PGP 8

PGP 8.0 download links got fixed and the entire site got overloaded.  Luckily, I was able to download and install.  It seems more user friendly than older versions.  It installed a service named PGPsdkService although the PGP 8.0 SDK was not released today.  It's interesting to note that PGP 8.0 doesn't support Windows 95, which still has 3% market share, but does support Macintosh OS X, which has a fraction of the 2% market share enjoyed by Macintosh.  Blame it on momentum and coolness.  Now, all I need is the SDK to start playing with PGP 8.  I'll have to support GPG too but money follows money so I must follow PGP 8 first.

PGP and GPG

I have been looking into PGP and GPG lately with an eye toward supporting them in an upcoming digital signature software I am designing.  All the different versions of PGP out there are pretty confusing.  PGP developer information is pretty lame also.  PGP 8 is supposed to be released today along with source code, but broken links and a delayed SDK make its release a non-event.  GPG is apparently pretty solid but it's GPL-based and installation sucks.

Busy Signal

I haven't updated my blog in a while now.  Primarily, I have been busy.  For the past few days, for example, I have been working on an Adobe Acrobat plug-in for a client.  It basically allows you to digitally sign Acrobat documents.  The digital signature part is a no-brainer, but the Acrobat SDK is a beautiful nightmare.

Money in Motion

The Korean word for money is the same as my first name, Don.  It means turning or circulation.  If money doesn't circulate, you end up with what has been going around in Japan for the past ten years and the US for the past two years.  The current trend toward free software and open source encourages circulation of goods and discourages circulation of money.

Open Letter to Jeremy Allaire

Dear Jeremy,

I would like to ask you to put the following two features into Flash that will impact both Macromedia and the Web tremendously.  Here are the features:

1. User Control over Flash Content Feed (aka Slap Button)

It's simple: give web surfers a button somewhere on the browser toolbar that will disable flash content from the particular site currently being viewed.  If more than one site is involved, disable them all.  If flash content is being blocked already, the button should provide some feedback showing there is flash content available, so those who enjoy being annoyed can do so.

2. Cryptography Support

Add crypto support to Flash that can be used for encryption/decryption, digital signature, strong authentication, and other cryptographic applications.  The business world needs zero-install clients with cryptographic features: online payment companies, banks, financial institutions, law firms, hospitals, accounting firms, B2B companies, auctions.  The list goes on and on.

Need a document signed?  Just convert the PDF to Flash and embed digital signature code that uses Flash's built-in crypto functions.  Encrypted web-based mail (see Identity-based Encryption) and secure web-storage also become possible using Strong Flash.  New online payment technologies like Verified-by-Visa, MasterCard SecureCode, PayPal, and Bill Me Later as well as B2B e-commerce technologies can also take advantage of Strong Flash to strongly authenticate transactions without requiring the users to install software.  PassPort and Project Liberty can benefit as well.

Best,

Don Park
Docuverse

Extending 3D-Secure

3D-Secure (used in Verified-by-Visa and MasterCard SecureCode) is extensible in two ways:

  1. <Extensions> element – this element can be used to transmit vendor-specific elements as well as standard extensions (there are none at this moment).
  2. Custom message type – you can send new request/response message pairs like PAReq and PARes to either an ACS or the DS.

Both ACS and DS are supposed to be able to withstand hacker attacks, so it should be fairly safe to send unknown messages to them.  The worst that can happen is logging.  The same applies to custom elements dropped into <Extensions>.
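A receiver-side sketch of that "ignore and log" behaviour, added here as an example and not taken from this post or from the 3D-Secure specification: it handles the vendor elements it knows and records the rest without acting on them. Only `Extensions` and `PAReq` are names from the text; the message layout, the `FormFill` and `LoyaltyPoints` elements, the limits and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 16 * 1024   # assumed size cap for one message
MAX_EXTENSIONS = 8      # assumed cap on vendor elements per message

# Constructed sample, not the real 3D-Secure schema.
SAMPLE = b"""<Message id="demo-1">
  <PAReq>
    <Extensions>
      <FormFill vendor="example-vendor">name,address,ssn</FormFill>
      <LoyaltyPoints vendor="other-vendor">42</LoyaltyPoints>
    </Extensions>
  </PAReq>
</Message>"""

def handle_form_fill(elem):
    # Honour only allow-listed field names; drop anything else requested.
    allowed = {"name", "address", "phone"}
    wanted = [f.strip() for f in (elem.text or "").split(",")]
    return [f for f in wanted if f in allowed]

HANDLERS = {"FormFill": handle_form_fill}  # extensions this receiver knows

def process_message(raw):
    """Return (results, ignored_tags); raise ValueError on a rejected message."""
    if len(raw) > MAX_BYTES:
        raise ValueError("message too large")
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    ext = root.find("./PAReq/Extensions")
    children = list(ext) if ext is not None else []
    if len(children) > MAX_EXTENSIONS:
        raise ValueError("too many extensions")
    results, ignored = {}, []
    for child in children:
        handler = HANDLERS.get(child.tag)
        if handler is None:
            # Unknown vendor element: note the tag for the log, do nothing else.
            ignored.append(child.tag)
            continue
        results[child.tag] = handler(child)
    return results, ignored
```

The unknown element's content is never interpreted or echoed back; only its tag name is kept for logging.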

This means it should be all right for each 3D-Secure vendor to start defining new message types and extensions.  Of course, neither Visa nor MasterCard will be happy with this, but these vendor extensions will allow 3D-Secure to evolve and survive far beyond what can be achieved by a central committee dictating each and every new 3D-Secure message type and extension.

A very useful 3D-Secure extension is Form Fill.  Why bother asking users to fill in all the payment fields when all you really need is the credit card info?  Just ask the user to provide the card information and press the Buy button.  If the card issuer supports form-fill, cardholder information necessary to complete the transaction will be returned in the Extensions.  If not, ask for them.  Since the user approved the transaction already by entering their PIN, they will be more likely to complete the transaction.

Another useful 3D-Secure extension is Digital Identity.  Have the user log in or sign up for membership by entering their credit card info.  If the ACS supports the Digital Identity request, whatever information the user allowed the card issuer to share with the merchant will be returned when asked by the merchant.

Extensions like these can and will make 3D-Secure the online payment protocol for the next twenty years.

Robb Beal on OSAF, 501c3/6, and Quality

Robb Beal questions OSAF's status as a charitable organization and brings up an interesting point:

With a free product, you largely don't have to compete on other aspects. (Or, put another way, users tend to discount the quality of a non-free product when there's a free alternative.)

This corresponds with my thoughts on quality and functionality thresholds.  While both factors matter, their impact drops off after a certain point.  Once free software achieves a sufficient level of quality and functionality, there is no room for commercial software.

If I am completely happy with what I have been using, why would I want to switch to something new that provides features I care little about?  Even if the new software costs only $1, the cost of migrating data and training weighs in.