Re: Anyone know what became of the Gaim-E Project?
> You could say, if when evaluating signed content you find any > of these failing, it's a clue to be even more prudent. That > is, a strategy of teaching the prudence skill, and then adding: > what are activators to be alert for? This presupposes that (a) there exist a significant number of people who are qualified to teach, and (b) there exists a large number of people who want to learn. I don't agree with either presupposition. OpenPGP does not do what many (most, it seems) of its users think it does; and many (most, it seems) users are just fine with that state of ignorance. You guys who are willing to put in the work, change your minds, think critically? You guys are angels. Don't ever change. I just wish you weren't in the minority. (The preceding is applicable to a lot of life, and not just OpenPGP.) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
On Tue, 4 Nov 2008, Robert J. Hansen wrote: . . . signatures. They're very useful when you have: * a correct signature * from a validated key * belonging to someone you trust If any of those three conditions fail, I think digital signatures are pretty much useless. Given how specific and exacting the "useful" conditions are, I think the only conclusion to draw is that in the general case digital signatures are magic crypto fairy dust. Sprinkle a little on and you're safe from identity theft, message fraud and other tampering! Pay no attention to the man behind the curtain! You could say, if when evaluating signed content you find any of these failing, it's a clue to be even more prudent. That is, a strategy of teaching the prudence skill, and then adding: what are activators to be alert for? Ie, in this environment, crypto signatures give some activators, and are definitely better than nothing. Like in the animal kingdom, rustling sounds from the grass over there is an activator for the deer to be more prudent. :-) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
On Mon, 2008-11-03 at 09:58 -0600, Kevin Hilton wrote: > What value do signatures serve then however other than to provide data > authentication but not sender authentication? YASD (Yet Another Subtle Distinction). Signatures make it possible for the sender to be authenticated. However, the sender still has to take concrete steps so the recipient can enjoy sender authentication. I like to put small personal details in my signed messages; if I talk about "hey, I really enjoyed lunch the other day" and the recipient didn't have lunch with me, that's a clear sign some kind of sender games have been played. That's an example of what I'm talking about here. > How can you be sure in > any case that if you get an unsigned transmission, that the data is > secure, was altered, or that a signature was just mistakingly not > appended? You can't. A bad signature conveys the exact same information as an absent signature. Maybe the message was tampered with; maybe it wasn't; maybe it was tampered with innocently; maybe it wasn't; maybe... etc. The only information a bad signature conveys is that someone -- perhaps the original sender, and perhaps someone else -- attempted to do a signature operation. The informational content of that fact is pretty much zero. > So in the best case scenario if the private keys are kept truly > private and secure, the signature mechanism works as designed. In > unideal circumstances however, this "trust" mechanism falls apart > however. Seems like somewhat of a quandary? Yep. Like I said, I generally don't buy digital signatures. When used correctly by people who understand the subtleties of what they can and cannot do, digital signatures can be very useful. The rest of the time I think they're a distraction. A few years ago over on PGP-Basics, one list member was adamant that signatures should be used for _everything_, regardless of whether the recipients had validated your key, met you, or formed any opinion on whether you were trustworthy. Speaking the Sweet Voice of Reason did not dissuade this person, so John Moore, John Clizbe and I did a small experiment. I created a keypair, removed the passphrase from it, and shared it with John and John. We did not upload it to the keyservers. We then used this keypair to sign all of our traffic to the list... all three of us, using the exact same key. It was months before anyone noticed. Few people cared that our messages kept on getting flagged as "no key available" and the key wasn't on the keyserver. What people cared about was that it was signed, and as long as it was signed, that was enough. Now, remember, PGP-Basics is a pretty clueful group. It's very newbie friendly, but there are a lot of people there who have years of experience using OpenPGP. If they didn't notice the subterfuge, what chance does a normal user have? For all I know, someone on this mailing list could be repeating that experiment right now. If so, I'm totally blind to it. This just goes to show that I'm no more observant than anyone else. ... So yeah. I am not a believer in the usefulness of digital signatures. They're very useful when you have: * a correct signature * from a validated key * belonging to someone you trust If any of those three conditions fail, I think digital signatures are pretty much useless. Given how specific and exacting the "useful" conditions are, I think the only conclusion to draw is that in the general case digital signatures are magic crypto fairy dust. Sprinkle a little on and you're safe from identity theft, message fraud and other tampering! Pay no attention to the man behind the curtain! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Signature semantics (was Re: Anyone know what became of the Gaim-E Project?)
