At 12:45 AM 9/22/97 -0500, snow wrote:
Ok, we write code. But as James S. Tyre pointed out, if the code is too difficult to use it will not be. And as Declan pointed out many/most people will not use the crypto if they must think about it. Writing the code is no longer enough. The code must be usable by the sheeple to work. How do we do that?
Pay someone to write easy to use interfaces to the crypto libraries already out there.
The code also has to do some good. Currently there are some gaping holes that I have not seen anyone cover very well. (At least not in a way that most users could actually use.)

Take, for example, the average home user. They will most likely be running Windows 95 or Windows 3.1 on a PC (486 or pentagram processor). They connect to the net via TCP/IP over a dialup link. Now since Louie "tap'em all, let the FBI sort em out" Freeh may or may not have that 1% of the phone switch tapped, the part that travels over the phone is vulnerable. (Microsoft was working on an SSL enabled winsock.dll, but it has been dropped. (Any ideas why? *wink* *wink* *nudge* *nudge* *say no more*)) Even if the person uses PGP for all their mail, the sites they surf, the ftp sites they visit, and all the addresses they send mail to will still be visible to the prying eyes of anyone who has the resources to tap the phone line. This is something that needs to be covered.

How about an ssl enabled PPP daemon, as well as the winsock layer to support it? Then you have to get ISPs to use it.

IPSec does not (as far as I can tell) resolve this problem, nor does it look like an option for the home user. (From what I have seen (and I may be wrong), the key distribution is tied to IP address. What about dynamic IP addresses?) Are there any of the IP encryption key exchange protocols that deal with dynamic IP? (And/or have a windows based client?)

SSH is a possible option, but it requires a fair bit of knowledge and another site to connect to that has not been compromised and where you have a shell account. (Most ISPs do not support SSH. Some do not give you a shell account.) There is also the possibility of apps not talking through the IP tunnel and revealing unintended information.

Mail is another hole. Eudora now distributes PGP 5.0 with the latest version. (This version does not do RSA keys. You can get the plug in to do those keys from PGP inc.)
This is helpful, but there are many other plug-ins that need to be written. Support for remailers is lacking. Windows based code for Mixmaster is also a needed thing. A good interface would help immensely. (Private Idaho was a big step in the right direction. Integration with a remailer people already use would be another big step forward.)

I am sure that people can think of all sorts of other ideas for needed apps. But to make them usable for the "general public", the apps will need to be written for Windows. (As much as I hate to think about it...)

---
| "That'll make it hot for them!" - Guy Grand |
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: |
| mankind free in one-key-steganography-privacy!" | Ignore the man |
|`finger -l alano@teleport.com` for PGP 2.6.2 key | behind the keyboard.|
| http://www.ctrl-alt-del.com/~alan/ |alan@ctrl-alt-del.com|