UrlBlogGrey

While reading the book 'Crypto' by Steven Levy, I became enamored with the idea of writing a tool to simplify the use of Pretty Good Privacy (PGP) to secure e-mail communications. I should have known better after having read about the pitfalls that dragged down PGP, RSA and others. I'm sure that the NSA is pleased with the outcome: the Common Access Card (CAC) has achieved widespread use in the U.S. Department of Defense with strong crypto for e-mail, while no such solutions exist in the public domain.

In any case, I came upon a nice set of cryptography APIs from Bouncy Castle for Java that perform common PGP operations such as key creation, signature verification, and stream encryption. Next, I set about to create a Java Swing GUI for creating a PGP keychain and key. This was pretty easy, but I have not been successful in verifying message signed using other PGP tools. Hopefully, I'll be able to solve the problem of verifying messages tomorrow. The next step I'd like to take is to provide for the specification of the PGP keyring filesystem location, and the importing of other people's public keys. Here's a screenshot of the 'keyring creation' dialog:

At this point, I'm afraid of wasting more time in pursuit of a convenient tool to encrypt & sign messages since it seems that after 15 years PGP is still not ready for prime-time. I don't think it's the result of a design flaw in PGP; rather, it seems that the infrastructure and standards aren't firm enough to ensure compatibility and ease of use.

It's really a shame that the continued lack of a Certificate Authority for PGP keys has been the downfall of secure e-mail. Without a CA, the dreaded "web of trust" as described by Bruce Schneier prevails. Users are required to trust one another based on credibility of a mutually known and trusted third-party. The credibility of the web’s connections decreases as it grows.