RE: PGP email encryption

["Jason Albuquerque" <JAlbuquerque () northkingstown org>]

CipherTrust Iron Mail Appliance is an Email Proxy server that runs its
own tweaked OPENBSD kernel.  It has the email encryption you need plus a
whole lot more!!!

Check it out.........


Jason Albuquerque

GIS Manager

Department of Information Systems

80 Boston Neck Road

Town of North Kingstown, RI 02852

Tel. (401) 268-1516

Fax (401) 295-2594

www.northkingstown.org

 "There are 10 kinds of people in this world. The ones who understand
binary and the ones who don't."


-----Original Message-----
From: Harrison Holland [mailto:harrisonholland () gmail com] 
Sent: Thursday, September 22, 2005 6:36 PM
To: AragonX
Cc: security-basics () securityfocus com
Subject: Re: PGP email encryption

Have you guys looked at ciphiremail.  That's a program that may help.

On 9/21/05, AragonX <aragonx () dcsnow com> wrote:
> <quote who="Meni Milstein">
> > Thank you for your detailed answer!
> > The reason I asked this question in the first place was because the
> > answers
> > I got (and keep getting) from the technical team and sales team at
PGP
> > were
> > inconclusive, and certainly WAY off what you are saying.
> >
> > There IS a web client to PGP, and one way to use "email encryption"
in PGP
> > (according to the tech team at PGP) is to have the PGP server catch
the
> > message after it passed through, say, my exchange server, and
instead of
> > sending that message, send another message (notification message) to
the
> > receiving end - with a link. The link will lead the user to read the
> > message
> > off the "web messenger" on the PGP server through HTTPS. The access
is
> > done
> > using a user entered pass phrase (which according to what you said -
is
> > very
> > bad.)
>
> I think the problem is PGP has been turned into more than it once was.
It
> once was a simple public/private key encryption program.  Now it's a
> company with a wide range of products.
>
> Personally, I would avoid PGP as a whole.  The US government has been
> pressing hard to get a back door into their keys.  I'm not sure if
they
> have one yet or not.  I'm not sure we would know if they did.
>
> Personally, I would suggest a solution based on gpg instead.
>
> http://www.gnupg.org/
>
> The way I see it, there is an easy way, and a hard way.
>
> 1)  Easy way - setup a web mail server using gpg encrypted messages.
>
>    Disadvantages
>
> 1 - You are relying on ssl encryption to protect the data once the
client
> logs on.  You could setup a secure VPN to mitigate this threat.
> 2 - The security of your server is greatly diminished by allowing
these
> external users access.
>
>    Advantages
>
> 1 - Easy to setup.
> 2 - Emails remain local and completely under your control.
> 3 - Depending on the countries you do business with, they may not be
> allowed to use gpg.
>
>
> 2)  Hard way - Send messages to your clients using gpg.
>
>    Disadvantages
>
> 1 - You must work with your client's IT staff to get this setup
correctly.
> 2 - Messages are out of your control once they leave your server.
>
>    Advantages
>
> 1 - You don't have to maintain the users on your server.
> 2 - Overall security of this setup is better.
>
> This is just the way I see it.  I could be way off base on some things
but
> I do feel you should avoid pgp and use gpg instead.


--
Harrison Holland