PGP 9.5 (Win32) impressions

Thread: PGP 9.5 (Win32) impressions

Search this list only Search all lists
PGP 9.5 (Win32) impressions
	2006-10-17 03:25:00

Just a quick note--after Richard Stoddard started asking about his PGP 8.1, I decided I'd take a look at PGP 9.5 for Windows, just to make sure my knowledge on it was up to date. 1. TEST ENVIRONMENT All testing was done on a MacBook Pro running Windows XP Professional SP2 + all the latest security updates as of today, running through BootCamp. 2. DOWNLOAD AND INSTALLATION PGP 9.5's download and installation process is still onerous. PGP is privacy software. Why should I have to give my phone number to PGP Corporation before they'll allow me to download PGP? Once downloaded, installation was straightforward, except that it required a reboot. This probably says more about Windows than it does about PGP, but it's still obnoxious. Rebooting should be a rare occasion, not a whenever-you-install-something thing; and if Microsoft's not going to fix this problem, application providers should do what they can to fix it themselves. 3. WHAT HAPPENED TO MY KEYS? After importing my private keys, I was surprised to discover PGP had changed their preferred hash algorithm to... drumroll, please... SHA-1. This, I confess, was a head-scratcher. After all, wasn't it PGP's Jon Callas who said last year that we all needed to move away from SHA-1? Key 0xFEAF8109 has as cipher preferences Blowfish, 3DES, the AESen, and CAST5, in that order. AES256 is my third-choice algorithm. PGP 9.5 decided it needed to become my first-choice algorithm. In other words, PGP 9.5 cheerfully ignores the way _you_ want your keys to be, and forces you to import them in a way _it_ thinks your keys should be. This is terribly broken behavior. 4. WHY ARE RIPEMD-160 and SHA-1 STILL THE DEFAULTS? When I clicked on the menu option to change algorithms, the only other thing I could change it to was RIPEMD-160, which isn't much of a win. In order to enable SHA256, SHA384 and SHA512 support, I had to explore through menus. 5. CONFUSING MENUS There was an "Edit" option at the end of the hash algorithm selection menu which I ignored for some time, thinking that I was already editing my hash preferences. Well, I was... but that's not what the Edit option does. The Edit option is misnamed, in that it's used to determine what hash algorithms are available. This, not to put too fine a point on it, is nonsense. Why should I have to explore through a menu to find hash algorithms, figure out which ones I want and which ones I don't, etcetera, etcetera? Good human interface design says that the default behavior should be the one most broadly useful to the userbase. This would appear to be SHA256. 6. MISNAMED ALGORITHMS The hash algorithms are also, amazingly enough, _misnamed_. They're called SHA-2-256, SHA-2-384 and SHA-2-512, as opposed to their real NIST-approved names. This may seem like a small thing, but I've already been getting questions from people about "so what's the difference between SHA-256 and SHA-2-256?". It would be nice if PGP Corporation could use the correct terms for algorithms. It doesn't seem like that's asking too much. 7. STILL DOESN'T WORK WITH THUNDERBIRD Opening up a message in Thunderbird and selecting "Current Window -> Decrypt & Verify" gives me an error message about how PGP can't cut and paste from the window. 8. SIZE Edsger W. Dijkstra, a computer scientist of phenomenal renown, famously remarked there are only two ways to write correct programs: you can write programs that are so simple they are obviously correct, or you can write programs that are so complex they have no obvious failings. PGP 9.5 is a _36 Mb_ compressed download. Compare this to GnuPG, which for all the binaries (source and documentation not included) comes out to 1.5 Mb. PGP 9.5 is 25 times the size of GnuPG 1.4.5. That means it has 25 times the room for errors, bugs, and whatnot. __._,_.___ Messages in this topic (1) Reply (via web post) \| Start a new topic . __,_._,___
PGP 9.5 (Win32) impressions
	2006-10-17 06:29:07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Robert J. Hansen wrote: > Just a quick note--after Richard Stoddard started asking about his PGP > 8.1, I decided I'd take a look at PGP 9.5 for Windows, just to make sure > my knowledge on it was up to date. >; <snip> > 2. DOWNLOAD AND INSTALLATION > > PGP 9.5's download and installation process is still onerous. PGP is > privacy software. Why should I have to give my phone number to PGP > Corporation before they'll allow me to download PGP? > The cynic in me says "so the NSA knows";. <snip> > 3. WHAT HAPPENED TO MY KEYS? >; > After importing my private keys, I was surprised to discover PGP had > changed their preferred hash algorithm to... drumroll, please... SHA-1. > > This, I confess, was a head-scratcher. After all, wasn't it PGP's Jon > Callas who said last year that we all needed to move away from SHA-1? > I suspect that the left hand doesn't know what the right hand is doing. > Key 0xFEAF8109 has as cipher preferences Blowfish, 3DES, the AESen, and > CAST5, in that order. AES256 is my third-choice algorithm. PGP 9.5 > decided it needed to become my first-choice algorithm. > > In other words, PGP 9.5 cheerfully ignores the way _you_ want your keys > to be, and forces you to import them in a way _it_ thinks your keys > should be. This is terribly broken behavior. > Haven't we talked about PGP Corp. doing this sort of thing before? Well, I remember saying something similar back in January when we were talking about PGP 9.0.4. I wrote: <quote> > Now I know why people don't use PGP anymore. The software doesn't trust >; the user, hence the users don't trust the software. > </quote> <snip> > 6. MISNAMED ALGORITHMS > <snip> > It would be nice if PGP Corporation could use the correct terms for > algorithms. It doesn't seem like that's asking too much. >; ... and they're still calling DSA "DSS" and ElGamal "Diffie-Hillman", right? > > 7. STILL DOESN'T WORK WITH THUNDERBIRD > > Opening up a message in Thunderbird and selecting "Current Window -> >; Decrypt & Verify" gives me an error message about how PGP can't cut and > paste from the window. > That's very odd. GPGShell works in the "view source" mode and (sometimes) works in the "message pane" mode so long as you select the right bit of the screen. The "sometimes" is presumably to do with what Thunderbird does with the message when it renders it. >; > 8. SIZE > > Edsger W. Dijkstra, a computer scientist of phenomenal renown, famously > remarked there are only two ways to write correct programs: you can > write programs that are so simple they are obviously correct, or you can > write programs that are so complex they have no obvious failings. > > PGP 9.5 is a _36 Mb_ compressed download. > That's bigger than the Subversion repository for GPG 1.4.5, which is only about 25MB; even once everything is compiled it's still only 45MB. > Compare this to GnuPG, which for all the binaries (source and > documentation not included) comes out to 1.5 Mb. > > PGP 9.5 is 25 times the size of GnuPG 1.4.5. That means it has 25 times >; the room for errors, bugs, and whatnot. > And GUI-ness! Oh and probably it's whole disk encryption stuff as well, or is that elsewhere? - -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4-svn4208:IDEA-TIGER192-DSA2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBRTR4MyIkramx4GSWAQh+zwf/VrOfZANV7Ym1D6HfmU7XB08QAPn6rsxt VZI9iEYcm8T2v4xrKiQQ3YQt70F/JwoddMxQYuoS99iK+rw1y7Hue/HM/5MMWpBh KxevXa/BhgUbKk60JyMbi6U0jWNV8JtOL7e+2UhS1NJRZTI6vruDzFeRGsqvFxCN 8lnupmS3;LEHXEcsBU1PwOYMsx9Zk1SK5yxhrMCo4b0vj0/uUKPPhuFq1UqbcOrDL 9BKGzATp4y8GoWKDwLNYgxtlu9HL4895QO7U+THUtYBz7W5+;+RSvW93;wxwme6kKR +IxfaUj7kHOhOhBDteVnsOAxcVxnE8y/BwnSvFHhtLwgMzcqFHkOXQ== =pIto -----END PGP SIGNATURE----- __._,_.___ Messages in this topic (2) Reply (via web post) \| Start a new topic . __,_._,___
PGP 9.5 (Win32) impressions
	2006-10-17 06:40:04

