Encouraging email security.

David Shaw dshaw@jabberwocky.com
Wed May 21 14:13:43 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, May 18, 2003 at 02:19:21AM +0000, tk wrote:

> A large proportion of e-mail users communicate mostly in their own
> "small-world" communities and they have absolutely no problem
> whatsoever exchanging, authenticating, revoking, etc. their public
> keys. It is also most likely that communication with fellow members
> of such communities will need to be protected (as opposed to the
> communication with strangers). I would thus suggest that a
> simplified GPG version (GPG-lite?) should be constructed and
> deployed, where the system does not even attempt to assist (let
> alone control) the dissemination, authentication and revocation of
> public keys. The security of such a system would remain as strong as
> the "real thing", provided that the key is exchanged in person (its
> fingerprint verified over phone, printed on a business card etc. etc.).

This is a fairly frequent request, but the functionality you desire is
built into every copy of GnuPG.  GnuPG is extremely configurable.

For example, to completely disable the web of trust, put:
  always-trust

in your gpg.conf file.  That makes all keys fully valid and ignores
all signatures on them.  A slightly less drastic way to disable the
web of trust is:

  max-cert-depth 1

That makes GnuPG trust any key you have signed yourself, but no
others.

If you want certain ciphers to be used, try:

  default-preference-list ""

That makes the key use only 3DES, SHA1, and ZIP (or none) compression.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+yVB94mZch0nhy8kRAuxCAKCd+0Q2xROG38651OVDVlgIgwMCNwCfW40/
u/w0VUkCVafHXW4PBfRc9F8=
=JlIo
-----END PGP SIGNATURE-----
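The three options from the reply above, assembled into one gpg.conf so the trade-offs sit side by side. This is an added example, not a configuration from the post or one shipped with GnuPG; the comments about later GnuPG releases and the setpref workflow are the editor's additions, not the poster's.

```conf
# gpg.conf -- added example assembling the options discussed in the post.
# Use ONE of the two trust settings; both appear here only for comparison.

# Option A: disable the web of trust entirely. Every key in the keyring is
# treated as fully valid, so a wrong or substituted key is never flagged.
# (In later GnuPG releases this option is an alias for "trust-model always".)
#always-trust

# Option B: keep validity calculation but do not follow signature chains.
# Only keys you have signed yourself become valid; other people's
# signatures on a key do not make it valid on their own.
max-cert-depth 1

# Restrict the algorithm preferences written onto keys generated from now on.
# An empty list falls back to the mandatory set: 3DES, SHA1 and ZIP.
# Keys that already exist keep the preferences stored on them; those are
# changed with "gpg --edit-key <keyid>" and its setpref subcommand
# (assumed workflow, not described in the post).
default-preference-list ""
```

After changing the trust setting, run `gpg --check-trustdb` so validity is recomputed under the new rules before relying on what `--list-keys` reports. Option B is the one that still gives you a signal when an unknown key turns up; Option A removes that signal entirely, which is exactly the "small-world" model the original request asked for and should be chosen deliberately.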