his job, has not yet figured out
| that C-level management at NAI wants copies of PGP floating about the
| Net, but needs to of course protect their trademarks and copyrights by
| dutifully sending letters which then in turn will be ignored. So while
| this Beruk guy is supposed to send out those letters, he isn't actually
| supposed to do anything that takes down the sites. Again, I suspect he
| is just new at his job. He'll figure it out in due time.

Which is too bad.  If NAI-PGP went away completely, then compatibility
problems would be reduced.  I also expect that the German government
group currently funding GPG would be more willing to fund UI work for
Windows.

Adam


-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume




RE: NAI pulls out the DMCA stick

2002-05-22 Thread Lucky Green

Meyer Wolfsheim wrote: 
 NAI is now taking steps to remove the remaining copies of PGP 
 from the Internet, not long after announcing that the company 
 will not release its fully completed Mac OS X and Windows XP 
 versions, and will no longer sell any copies of its PGP software.
 
 Do we still believe this was a pure cost-cutting measure?
 
 
 From: http://crypto.radiusnet.net/archive/pgp/index.html
 
 
 
 Date: Thu, 9 May 2002 13:01:40 -0500
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: Network Associates, Inc. DMCA Notice
 
 DMCA NOTICE OF INFRINGING MATERIAL

LOL. Nothing new here. NAI has been dutifully sending cease-and-desist
letters to the well-known PGP mirror site for years. The mirror sites
just as dutifully have tossed said notices into the trash can upon
receipt. This has been going on for over 5 years.

Most likely, this Peter Beruk is new at his job, has not yet figured out
that C-level management at NAI wants copies of PGP floating about the
Net, but needs to of course protect their trademarks and copyrights by
dutifully sending letters which then in turn will be ignored. So while
this Beruk guy is supposed to send out those letters, he isn't actually
supposed to do anything that takes down the sites. Again, I suspect he
is just new at his job. He'll figure it out in due time.

--Lucky




Re: NAI pulls out the DMCA stick

2002-05-22 Thread R. A. Hettinga

-BEGIN PGP SIGNED MESSAGE-

At 11:49 PM -0400 on 5/21/02, Luis Villa wrote, on FoRK:


 Well, yes, but you seem to be implying some sinister motive that
 not all of us are reading between the lines clearly enough to see
 :) I mean, otherwise, this just seems like a fairly garden-variety
 silly use of the DMCA by a large software company. What am I
 missing?

Not much.

A professor at Mizzou once taught us that there were three theories
of history: the conspiracy theory, where people conspire to control
events, succeed, and write history to hide the conspiracy; the
fuck-up theory, where people fuck up, fix it, and write history to
hide the fuck-up, and, the inevitable Hegelian synthesis (this was
the Swinging Socialist '70's after all), the fucked-up conspiracy,
where people conspire, fuck up, and then conspire to write history to
hide them both -- and usually fuck that up too.



So, no, I don't think that someone gave NAI The Briefing, and then
they got fascist religion or something, compounded by the deaths of
thousands of martyrs at the World Trade Center. Though, frankly,
given how the libertarians were squeezed out by the statists at NAI
(for good marketing reasons, nobody really cares, market wise, about
privacy, much less strong cryptography for anything but their credit
card numbers at the moment), I'm sure the only people left standing
at the bar when they had last call for crypto at NAI were the people
who, before NAI, relied on the Federales for a material, if not
significant, portion of their profit margin.

I just see this as the anti-climax to a giant fucked-up conspiracy to
control crypto, and, in turn, it's the fuck-up that actually *makes*
history, in the form of some poor copyright compliance schmuck,
deep in the bowels of a cubicle-farm somewhere...

Cheers,
RAH




-BEGIN PGP SIGNATURE-
Version: PGP 7.5

iQEVAwUBPOshr8UCGwxmWcHhAQHbIgf8DIiLX3yWK/iDLqCRv8gPCeggV9inoWYD
3K9uZkr/CwYzdgiIkWnJLlM0rdi5T/bKGPyZbZFh73Rjm0TAMlHyIfDoa8RLogsY
Pv6z1pY5C6uVvZ7NKtgt8zCcM8mga3d4lLoR5Pz3FyuRspNXb7nJjOXCbjl4QUNX
EJQsA192OHfMcGTXbQIZnyEXOEohzSG8Cp1i2LrFJzXLahNGSj9m1Ay5RoAb4mDf
oAsg6LrheIB5vRl2Ky2yVi4psOe3i1ezRTXuIE5bC/9/P6IixAu/W4UmEQ9rx+It
h+VM6kRAPvJiYvLi2Op1DiapCcTso8eANhggd7j4ph+tWZhRPZRENA==
=XZOu
-END PGP SIGNATURE-

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: NAI pulls out the DMCA stick

2002-05-22 Thread Ed Stone

At 11:33 PM 5/21/02, you wrote:
At 5:41 PM -0700 on 5/21/02, Joseph S. Barrera III wrote on FoRK:


  So what are they trying to do?
  I've totally not been following PGP,
  so I don't understand what they're doing.