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Alphax wrote: > The cynic in me says "so the NSA knows";. Given how popular paranoia is in crypto circles, you may want to avoid speculation like that unless you either (a) have evidence or (b) want to fan the flames of the tinfoil-hat crowd. Speaking for myself, I really dislike buying Reynolds Wrap in industrial quantities, so I'll skip any speculation. > I suspect that the left hand doesn't know what the right hand is doing. Not in this case. Callas is a senior executive in PGP Corporation. He definitely saw the 9.5 release candidate before it went to gold master. > Haven't we talked about PGP Corp. doing this sort of thing before? Yeah, it's a case of PGP Corporation not learning from their earlier mistakes. > ... and they're still calling DSA "DSS" and ElGamal "Diffie-Hillman", right? Diffie-Hellman. But yeah, just like they've done since PGP 5. I can understand them not changing that terminology, though, since they've had it for so long that fixing it would create more questions than it avoids. I was hoping to see them not repeat their mistakes this time around, though. But 9.0.x misnamed the hash algorithms, 9.5 still misnames them, so I expect the misnaming to continue indefinitely. They still mark SHA-1 as "Partially Deprecated", which _still_ makes no sense to me. It's partially deprecated? Great! For what purposes is it deprecated, and what purposes is it not deprecated? What does it mean to be 'partially deprecated'? Why is a partially deprecated algorithm the _default_ algorithm, when much better ones exist? Etc., etc., etc. All the same questions I had since PGP 9.0.x. > And GUI-ness! Oh and probably it's whole disk encryption stuff as well, >; or is that elsewhere? No idea. I wiped it from the system as soon as I could. It just doesn't give me the warm fuzzies. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJFNHrDAAoJELcA9IL+r4EJJkAH/3mWVdJ7RuYzPlpswDAunkmb UlA6CqBW9b7B8/AOLZkklC6XiSw7BnBpro98MSDn/gNleODz5TNi4N2o6wvW8FP/ VOyaqcnqzP3+5Vsut4HpzxTQQEGMuyne+rBiXbuP/CW9ETW2xQObWUsDdX+SbLCz AioEZS1JRmLLFb2TxfJk0wvcGRqp7BwRhG4Zdk99eUM7q0pZGhBTuqEqklVNWcrE JXPZnNqBR/pFrAGXb+/EuNFlTHHz78M3Zp+vMNqeX5HYq621fbjrht/4iEoNFQ97 IsvL906Q2+;Wh8tIwI8FQ23xR4yyOxzyZ1/uaJDENOmljl/uDPYXfAPhps/Rz3vE= =bAzY -----END PGP SIGNATURE----- __._,_.___ Messages in this topic (3) Reply (via web post) \| Start a new topic . __,_._,___
PGP 9.5 (Win32) impressions
	2006-10-17 14:50:47

