Monday, April 27, 2009

Parliament says PGP told them PGP was incompatible?

Back in March I posted about how the Parliamentary IT people, PICT, were saying that Pretty Good Privacy (PGP) encryption, a desktop application, was not compatible with the Parliamentary VPN, and so members were advised not to install it and to install the recommended software instead.

The IT news website The Register followed up the story, as they too were slightly confused by the response. PGP told them that they couldn't see why their desktop application would be incompatible. John Callas, the CTO of PGP, left comments on my blog and elsewhere, as he commonly does, stating:
We look forward to talking to PICT or any other PGP user to resolve any deployment issues and use PGP effectively in their environment. We welcome PICT or anyone else to contact PGP Corporation's technical support directly, or to contact me personally and I will direct the appropriate people to resolve this issue.
I remind you of all this because the story has developed some more, as Francis Maude has been asking some follow-up questions. First he asked whether members could use PGP to encrypt their emails, and PICT said:
PICT's encryption services do not cover Members' emails once they have left the parliamentary network. Members' ability to install their own email encryption software was covered in the answer referred to above.
Now I don't get this answer at all. As was said, PGP is a desktop application: it encrypts an email on your own machine before the message is ever sent, and the output (ASCII-armoured ciphertext) is still plain text, just text that reads as gibberish to anyone who opens it without the matching private key. Nothing about that needs the network's cooperation; the parliamentary mail system and VPN simply carry another text message, which is the whole point of encrypting at the desktop rather than relying on the network. The suggestion here seems to be that you can't send gibberish over the PICT VPN, which to me sounds like errr... gibberish.
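The point that an encrypted PGP message is still just text is easy to show. As an added example (mine, not part of the original post and not PGP Corporation's code), the block below implements the OpenPGP ASCII armor framing from RFC 4880 section 6 using only the Python standard library: it wraps a constructed byte string standing in for an encrypted message, checks that the result is 7-bit printable text, unwraps it again and verifies the CRC-24 trailer. No encryption takes place; SAMPLE_CIPHERTEXT is a constructed placeholder and the function names are my own.

```python
import base64

# RFC 4880 section 6.1 constants for the armor checksum.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 exactly as specified in RFC 4880 section 6.1 (bitwise form)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, header: str = "PGP MESSAGE") -> str:
    """Wrap binary OpenPGP data in ASCII armor: BEGIN line, blank separator
    (no armor headers are emitted here), base64 body in 64-character lines,
    then '=' plus the base64 CRC-24 of the raw payload, then the END line."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_b64 = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {header}-----", "", *lines,
                      "=" + crc_b64, f"-----END {header}-----", ""])


def dearmor(text: str) -> bytes:
    """Parse ASCII armor back to bytes, verifying the CRC-24 trailer.
    Raises ValueError on a malformed frame or a checksum mismatch."""
    lines = text.splitlines()
    if not lines or not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----")):
        raise ValueError("missing armor header line")
    header = lines[0][len("-----BEGIN "):-len("-----")]
    tail = f"-----END {header}-----"
    if tail not in lines:
        raise ValueError("missing or mismatched armor tail line")
    end = lines.index(tail)
    # Optional armor headers (Version:, Comment:, ...) end at the first blank line.
    if "" not in lines[1:end]:
        raise ValueError("missing blank line after armor headers")
    blank = lines.index("", 1, end)
    body_lines = lines[blank + 1:end]
    if not body_lines or not body_lines[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    crc_line = body_lines.pop()
    payload = base64.b64decode("".join(body_lines), validate=True)
    expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: armored data was altered in transit")
    return payload


def is_seven_bit_text(text: str) -> bool:
    """True if every character is printable ASCII or a newline, i.e. the
    message would survive any path that carries plain-text email."""
    return all(ch == "\n" or 0x20 <= ord(ch) < 0x7F for ch in text)


# Constructed stand-in for an encrypted OpenPGP message: every byte value
# once, including control characters and bytes above 0x7F. No real
# encryption is performed anywhere in this example.
SAMPLE_CIPHERTEXT = bytes(range(256))


def round_trip_ok(payload: bytes = SAMPLE_CIPHERTEXT) -> bool:
    """The armored form is pure text and dearmors back to the same bytes."""
    text = armor(payload)
    return is_seven_bit_text(text) and dearmor(text) == payload


def tamper_detected(payload: bytes = SAMPLE_CIPHERTEXT) -> bool:
    """Change one character of the base64 body; the CRC-24 trailer must
    reject it (a change inside two adjacent bytes is within CRC-24's burst limit)."""
    lines = armor(payload).splitlines()
    first_body = lines.index("") + 1  # first line after the blank separator
    line = lines[first_body]
    lines[first_body] = ("B" if line[0] != "B" else "C") + line[1:]
    try:
        dearmor("\n".join(lines) + "\n")
    except ValueError as exc:
        return "CRC-24" in str(exc)
    return False


if __name__ == "__main__":
    print(armor(SAMPLE_CIPHERTEXT))
    print("round trip:", round_trip_ok(), "tamper detected:", tamper_detected())
```

Run it and you get the familiar -----BEGIN PGP MESSAGE----- block, which any mail server or VPN carries exactly like an ordinary text message. The CRC-24 only catches accidental corruption in transit; tamper resistance in OpenPGP comes from the MDC and signatures inside the encrypted packets, not from the armor.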

Next Francis Maude asked for the technical reason that PGP was not compatible with the PICT VPN. Apparently:
PICT was advised by Pretty Good Privacy Corporation that their product was not compatible with the versions of VPN software in use by Parliament.
That's funny: PGP seemed to tell The Register, and their CTO's comments seemed to imply, that this was the first they had heard of it. Is someone lying here, or has a call-centre script-based support monkey told them some rubbish? The plot thickens! Finally, Francis Maude asked PICT what the technical encryption standard in the software they recommended MPs to use was:
Following industry practice and as a policy PICT does not disclose information about the security products in use within Parliament.
OK, I understand why you might say something like that, but the encryption standard a product uses is not normally a secret; it is the keys that have to stay secret, and a published, reviewed algorithm is exactly what you would want an MP's email protected with, so the question was a fair one. Then again, this is a network that allows anyone to plug a remote device in, so can MPs really rely on the PICT security policy?

7 comments:

wonderfulforhisage said...

Dizzy old boy, OT (but only very slightly) would this PGP software help foil the Government's proposed email/phonecall snooping? I had a look at PGP's web site and it was a bit too technical for me to understand.

I know it's a bit of a nerve to ask but I'm sure many of your readers would appreciate a non technical explanation of how the snooping is going to work and any advice you may have on how to foil it other than emigration.

dizzy said...

That depends entirely on what they really are collecting. If it is just the From and To then no. However, if you were using a web-based mail service in the US, like Gmail, they would only be able to see that you visited that site and would not, I don't think, be able to snoop the To and From fields. I could be wrong on that though.

marksany said...

Perhaps PICT wants to be able to read all the MPs' mail as it leaves and arrives at the HoC? PGP would prevent them doing this and then reporting their findings to the Two Homes Secretary.

Richard said...

Presumably MPs use MS Exchange & Outlook for email. Wouldn't S/MIME encryption be more appropriate for them?

Installation and configuration of PGP is not trivial. It needs some sort of proxy email server running on the client PC. This can clash with anti-virus software running a similar server to check outgoing mail for viruses.

An X.509 certificate can be generated and installed in a few minutes. Thawte will give you one for free. The software is already built into Outlook. All you need to do is install the certificate and click the padlock icon to encrypt your mail. Even Jacqui Smith could manage that.

Anonymous said...

Surely the PICT security policy is that security gets to check up on MPs?

Jabba the Cat said...

Sounds like a case of FUD in an attempt to discourage use of PGP because the local lot can't crack it.

Anonymous said...

There's a wee bit of an update here.

"The service provider has told us that this product is not compatible with software used by Parliament".

Which seems (in light of the comments by PGP) rather odd.