Orthogonality and Disaster Recovery

David Sternlight david at sternlight.com
Sun Oct 26 18:16:08 PST 1997



William H. Geiger III wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> In <34537A18.9FE77210 at sternlight.com>, on 10/26/97
>    at 09:13 AM, David Sternlight <david at sternlight.com> said:
> 
> >This seems to be a defense of a major failing of PGP. Rather than being a
> >complete package for a user function (encrypting and signing mail, for
> >example) it is a pre- and post-processor which requires a separate mailer
> >and newsreader. In fact this whole argument may be viewed as an attempt
> >to defend that failing of PGP. The failing is understandable since Phil
> >wanted to get something out there quickly and hadn't (and probably still
> >doesn't have) the resources and talents available to do a complete PGP
> >mailer/newsreader--much less be able to compete successfully with those
> >who DO do such mailers and newsreaders.
> 
> This is quite a silly argument, David,

Not at all. See below. You give yourself away by starting out this way.

> 
> Do all E-Mail vendors need to be cryptologists??

If the client's e-mail is to be secure, yes. But let's be accurate here. Phil
is not, nor has he ever been, a cryptologist. He's a programmer who learned a
few things about crypto algorithms and copied existing work. His unique
contribution, if there was a technical one, was in key management. I haven't
studied enough cryptology to know if "web of trust" was copied too.

> Do all cryptologists need
> to be application vendors?? Obviously not.

Now that IS nonsensical because cryptology is a wide and deep art only a small
part of which has to do with mail applications themselves. In contrast, mail
applications to be secure must use encryption. There's some very muddy
thinking going on in your post.

> PGP is a tool much like a
> database is. The majority of vendors who develop apps that require a
> database do not go out and write their own, rather they use a database
> engine that is suited to their needs. 

Except for the occasional password protection, databases don't need encryption
to the extent e-mail does.

> Btrieve doesn't try to develop every
> application that may use a database, instead they sell the database engine
> and let the application developers make the apps. The same is true for
> E-Mail vendors, they integrate PGP into their products. No need for PGP
> Inc, to develop their own E-Mail product.

You miss the point here. And you miss the many worked examples. RSA is selling
lots and lots of toolkits for lots and lots of money for in-line integration
into applications, not for pre- and post-processing. The former is the way to
go; the latter a kludge until something better comes along.

> 
> FWIW: I am quite confident that if Phil wished to write an
> E-Mail/NewsReader he is quite capable of producing a better product than
> the piece of crap N$ has on the market.

You are losing it. First of all I doubt very much that Phil could do this. If
you look at the development time and staffing for good e-mail applications,
this is simply beyond his capabilities and he's never claimed otherwise. Second
of all, it's clear that you've not checked out the current Communicator mail
module if you call it a "piece of crap". You simply don't know what you're
talking about. Same for Internet Explorer, whose mail module has gotten rave
reviews as the best mail program yet and caused reviewers to switch from
Eudora. It, too, has integrated crypto.

David