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ——— — — — — — — · — — Was another beautiful day, 06-10-17, at 15:59:07 +0930, ——— when Alphax wrote: > That's bigger than the Subversion repository for GPG 1.4.5, which is > only about 25MB; even once everything is compiled it's still only 45MB. A 20 here. Once everything is compiled. - -- Mica ~~~ For personal mail please use my address as it is exactly given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ OSs: Windows 98 SE Micro Lite Professional IVa Enterprise Millennium Windows XP(ee) Micro Lite Professional 1.6 Linuxes: Gentoo, Vector, Slackware, ZipSlack and Xandros -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn-4217 <>o<> tiger192 i686 (MSYS/MinGW32) iQEVAwUBRTTtxbSpHvHEUtv8AQg3ywf/bx1VaNeYPX4q13ESaTAUMFJZ5ZSbR1No egd10flPnk1iRfdsE0PPFW1aN7qzkQfLJJwd8lPl7wb1fr/1CnjmXBDI9LaExDLZ 73ytwQhHLB9oWff4Y/518D4Oap8QnahM4lFKXwf8aj7oRTiBIa3c0Srbk5W9Op3q mbKWJc62bdWHaAcVbYGfHOEY1k1B425Kk7dgxWFxglGjRdBrciMrdf9J8oAQajMP IRI6SjRC6q8Bj25K+OocTDbTZ6CaSJ2WtY3WOvPQXyOhXqp1M91pNb/rW3oH6ZcM 0ZIFUBYon+O1DD9pfKWQrEKmVo/KPeqo6PI6I6W4dRznznQcPJSXWA== =Pa1L -----END PGP SIGNATURE----- __._,_.___ Messages in this topic (4) Reply (via web post) \| Start a new topic . __,_._,___
PGP 9.5 (Win32) impressions
	2006-10-19 16:45:34

Robert J. Hansen wrote: > 2. DOWNLOAD AND INSTALLATION > > PGP 9.5's download and installation process is still onerous. PGP is > privacy software. Why should I have to give my phone number to PGP > Corporation before they'll allow me to download PGP? > > Once downloaded, installation was straightforward, except that it > required a reboot. This probably says more about Windows than it does > about PGP, but it's still obnoxious. Rebooting should be a rare > occasion, not a whenever-you-install-something thing; and if Microsoft's > not going to fix this problem, application providers should do what they > can to fix it themselves. > Windows XP doesn't require a reboot after most program installations. Only major system changes necessitate a reboot. -- /_/ ( o.o ) > ^ < Meow! Key ID: 0x9C6CC3A3 Fingerprint: 5474 04A6 2BAC 7138 204A D61B 4246 59CB 9C6C C3A3 (Portable) Thunderbird 1.5.0.7 w/ Enigmail 0.94.1 __._,_.___ Messages in this topic (5) Reply (via web post) \| Start a new topic . __,_._,___
PGP 9.5 (Win32) impressions
	2006-10-19 18:28:06

Andrew Berg wrote: > Windows XP doesn't require a reboot after most program installations. > Only major system changes necessitate a reboot. There are two possibilities here. Either: * PGP changes the system so pervasively a reboot is required * PGP is not competently written so as to avoid a reboot Both options bother me. I don't want my system pervasively changed. The second option should be self-evident why it bothers me. __._,_.___ Messages in this topic (6) Reply (via web post) \| Start a new topic . __,_._,___
PGP 9.5 (Win32) impressions (OT split)
	2006-10-20 01:12:48

