GPG support in Mahogany

Tenui tenui@ifrance.com
Thu Dec 12 21:10:02 2002


On Thursday 12 Dec 2002 at 18:21 Dick Gevers wrote

 >On Thursday, 12 December 2002 at 7:10 h, Tenui wrote
 >about "Re: GPG support in Mahogany":

 >>Sorry, Dick, I must in turn disagree with you. It is
 >>not the privacy of the recipient that is encroached upon, but rather
 >>his/her personal liberty.

 >In my view these are almost synonymous, at least in this case.
 >Anyway I agree on that point.

 >>For the sender, though, it is a question
 >>of privacy, and maybe more (life, liberty, property, etc may well be
 >>at stake).

 >True, but he entrusts the contents of the message to the recipient,
 >otherwise he should not have sent the (encrypted) message to him.
 >
 >So he also trusts the receiver to not repeat the contents by any
 >means from the tempest viewer (no matter how, e.g. by retyping
 >word for word). So he can only *ask* the recipient to uphold the
 >utmost security when viewing his e-mail. However IMHO he
 >should not *force* the recipient under all circumstances
 >(including those of the highest possible security) to view them
 >by means of one viewer or another.
 >
 >It is naturally the responsibility of the recipient to observe the
 >highest possible security without infringing on that of the sender,
 >but the sender must trust the receiver to be the judge of his own
 >threat model, not the sender. If there is no such trust the sender
 >should not relay the sensitive data to the receiver at all.
 >
 >Therefor, IMO, Mahogany should not *force* the recipient to use any
 >kind of tempest viewer. It may be turned on by default but I as
 >recipient must be able to turn it off if I judge that my
 >circumstances permit that - without breaking the trust the sender
 >placed in me.
 >
 >You may, of course, disagree with me, but in that case I will not
 >use your application if it *forces* me to view the content of an
 >encrypted message in a manner that I prefer not to use. On the
 >other hand, as I said before, if you are in a position to *order*
 >me to do so then I can only observe the instruction. But that will
 >apply only if there is an agreed relation e.g. employer/employed,
 >contractor etcetera.

 >>Agreed, some users may use "for your eyes only" messages lightly,
 >>but if I send such a message it is because I have a good reason for
 >>doing so, and I must assume a priori that any sender also has a good
 >>reason.

 >Okay, in such cases I would say turn the tempest viewer on by
 >default, but in a secure setting the receiver should have the
 >liberty/privacy/right to turn it off. That does not relieve him of
 >the need to not break the privacy, liberty or security of the
 >sender. But that should remain in the hands of the recipient. If
 >the sender does not trust the receiver to that extent, then don't
 >send the message.

 >I trust this clarifies my view and I hope that you can to any
 >extent agree with what I am saying.

 >Best regards,
 >Dick Gevers=

OK. I can understand your point of view and I think it may well be that of 
the majority,
But I suspect that our difference of opinion is based on different 
experience of the need
for confidentiality. It is no longer the case, but during a certain period 
my life depended on
the confidentiality of the information I transmitted. And when it comes to 
my life I don't
trust anyone.

But on a more general level, we are talking here in reality about tempest 
attacks. No matter
how much I trust my correspondent, I have no idea if he may be the target 
for such intrusion.

So I would be happier to accept the sender's' wishes and, in cases that 
seemed unnecessary,
tell them that I preferred that they did not use this form of message 
unless it was absolutely
necessary.

Cheers,
Tenui

PGP key: http://www.tenui.tk/keys/0x4E19C1FF.asc
3A6F F173 43E5 6DC4 48BA FF96 0FB9 7EF0 4E19 C1FF