secure sign & encrypt

Robert J. Hansen rjhansen at inav.net
Wed May 22 16:31:01 CEST 2002


> Why do locks exist, then? The existence of thieves is a purely

Mostly to make homeowners feel safe.  Locks don't exist to keep burglars
out.  My parents lock their front door religiously every single night,
and have a cognitive dissonance in place regarding the large bay window
by the front door.  When I go home to visit, I sometimes like to make a
demonstration of just how silly the front door's lock is by picking
it--lockpicking isn't a hard skill to pick up, incidentally; it just
requires a little devotion.  The reaction I get from Mom and Dad is
always the same: "I wish you wouldn't do that."  Not, "Oh, dear, that
lock's insecure, we need to change it."  My parents are very typical
people in this regard.

You're right; burglary is a sociological problem, and one shouldn't try
to solve it with technological means.  Aggressive law-enforcement, which
is a sociological measure, has a much better track record than locks,
which are purely technological ones.

> I agree it'd be breaking (I'd call it extending, but call it what you
> want). But I argue that it's just automating a task the user presently
> has to do manually.

It's breaking a standard for no effective increase in security.  If the
person you're communicating with is untrustworthy, they can still do all
sorts of things to you which are a thousand times worse than this
(fairly trivial) attack you're worried about.

> Currently, to get secure, authenticated end-to-end encryption with gpg,
> the sender has to sign/encrypt/sign, which presently requires at least 2
> gpg invocations, and the recipient has to manually verify that the inner
> and the outer signature match. 

No: only people whose threat models include a paranoiac distrust of
their recipients have to worry about this.  My threat model doesn't
incorporate that, and thus, I can get (just to be buzzword-compliant)
"secure, authenticated end-to-end encryption with GPG" just by signing
and encrypting.

Many other people share my threat model, and changing GPG's behavior
would mean GPG would no longer well-represent our threat model.  

> What I propose does basically just automate this task. It might do so by

... and breaks RFC.