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert J. Hansen wrote: > Andrew Berg wrote: >> Windows XP doesn't require a reboot after most program installations. >> Only major system changes necessitate a reboot. > > There are two possibilities here. Either: > > * PGP changes the system so pervasively a reboot is required > * PGP is not competently written so as to avoid a reboot > > Both options bother me. I don't want my system pervasively changed. > The second option should be self-evident why it bothers me. > > > The installer was likely written to be compatible with earlier versions of Windows. Better to have an unnecessary reboot than a messed up install (which would cause a lot of effort wasted by PGP Corp. Customer Service) . - -- /_/ ( o.o ) > ^ < Meow! Key ID: 0x9C6CC3A3 Fingerprint: 5474 04A6 2BAC 7138 204A D61B 4246 59CB 9C6C C3A3 (Portable) Thunderbird 1.5.0.7 w/ Enigmail 0.94.1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: -- Comment: /_/ Comment: ( o.o ) Comment: > ^ < Meow! Comment: Key ID: 0x9C6CC3A3 Comment: Fingerprint: 5474 04A6 2BAC 7138 204A D61B 4246 59CB 9C6C C3A3 iD8DBQFFOCKPQkZZy5xsw6MRAswpAKCufe0MkP77pOHE+EfqUl2KVuTURACeMrqI qVW4OoUXYKAHar9cnctHwNA= =qqRs -----END PGP SIGNATURE----- __._,_.___ Messages in this topic (7) Reply (via web post) \| Start a new topic . __,_._,___
PGP 9.5 (Win32) impressions (OT split)
	2006-10-20 01:40:23

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Andrew Berg wrote: > The installer was likely written to be compatible with earlier > versions of Windows. Better to have an unnecessary reboot than a > messed up install (which would cause a lot of effort wasted by PGP > Corp. Customer Service) . This, too, is a competency issue. What, they're incapable of this? OSVERSIONINFO version; BOOL rv; ZeroMemory(&version, sizeof(OSVERSIONINFO)); version.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); /* I hate this hack. / rv = GetVersionEx((OSVERSIONINFO)&version); if (! rv) { version.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); rv = GetVersionEx((OSVERSIONINFO)&version); if (!rv) return FALSE; } install_pgp_9_50(); / Win95, Win98, WinME */ if (version.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS) reboot(); If they're not bothering to check if a reboot is needed, that doesn't reflect well upon them. If they simply don't care, that doesn't reflect well upon them. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFOCkHAAoJELcA9IL+r4EJ18MIAIZtC83;CUOa9hyHI5iiw3/Dg eoUew1qSGIS4gpqg1/flafyCXiQHkoWaVpdZYv5DMo2wMp94kEj8Y2eiLYXHb4aY Al116P4vm2YN5JMVtXhZ70prD6okh6z4FMifykxGi4OWJpk/blFUGzZjjZ+XRd47 a0+UWq+wGQq/O3u26nHlSuPR3hvxltjSPxUgo+nPUcTowE9e5I9JUMGmLQKYxVPl lazFo9pwKeWKFt89KkTg1DimGrOj9Oxtf2yiz0f3p034tmlsQxLajNaWKz5C/t4s IJD3s6FyS15bH/teRFw6i/KVkqr2M50ykd+mRzDJ3kw/lWZXH9y0ZreD/SZg6w0= =0JT5 -----END PGP SIGNATURE----- __._,_.___ Messages in this topic (8) Reply (via web post) \| Start a new topic . __,_._,___
PGP 9.5 (Win32) impressions (OT split)
	2006-10-21 11:12:25

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert J. Hansen wrote: > If they're not bothering to check if a reboot is needed, that > doesn't reflect well upon them. If they simply don't care, that > doesn't reflect well upon them. I guess we just have differing opinions on the significance of a reboot prompt. - -- /_/ ( o.o ) > ^ < Meow! Key ID: 0x9C6CC3A3 Fingerprint: 5474 04A6 2BAC 7138 204A D61B 4246 59CB 9C6C C3A3 (Portable) Thunderbird 1.5.0.7 w/ Enigmail 0.94.1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: -- Comment: /_/ Comment: ( o.o ) Comment: > ^ < Meow! Comment: Key ID: 0x9C6CC3A3 Comment: Fingerprint: 5474 04A6 2BAC 7138 204A D61B 4246 59CB 9C6C C3A3 iD8DBQFFOgCYQkZZy5xsw6MRAsfGAKC6FNWBa7BUStqihPQ2oU/L86f1ZwCdGh00 sEXYL020SOsR8r+ORyD6lco= =ekqW -----END PGP SIGNATURE----- __._,_.___ Messages in this topic (9) Reply (via web post) \| Start a new topic . __,_._,___

[1-9]

about | contact Other archives ( Real Estate discussion Medical topics )