On Mon, Nov 03, 2008 at 06:38:08PM -0500, Robert J. Hansen wrote: >> which is fairly wide open to whatever meaning >> anyone wants to apply to it (that's a feature, not a bug). > > Right, and this much doesn't bother me. It's when people start > ascribing meaning to bad signatures, or the nonexistence of signatures, > that I begin to get frustrated. A bad signature doesn't mean the message > was tampered with -- the alteration could have been in the signature and > not the message itself, just to name one possibility. Indeed. The alteration also may or may not be malicious. The most common alteration I've ever seen are mail programs that break the signature via word-wrap or the like. (Hence the frequent "Does my signature verify now?" message chains on some crypto mailing lists). David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
On Monday 03 November 2008, Robert J. Hansen wrote: > > Fair enough, but I think all these examples rely on faulty or > > insufficient metadata. For instance if the from, to, cc, bcc and > > subject headers were included in the sealing, things like this > > would not happen. (Not sure exactly what headers pgp-mime does > > include much less s/mime). > > How is Alice supposed to know what metadata is necessary? Alice > isn't omniscient. Even if Alice puts in metadata A, B and C, Bob > will just use an attack that relies on the non-presence of metadata > D. It's not Alice, but Charlie who needs to know what metadata he needs to trust that the message was meant for him. If this metadata is not present he should ignore the message or ask Alice for confirmation. Alice might have made the attack possible, but it's Charlie who has fallen for the attack. He's to blame, not Alice. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
On Nov 3, 2008, at 4:08 PM, David Picón Álvarez wrote: From: "Robert J. Hansen" <[EMAIL PROTECTED]> To turn the "I love you" example into an attack, consider this: Alice sends Bob a message saying "Remember, you need to deliver the product at midnight." Bob, who doesn't want responsibility for delivering the product, cuts-and-pastes Alice's message and sends it on to Charlie, forging it as being from Alice. Charlie receives a message that seems to be from Alice, has a meaningful message, and has a valid signature from a trusted key. Charlie delivers the product at midnight. The next day Alice sees the product was delivered, and sends Bob a message saying "thank you for delivering the product, the check is in the mail." Fair enough, but I think all these examples rely on faulty or insufficient metadata. For instance if the from, to, cc, bcc and subject headers were included in the sealing, things like this would not happen. (Not sure exactly what headers pgp-mime does include much less s/mime). Both PGP/MIME and S/MIME are built over MIME, and have the same metadata protection. Specifically, none of the mail headers are included. This is not a flaw - it's just not how MIME handles this sort of thing (with some headers covered, and some not). If you want to protect an message, you protect the entire thing as a message/ rfc822 object which is completely covered. Think of it as treating the message you are protecting as an attachment to another message. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Signature semantics (was Re: Anyone know what became of the Gaim-E Project?)
which is fairly wide open to whatever meaning anyone wants to apply to it (that's a feature, not a bug). Right, and this much doesn't bother me. It's when people start ascribing meaning to bad signatures, or the nonexistence of signatures, that I begin to get frustrated. A bad signature doesn't mean the message was tampered with -- the alteration could have been in the signature and not the message itself, just to name one possibility. The flaw isn't in OpenPGP, but rather in the popular conception (or, in this case, misconception) of it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Seals (was Re: Anyone know what became of the Gaim-E Project?)
