[clue-tech] Some thoughts about GnuPG.

David L. Anselmi anselmi at anselmi.us
Sat Sep 4 22:45:37 MDT 2010


Jed S. Baer wrote:
> No, the key doesn't have to be shared with an adversary, unless your
> definition of being shared includes their machine being lost, stolen, or
> confiscated by agents of the government.

It does.

> So let's say that Alice creates a key-pair using a weak passphrase. I
> send Alice my sooper-seekrit stuff -- let's say I've rediscovered the
> formulation for Reardon Metal. Industrial spies from Elbonia break into
> Alice's office and brute-force the passphrase, thus gaining access to my
> revolutionary formula. Oh noes! My business plan is ruined!

They didn't break in.  They picked up her printout from the trash.  So it's true, good information security is hard.  But it's harder if you don't have a key that you can trust is from Alice.

> Do we really expect lay persons to grok what is meant by what
> is a term of art in the PKI field?
[...]
> Then there's the additional barrier of saying,
> "Oh, now I have all these messages I can't decrypt because the key's been
> revoked." People just aren't going to deal with that inconvenience.

Key revocation doesn't actually work like that (but it does in the smart card world--kind of funny).

So to make it ubiquitous it has to be simple.  You can get that by consolidated control, to the extent it's in a corporation's best interest.  But you can also get it from some long haired Free Software whackos.  Look how easy it is to install Linux now.

It would be nice if this became something everyone used.  But it's enough if it works for me and my friends at CLUE.  And if I learn how to do that maybe I'll be able to teach someone else.

Dave
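[Added demonstration, not part of the thread above: Dave's remark that "key revocation doesn't actually work like that" can be checked directly. Revoking an OpenPGP key marks the public key unusable for new encryption; it does not touch the secret key, so mail already encrypted to it still decrypts. The script below runs entirely in a throwaway GNUPGHOME. It assumes gpg (GnuPG 2.1 or later) is on PATH; the identity "Alice <alice@example.test>" and the message text are constructed for the demo.]

```shell
# Added demo (not from the mailing-list thread): a revoked OpenPGP key still
# decrypts messages encrypted to it before revocation, but is refused for new
# encryption.  Everything happens in a temporary GNUPGHOME, so the real
# keyring is never touched.
# Assumptions: gpg is GnuPG 2.1+; the user id and message are constructed.

demo_revoked_key_still_decrypts() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg-not-found"; return 0; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    msg='Reardon Metal formulation (constructed sample)'

    # 1. Unattended, unprotected key (demo only; a real key gets a passphrase).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Alice <alice@example.test>' default default never \
        >/dev/null 2>&1 || return 1
    fpr=$(gpg --batch --with-colons --list-keys alice@example.test \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. Encrypt a message to Alice while her key is still valid.
    printf '%s' "$msg" \
        | gpg --batch --quiet -r alice@example.test -o "$GNUPGHOME/msg.gpg" --encrypt \
          2>/dev/null || return 1

    # 3. Revoke.  GnuPG 2.1+ writes a revocation certificate at key creation,
    #    disarmed with a leading ':' on the armor header; strip it and import.
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" \
        | gpg --batch --quiet --import 2>/dev/null || return 1
    # Validity field 'r' in --with-colons output means the key is now revoked.
    gpg --batch --with-colons --list-keys "$fpr" | grep -q '^pub:r:' || return 1

    # 4. Old ciphertext still decrypts: revocation leaves the secret key intact.
    plain=$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
                --decrypt "$GNUPGHOME/msg.gpg" 2>/dev/null) || return 1
    [ "$plain" = "$msg" ] || return 1

    # 5. New encryption to the revoked key is refused (gpg exits non-zero).
    if printf 'new message' | gpg --batch --quiet -r alice@example.test \
            -o "$GNUPGHOME/new.gpg" --encrypt 2>/dev/null; then
        return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    echo "decrypted-after-revocation;new-encryption-refused"
}

demo_revoked_key_still_decrypts
```

The practical consequence for Jed's scenario is that Alice keeps her old (revoked) secret key around to read her archive; what she loses is only the ability of others to encrypt new mail to that key.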

