
On Fri, 10 Oct 1997, Jon Callas wrote:
In the course of all the discussion here, I have seen a number of implicit attitudes and assumptions that irritate me. This is a short rant to air my irritation.
I would hate to see your *long* rants ...................:^)
The first thing that bugs me is what I'm calling Crypto-Correctness. I don't know a single person on cypherpunks who is against privacy, or is against the notion that in the information society, keeping and bearing crypto is an inalienable human right. Politically, I'm a Lockeian, and put privacy up there with Locke's basic trio of life, liberty, and property. As part of this, I fight the stupid notion that because there are bad people out there, rights should be abridged.
I express it as private information is my property and I should have whatever means necessary to protect it. And as crypto can be directly used only as a shield and not a sword, there are no reasonable arguments against me using it.
I believe that the central thesis of crypto-freedom is that it doesn't matter if a document is on paper or in a text file; it doesn't matter if a conversation is on the phone or in a restaurant. The medium doesn't matter. My papers and effects have the same protection on a disk as on paper itself.
This is really unexplored. I would extend rights in the physical world into cyberspace. And you are right [in an elided section] that corporations or businesses aren't thought of. Most of the arguments against intellectual property are toward releasing it where it is free, but there is an equal or greater threat of charging for the information without paying royalties. There are vandals, but there are also thieves.
We all know that deployment is the key. But real deployment means deploying to people who don't know how their toaster works, too. If we don't solve this problem, we'll get hit with the backlash. Just you wait, once crypto becomes trendy, there will be a Time cover story with some headline like, "How Much Privacy is Enough? Who's Really After You, Anyway?" and in it will be sob stories about how people lost their passphrases, were blackmailed by employees (ask me, I have real-world tales of this), or can't decrypt their backups. Congress will have hearings, and they aren't going to be fun to watch. Is trying to head this eventuality off (yes, I believe it's inevitable) really the work of Satan?
No, but I don't know if your solutions are real. Does PGP 5.5 prevent encrypting non-CAK, then reencrypting CAK to pass through the mailers? GAK/CAK has lots of technical problems, and I don't know that you have solved them. You assume that someone like the boss in the Dilbert cartoon is going to make this all work (or will they write the corporate passphrase on their deskpad)? I tend to be neutral to CAK, except that I can't think of an easy way to create something that is not snake-oil (i.e. that is easy, doesn't compromise security if the CAKeepers are dunces, and ensures that data encrypted is accessible by the TTPs).
The last thing that really, really bugs me is the hostility that's directed towards PGP Inc. because now we're an Inc.
We put out a freeware product, hoping people will upgrade to the for-pay version. If you're thinking of your own startup, let me give you some investment advice: the crowd who thinks the X-files is a documentary doesn't upgrade to the for-pay version.
The Windows versions I have seen don't allow me to select algorithms (they default to CAST, so how do I get 3DES or IDEA), and neither did the Linux version - the beta segfaulted on at least one combination of algorithms. Are all these little problems fixed? And if so, you had to modify the source, so is there a diff file you are going to publish much less a press release saying what is or is not fixed (I see the part about batch-friendly, but is that there yet, and how would I use that - you could put your manuals online). I can't even buy a license for the scanned version which I can at least fix these problems. I would pay the $49 for the license to use a working Linux version. Maybe you should add a license issuing page to your server so I can click and get a digitally signed HTML license (with a physical one to be mailed later if needed). But for now my choice is to take a chance on the $49 downloadable version (will it be another $49 for a half-fixed version, and another $49 when the IETF finishes with the spec and 6.0 meets it?). Does anything happen differently if it has problems and I report them? By the way, I can't even download it - your server requires switching to a port our firewall doesn't let through (9999) which I emailed your webmaster about three months ago. There are other common alternate ports that are allowed. So I can't even really get the $49 version, I must pay $79 (or spend an hour creating an IP tunnel to a recognized US DNS-IP address which is what I did last time - I might do that for the freeware version but not to purchase something). So I don't know if any of the problems in the freeware or betas are fixed, and I can't even download it from your website. Some hostility to the "Inc." might be from your consumer relations more than your philosophy.
--- reply to tzeruch - at - ceddec - dot - com ---