On Mon, Nov 03, 2008 at 10:23:08PM +0100, David Pic?n ?lvarez wrote: > From: "Ingo Kl?cker" <[EMAIL PROTECTED]> > "There's a slight problem with the seal analogy. The seal has to be > broken before one can read the letter and once the seal has been broken > it does no longer prove anything." > > I was referring to seals as in http://en.wikipedia.org/wiki/Seal_(device) > and not in the sense of closing a letter with glue. The kind of seals you > stamp on the letter (or other documents like laws) itself. It's true that > these seals could also be used to impress over a closed envelope and > assure confidentiality, so that once opened they could not be used to > verify again. That would be the equivalent of opaque signing, where you > encrypt first and sign later. Rather offtopic, but I read an interesting paper on seals a while back (I'm afraid I don't recall where offhand). Seals never really assured confidentiality. A person who wanted to open a letter would just make a mold of the seal, melt it free, read the letter and then re-make the seal using the mold. The countermeasure was to use multiple colors in the seal so that melting it free would mix up the colors so the new seal wouldn't look right. The catch was that you'd have to send a drawing of how the first seal looked using a different communications channel so the recipient could compare... David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
Fair enough, but I think all these examples rely on faulty or insufficient metadata. For instance if the from, to, cc, bcc and subject headers were included in the sealing, things like this would not happen. (Not sure exactly what headers pgp-mime does include much less s/mime). How is Alice supposed to know what metadata is necessary? Alice isn't omniscient. Even if Alice puts in metadata A, B and C, Bob will just use an attack that relies on the non-presence of metadata D. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Signature semantics (was Re: Anyone know what became of the Gaim-E Project?)
On Mon, Nov 03, 2008 at 05:23:32PM +0100, David Pic?n ?lvarez wrote: > As far as I'm concerned signature semantics are indeed a bit problematic, > not the least reason being that it isn't really the user who signs, but a > piece of software, ideally by the agency of the user, but in actuality > this is in itself hard to verify. I think an idea is that digital > signatures should rather be regarded as seals, like in the ancient days > when documents were authenticated that way. The reason I think this is a > better metaphor is it follows more closely the reality of digital > signing: it authentifies that the document passed through the hands of > the seal-holder, but was not necessarily authored by them; it gives a > clear feel of what happens when you lose your privkey (same as when you > lose a seal, anyone can seal with it); and it detaches the idea of > signing (which often implies active consent) from sealing (which is more > like a mechanical act), which is good because a digital seal can end up > there by accident (for instance if someone does not compromise your keys > but compromises your mail client, they might be able to get you to send > something with your seal). OpenPGP (properly) does not get very involved in the meaning of a signature. Regular signatures, in fact, are defined in RFC-4880 as "This means the signer owns it, created it, or certifies that it has not been modified." which is fairly wide open to whatever meaning anyone wants to apply to it (that's a feature, not a bug). > Where I have a difference is in the I love you example. Clearly you could > send the unsealed data (plaintext, whatever) to someone else and end up > in trouble, but the reasonable thing to do would be to send the document > sealed by the original sender, as you received it, same as when you > forward an e-mail the headers are on top indicating it does not come from > you, so the example is, I think, a bit contrived and inapplicable. The problem with a seal or a signature that it doesn't say anything about the intended recipient of the message. It's very easy for someone to forward the message elsewhere as a man-in-the-middle. An example using OpenPGP in particular: Alice sends Baker the signed "I love you" message. Baker then forwards it to his rival Charlie. Charlie sees a signed message from Alice, without any indication that he is not the real recipient, and proceeds to make a fool of himself. Encryption doesn't help this situation as (in most cryptosystems), the encryption is a wrapper around the signature. So Alice creates this: "I love you" and signs it: Alice_sign( "I love you" ) now encrypts it to Baker: Encrypt_Baker( Alice_sign( "I love you" ) ) Baker gets it, and decrypts it: Alice_sign( "I love you" ) Then encrypts it again to Charlie: Encrypt_Charlie( Alice_sign( "I love you" ) ) One lesson that can be learned from this is that the signed portion of a message should contain sufficient context so that the message cannot be repurposed in this fashion. Also, Alice should know better than to trust Baker. The cad. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
