Technology & Cryptography FAQ

Q: What kind of encryption does the VaultletSuite use?

Q: Why in the world do we need another encryption program, isn't PGP good enough?

Q: Why doesn't the VaultletSuite use and/or support PGP?

Q: What platforms does the VaultletSuite run on?

Q: What's so special about Open Source?

Q: So, what part of your code are you open sourcing?

Q: I hear that SHA1 is broken. How does that affect the VaultletSuite?

Q: What kind of encryption does the VaultletSuite use?

A: VaultletSuite uses 2048-bit RSA public-key encryption and 256-bit AES encryption, as implemented in the Bouncy Castle Lightweight Crypto API, along with the Moonbounce Crypto Wrapper API.


Q: Why in the world do we need another encryption program, isn't PGP good enough?

A: 1) PGP/GPG, as technically wonderful as it is, is about as fun and user friendly (for the friends, family and significant others of security and crypto geeks) as playing rugby with a cactus, hence its less-than-stellar adoption rate.

Note: That nobody has succeeded in putting PGP/GPG into simple, easy to use interfaces for mortals is no comment on the merits of its creator or the historical importance of the story behind the struggle to freely distribute it and other strong crypto.

Note 2: In fact, even Phil Zimmermann thinks PGP is hard to use.

2) It's not a program, it's an end-to-end suite of solutions that takes advantage of the user's effort to create a key pair for public key encryption: you use the same key pair for email, password stashing and file encryption.

3) Use of the key pair is transparent. Users need to know nothing other than their private key's passphrase to use it and to publish or revoke their keys.

4) It's available from just about anywhere, and automatically and transparently updates itself on Linux, Win32 and OS X via Java Web Start. If you're using a USB flash drive for your local data cache, you have simple and transparent access to your email archive, password cache and encrypted files from just about anywhere too.

5) VaultletMail isn't just secure, spam-free email, it's great email: messages go only to intended recipients and no further (ScopeControl), and only live as long as their authors allow them to (HalfLife).

6) It plays well with others: it allows you to send and receive email outside of the system too, via SMTP.

7) It's based entirely on an Open Source stack; the high-level encryption wrapper library, which is based upon the highly regarded and widely used Bouncy Castle encryption library, will be released as open source in late spring 2005 (around v1.2.2).

It is, quite simply, the easiest and most secure way to kick the "everything's a postcard" habit.


Q: Why doesn't the VaultletSuite use and/or support OpenPGP?

A: There are a number of good reasons. Here are a few: 1) one of our design goals was to reduce the complexity of our source code so that the end result would be secure *and* easy to maintain. This frees up our time so that we can dedicate our energies to innovating in terms of the user's experience; 2) our users and target market are people and organizations that don't need 17 different encryption algorithms, key exchange protocols and key lengths; rather, they are people who realize that they just need one industry standard configuration that works; and 3) while PGP is admittedly the crypto gold standard, it is far from dominating the potential market for secure communications.


Q: What platforms does the VaultletSuite run on?

A: The VaultletSuite server software is based on an entirely Open Source stack: Linux, Apache, JBoss, Tomcat, Axis, KSoap, MySQL and Bouncy Castle, while the client software runs and is supported on Windows, Linux, Solaris and Mac OS X. Even though the client software probably works on other platforms, such as FreeBSD or AIX, we don't currently have the resources to test and support it on these platforms.


Q: What's so special about Open Source?

A: What we initially found, and continue to find, attractive about Linux and many other such Open Source projects is the crucial distinction between process and product, Open Source embodying the former, commercial software the latter; the role that transparency and accountability play in providing software that is released for use solely according to its readiness for redistribution (which is largely attributable to the fact that the contributors' reputations depend upon it); and finally, the fact that all aspects of development take place in the open, where they are subjected to the perpetual scrutiny of thousands of participants and observers.

Transparency in process, and personal accountability for results, engender respect and, ultimately, trust in a given software package. Trust is an integral part of privacy and security; not blind trust or wishful thinking, but the kind of confidence that arises from the knowledge that, if not you, then other people are looking out for your interests; that, "given enough eyeballs, all bugs [or backdoors/exploits/machinations] are shallow". The same could arguably be said of government too.


Q: So, what part of your code are you open sourcing?

A: We've released the source code to txikisoft's Moonbounce wrapper classes under the LGPL license, in addition to some other handy secure programming tidbits we created when we hit version 1.2.2 in the summer of 2005. You can find the Moonbounce source here, and our VaultletSuite Client Source Code for Peer Review page here.


Q: I hear that SHA1 is broken. How does that affect the VaultletSuite?

A: Indeed, it is. Check out what Bruce Schneier has to say about it.

This has no effect on the VaultletSuite, as we use SHA256 as a part of our HMAC algorithm, which is a highly regarded published spec for generating message authentication codes. This algorithm is also recommended by Ferguson and Schneier in their book Practical Cryptography.
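
For readers who want to see what an HMAC built on SHA-256 involves, here is an added example; it is not VaultletSuite or Moonbounce code. It writes out the RFC 2104 construction and verifies a tag in constant time. The `seal`/`open_sealed` names and the tag-then-message framing are assumptions made for illustration, since the page does not describe how the suite frames its authenticated data.

```python
import hashlib
import hmac
from typing import Optional

BLOCK_SIZE = 64   # SHA-256 input block size in bytes
TAG_SIZE = 32     # SHA-256 output size in bytes


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC (RFC 2104) instantiated with SHA-256, written out step by step."""
    if len(key) > BLOCK_SIZE:             # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to one block
    inner_key = bytes(b ^ 0x36 for b in key)
    outer_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()


def seal(key: bytes, message: bytes) -> bytes:
    """Prefix the message with its tag (hypothetical framing)."""
    return hmac_sha256(key, message) + message


def open_sealed(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the message if the tag verifies, otherwise None."""
    if len(sealed) < TAG_SIZE:
        return None
    tag, message = sealed[:TAG_SIZE], sealed[TAG_SIZE:]
    # compare_digest avoids leaking how many leading tag bytes matched
    if not hmac.compare_digest(tag, hmac_sha256(key, message)):
        return None
    return message


if __name__ == "__main__":
    key = bytes(range(32))                         # constructed sample key
    sealed = seal(key, b"constructed sample message")
    tampered = sealed[:-1] + bytes([sealed[-1] ^ 1])
    print(open_sealed(key, sealed))
    print(open_sealed(key, tampered))
```

The hand-written `hmac_sha256` produces the same bytes as the standard library's `hmac.new(key, message, hashlib.sha256).digest()`; production code should call the library version.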