O, I don't kno It looks, to *me* at least, like they're trying
to stamp out unauthorized copies of PGP on the net by threatening to send
people to jail. What does it look like to *you*?

Yes, using the DMCA hammer can attack unlicensed distribution, but like 
most things, it is not without other consequences. Whether or not those 
other consequences are more desired by NAI than simple protection of 
intellectual property is unknown.

Potentially among those other consequences would be reduction of 
availability to novices of PGP (with slick GUI). Absence of new versions, 
as the MS Win OS moves older apps into incompatibility, essentially trends 
toward removing PGP from new systems as operated by the mass market.

We are told that NAI wanted to sell the PGP entities but could not find an 
adequate buyer. I have seen no doc on how hard they tried, or what bids 
might have been in discussion. Others have said that NAI bought PGP from 
the get-go to kill it.

It appears that whatever NAI's motivations, PGP, as packaged for the mass 
market novices, is being killed. While other versions are abundant, without 
a slick GUI and seamless integration into the mass email clients, they will 
not be abundantly adopted in the mass market.

Stamping out the distribution of software that is no longer available for 
sale is of dubious immediate financial benefit to the copyright holder, 
thus they must be doing it either for future hopes for PGP (sale or 
re-marketing; not likely in my opinion), or for other, undisclosed reasons 
(likelihood unknown).

Some say the State surveillance ops would prefer to have a smaller haystack 
in which to search for whatever needles them. Less encrypted traffic would 
appear to shrink the number and size of those haystacks. It could be 
accidental that NAI's business operations just happen to coincide with what 
benefits those ops. For those preferring conspiracy theories, NAI announced 
essentially the shutdown of PGP on March 5, 2002, and the company announced 
shortly thereafter On March 26, 2002, the Company announced that it was 
informed that the Staff of the SEC had commenced a Formal Order of Private 
Investigation into the Company's accounting practices during the 2000 
fiscal year. Such notifications follow non-formal hints that the Formal 
Order will soon be announced. That appears to be a potential jail-time 
hammer, if one was needed.

But it could simply be a protection of intellectual property rights for 
whatever business opportunity may unfold in the future. Or the accounting 
hammer. Or We are currently engaged in several research and development 
contracts with agencies of the U.S. government. The willingness of these 
government agencies to enter into future contracts with us depends in part 
on our continued ability to meet their expectations. Minimum fee awards for 
companies entering into government contracts are generally between 3% and 
7% of the costs incurred by them in performing their duties under the 
related contract. However, these fee awards may be as low as 1% of the 
contract costs. Furthermore, these contracts are subject to cancellation at 
the convenience of the government agencies. Although we have been awarded 
contract fees of more than 1% of the contract costs in the past, minimum 
fee awards or cancellations may occur in the future. Reductions or delays 
in federal funds available for projects we are performing could also have 
an adverse impact on our government business. Contracts involving the U.S. 
government are also subject to the risks of disallowance of costs upon 
audit, changes in government procurement policies, required competitive 
bidding and, with respect to contracts involving prime contractors or 
government-designated subcontractors, the inability of those parties to 
perform under their contracts.

Pick none, one or a few.




Re: NAI pulls out the DMCA stick

2002-05-21 Thread jamesd

--
On 21 May 2002 at 15:03, Meyer Wolfsheim wrote:
 NAI is now taking steps to remove the remaining copies of PGP
 from the Internet, not long after announcing that the company
 will not release its fully completed Mac OS X and Windows XP
 versions?

Not a problem -- we have too many communication encryption
programs already.  Still a bit weak on disk encryption programs,
and of course, we have no transaction software.

We may suspect that someone is leaning on the big boys not to
provide encryption to the masses, but if so, it is a bit late.


--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 X6j99VDvTvGmFGh1D3CQg9dK9SHeYpD48/ZPZgHz
 4BH3f/B8/u/XrQuUz6UmSd7Vb0Xyl7FKwywwFfFdN




Re: NAI pulls out the DMCA stick

2002-05-21 Thread R. A. Hettinga

At 5:41 PM -0700 on 5/21/02, Joseph S. Barrera III wrote on FoRK:


 So what are they trying to do?
 I've totally not been following PGP,
 so I don't understand what they're doing.

O, I don't kno It looks, to *me* at least, like they're trying
to stamp out unauthorized copies of PGP on the net by threatening to send
people to jail. What does it look like to *you*?

:-).

Are we having fun yet, boys and girls? Is there an echo in this room? This
must be a closed universe, or something, 'cause I swear, I really do, I can
see my own backside, wy out there in the distance. I must be imagining
things, though. This couldn't be happening again...

Right?

Right?

Sheesh...

Cheers,
RAH

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: NAI pulls out the DMCA stick

2002-05-21 Thread R. A. Hettinga

At 9:43 AM +0530 on 5/22/02, Udhay Shankar N wrote:


 Does this include the free versions at, e.g, http://www.pgpi.com/ ? If it
 does not, why should this make any great difference, apart from making NAI
 look like even bigger horse's asses than they already do?

There's that, then. I suppose a perusal of the copyright notice for the
free version might be in order. Offhand, I don't remember anything about
the license...

Cheers,
RAH


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