From: "Robert J. Hansen" <[EMAIL PROTECTED]> To turn the "I love you" example into an attack, consider this: Alice sends Bob a message saying "Remember, you need to deliver the product at midnight." Bob, who doesn't want responsibility for delivering the product, cuts-and-pastes Alice's message and sends it on to Charlie, forging it as being from Alice. Charlie receives a message that seems to be from Alice, has a meaningful message, and has a valid signature from a trusted key. Charlie delivers the product at midnight. The next day Alice sees the product was delivered, and sends Bob a message saying "thank you for delivering the product, the check is in the mail." Fair enough, but I think all these examples rely on faulty or insufficient metadata. For instance if the from, to, cc, bcc and subject headers were included in the sealing, things like this would not happen. (Not sure exactly what headers pgp-mime does include much less s/mime). --David. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
From: "Ingo Klöcker" <[EMAIL PROTECTED]> "There's a slight problem with the seal analogy. The seal has to be broken before one can read the letter and once the seal has been broken it does no longer prove anything." I was referring to seals as in http://en.wikipedia.org/wiki/Seal_(device) and not in the sense of closing a letter with glue. The kind of seals you stamp on the letter (or other documents like laws) itself. It's true that these seals could also be used to impress over a closed envelope and assure confidentiality, so that once opened they could not be used to verify again. That would be the equivalent of opaque signing, where you encrypt first and sign later. --David. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
On Monday 03 November 2008, David Picón Álvarez wrote: > As far as I'm concerned signature semantics are indeed a bit > problematic, not the least reason being that it isn't really the user > who signs, but a piece of software, ideally by the agency of the > user, but in actuality this is in itself hard to verify. I think an > idea is that digital signatures should rather be regarded as seals, > like in the ancient days when documents were authenticated that way. > The reason I think this is a better metaphor is it follows more > closely the reality of digital signing: it authentifies that the > document passed through the hands of the seal-holder, but was not > necessarily authored by them; it gives a clear feel of what happens > when you lose your privkey (same as when you lose a seal, anyone can > seal with it); and it detaches the idea of signing (which often > implies active consent) from sealing (which is more like a mechanical > act), which is good because a digital seal can end up there by > accident (for instance if someone does not compromise your keys but > compromises your mail client, they might be able to get you to send > something with your seal). There's a slight problem with the seal analogy. The seal has to be broken before one can read the letter and once the seal has been broken it does no longer prove anything. This can even be a good thing because it would have prevented the "Remember, you need to deliver the product at midnight." attack described by Robert (unless Bob would have forwarded the sealed letter to Charlie without having read it). Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
Where I have a difference is in the I love you example. Clearly you could send the unsealed data (plaintext, whatever) to someone else and end up in trouble, but the reasonable thing to do would be to send the document sealed by the original sender, as you received it, same as when you forward an e-mail the headers are on top indicating it does not come from you, so the example is, I think, a bit contrived and inapplicable. To turn the "I love you" example into an attack, consider this: Alice sends Bob a message saying "Remember, you need to deliver the product at midnight." Bob, who doesn't want responsibility for delivering the product, cuts-and-pastes Alice's message and sends it on to Charlie, forging it as being from Alice. Charlie receives a message that seems to be from Alice, has a meaningful message, and has a valid signature from a trusted key. Charlie delivers the product at midnight. The next day Alice sees the product was delivered, and sends Bob a message saying "thank you for delivering the product, the check is in the mail." Presto, Bob gets paid for Charlie's work. Yes, attacks like these have been spotted in the wild. Schneier's blog covered one of them recently, an outfit that used attacks like these in connection with long distance trucking companies. Fascinating work, really. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
As far as I'm concerned signature semantics are indeed a bit problematic, not the least reason being that it isn't really the user who signs, but a piece of software, ideally by the agency of the user, but in actuality this is in itself hard to verify. I think an idea is that digital signatures should rather be regarded as seals, like in the ancient days when documents were authenticated that way. The reason I think this is a better metaphor is it follows more closely the reality of digital signing: it authentifies that the document passed through the hands of the seal-holder, but was not necessarily authored by them; it gives a clear feel of what happens when you lose your privkey (same as when you lose a seal, anyone can seal with it); and it detaches the idea of signing (which often implies active consent) from sealing (which is more like a mechanical act), which is good because a digital seal can end up there by accident (for instance if someone does not compromise your keys but compromises your mail client, they might be able to get you to send something with your seal). Where I have a difference is in the I love you example. Clearly you could send the unsealed data (plaintext, whatever) to someone else and end up in trouble, but the reasonable thing to do would be to send the document sealed by the original sender, as you received it, same as when you forward an e-mail the headers are on top indicating it does not come from you, so the example is, I think, a bit contrived and inapplicable. --David. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
I'm going to try to steer this back onto a relevant topic Robert I love your "off the cuff feelings" about things. Its when you are at your best. Question: What value do signatures serve then however other than to provide data authentication but not sender authentication? How can you be sure in any case that if you get an unsigned transmission, that the data is secure, was altered, or that a signature was just mistakingly not appended? As a counter argument -- if the private key was stolen and a message signed using the stolen signature, it really doesn't act to prove sender authenticity either -- but I guess it does serve to prove data authenticity. So in the best case scenario if the private keys are kept truly private and secure, the signature mechanism works as designed. In unideal circumstances however, this "trust" mechanism falls apart however. Seems like somewhat of a quandary? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
The pidgin-encryption plugin provides encryption and authentication, but not deniability or perfect forward secrecy. If an attacker or a virus gets access to your machine, all of your past pidgin-encryption conversations are retroactively compromised. Further, since all of the messages are digitally signed, there is difficult-to-deny proof that you said what you did: not what we want for a supposedly private conversation!" This is increasingly off-topic from GnuPG; let's bring this thread to a close pretty soon. I don't buy OTR's hype, which is basically what you're quoting here. What they're saying is simple: if an attacker eavesdrops on your secured communications and gets copies of them, then if the attacker is able to compromise your box, the attacker can get your GnuPG key and use it to decrypt previously sent Gaim-E traffic. I also don't buy the argument that an OpenPGP signature is difficult to deny. Or, perhaps, the problem is that I _do_ buy the argument. Signature semantics are the most pernicious part of OpenPGP, if you ask me. I can count my hands the number of people I know whom I think have a good grip on signature semantics. A correct signature from a valid key belonging to a trusted party means the reader can feel confident the message is in the same state as the signer saw it. That's all. Nothing else. Imagine that Alice sends Bob a very short note. "I love you." Bob, who wants to gloat about his romantic victory to his archrival Charlie, forwards Alice's message on to Charlie... but Bob's mailer appends a signature to the message. Now Charlie has a signed message from Bob in which Bob appears to swear his love for Charlie. Major embarrassment ensues because everybody thinks the signature is proof that Bob wrote the message, when he actually didn't. The absence of a signature is also not proof of anything other than the absence of a signature. Imagine that I'm concerned about people forging my messages, so I make it a point to sign everything. A malicious undergrad, upset over the grade I gave, decides to ruin my reputation anyway by posting vitriolic, hate-filled messages to a white supremacist mailing list using my name. When the Dean summons me to explain my actions, I say "... but that's not me! I sign everything! I have a years-long history of signing everything!" The Dean, who is a smart mathematician, will say "ah, but perhaps you deliberately left your signature off these messages so you could deny them later if they surfaced. You understand that we have to open an investigation into you, Rob, correct?" So my objection to OTR's characterization of OpenPGP signatures as "difficult-to-deny proof" is that it's simply not so. The public misconceptions around signatures are so vast that I seriously doubt the utility of signatures. Most people don't understand them and don't especially want to, either. This message was sent using IMP, the Internet Messaging Program. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
As others have mentioned there is another pidgin encryption technique: http://pidgin-encrypt.sourceforge.net/ . This project also seems to have stalled if I'm looking at the release dates as an appropriate indication. The OTR website specifically addresses this plugin with the following: "How is this different from the pidgin-encryption plugin? The pidgin-encryption plugin provides encryption and authentication, but not deniability or perfect forward secrecy. If an attacker or a virus gets access to your machine, all of your past pidgin-encryption conversations are retroactively compromised. Further, since all of the messages are digitally signed, there is difficult-to-deny proof that you said what you did: not what we want for a supposedly private conversation!" This explanation doesn't make a lot of sense to me. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Robert J. Hansen wrote: >> Interesting concept, however looks as if the project was abandoned. > > It died due to lack of interest, mostly. Some IM protocols require > short message blocks; OpenPGP messages are usually quite long. Thus, > Gaim-E was never able to support as many protocols as Gaim/Pidgin itself > could. > > A different project, OTR, provides confidential instant messaging. I > have some minor quibbles with it, but all in all, OTR seems to be the > best thing going for IM confidentiality. There is also a Plug-In for Pidgin called RSA Encryption that provides seamless IM Encryption as well. JOHN ;) Timestamp: Sunday 02 Nov 2008, 23:09 --500 (Eastern Standard Time) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10-svn4845: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJDnmEAAoJEBCGy9eAtCsPi44IAI0G34gAc+2qheLPdkAdG0ay 8Bhg+ncfuJfZOp6JnnyXhd1bqamsFZl1A333zC41ncW47vZwpb1ETsF4sslxIyrp eOa61AIFPP2cWZoOshxfMNR5jb+OY0w5mtwdWBqXBMhHfR3x812dFltHesll19LZ EURXlvAU02NkNYoiP/hJRBQXk7Q/qCCmjBvoRLomkKHp3ttuBuJ9a0+/Zs5OE4+k EkOWIASmCMG8yfJ4ua4n+lLM0jJ2FHJ044yq/aXijMuPyfCKORE/AOcKaym42SSd I7KyI9kGzwiBK2QNjhVgPmtWUd+3rRELGNhgur7NdjLQASvIGF1Y48wSV+s1V+w= =LtVH -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Robert J. Hansen escribió: >> Interesting concept, however looks as if the project was abandoned. > > It died due to lack of interest, mostly. Some IM protocols require > short message blocks; OpenPGP messages are usually quite long. Thus, > Gaim-E was never able to support as many protocols as Gaim/Pidgin itself > could. > > A different project, OTR, provides confidential instant messaging. I > have some minor quibbles with it, but all in all, OTR seems to be the > best thing going for IM confidentiality. Also, there is a plugin named Pidgin-Encryption http://pidgin-encrypt.sourceforge.net/ I don't know which one is better, but at least, there are things to provide encryption... Best Regards -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJDnTkAAoJEMV4f6PvczxAq/wH/0TkjTIiXZWcz+snMwNMwOUK mNeyFO2uZk63Yl0Pq/9NYREtOUnegX4NG9EVkOoGVJt5acZiSSnFf21BJAE+EtaY 30cZ+5VycD0aHEhoNyRZAvKNAZkU2XBQ0VyN4cl7ktR1OpmnpzdRTL7PWpFMC913 jiAcTkByP/EJicWLjUgnt/8NkYtgw4VnkxUBlqR9OWVnRROCs04Wrh/795B5LEJy QumCgofYozI9sfHpIlj5LSpHjP/42IbkxZ8R6N0YsJNWnekrBA+MHcZmQLNr/p3c ohVYI/rbzFmu6C6wUZtZjK1tYoqFL3fIWcNOYyvwYXSDlNmR6It7nl4595sXpb4= =VJwC -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anyone know what became of the Gaim-E Project?
> Interesting concept, however looks as if the project was abandoned. It died due to lack of interest, mostly. Some IM protocols require short message blocks; OpenPGP messages are usually quite long. Thus, Gaim-E was never able to support as many protocols as Gaim/Pidgin itself could. A different project, OTR, provides confidential instant messaging. I have some minor quibbles with it, but all in all, OTR seems to be the best thing going for IM confidentiality. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Anyone know what became of the Gaim-E Project?
Just wondering if anyone was familar with the Gaim-E project? Supposedly this was a plugin for the former IM client Gaim - now known as Pidgin -- that provided for encrypted IM communication using GnuPG.http://sourceforge.net/projects/gaim-e/ Interesting concept, however looks as if the project was abandoned. -- Kevin Hilton ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
