Old PC as Hardware Security Module?
Robert J. Hansen
rjh at sixdemonbag.org
Tue May 15 11:33:17 CEST 2007
> Is it not legitimate then to discuss what level of trust it
> deserves and what level of trust is sufficient for what purpose?
'Legitimate' is a bad word to use. Is it legitimate? Sure, I guess,
as long as you live in a nation with strong freedom of speech laws.
If you live in Cuba, you might get some inquiries from the police
about your interest in cryptography. Certainly, nobody here is going
to tell you that you can't talk about these subjects.
But is it wise? Is it productive? Probably not.
The idea that there should be a discussion about what level of trust
GnuPG deserves is, frankly, absurd. It implicitly casts the
discussion in terms of there being a single Platonic ideal for what
GnuPG should do, and a yardstick with which to measure how well GnuPG
matches the ideal.
> If JAP users had known that the German government could legally
> compel the JAP developers to secretly compromise the system, would
> that be a significant factor in deciding whether to use it or use
> something else?
I don't mean to sound rude here, although I'm afraid it's going to
come out that way. Please read this as if my tone is calm and
sympathetic, not harsh and bitter.
For you, maybe it should be. For me, maybe it shouldn't.
As an example, when I was an exchange student in Germany my host
father was a German state prosecutor.[*] Do you think he would be
more or less likely to use JAP on the basis of his knowledge that it
the JAP folks at Dresden would cooperate with law-enforcement?
Should we think that his opinion is right or wrong, just because it
contradicts your position?
Werner already gave you this answer, more or less. What he said was:
"For whatever reasons the JAP folks at the Dresden university
they want to help them. There was no actual need. I recall a
conversation with the resonsible professor where he told me: yes,
in favor of anonymity but there needs to be a limit; child porn
of a reason to help the prosecution office."
Different people will have different security policies, there's
nothing you can do to change that, and the fact the policies are
different doesn't say anything about whether you're right and they're
wrong or vice-versa.
You get to decide your security policy. You don't get to decide
anyone else's. In fact, I think it's unethical to even try to
influence other people's security policy. I think the most you can
ethically do is calmly present information, separate the things you
can prove from the things you suspect, distinguish objective fact
from subjective opinion, and trust that if enough people do this, we
will all be enriched.
[*] You Germans on the list, you have no idea how much I envy you. I
left Hildesheim in '94 and I've wanted to return ever since. It's
the first city I ever found that felt like home to me. I've missed
it ever since.
> If the German government can legally compel the distributors of the
> OpenPGP Card to secretly compromise it, would that be a significant
> consideration in deciding whether to use it or switch to something
> open source? Is it really unreasonable of me to ask such questions?
Yes. Because why are you even bothering asking such an important
question like that on the internet?
You don't know me. For all you know I work for the NSA. Why would
you put any stock whatsoever in my opinion?
If this is the sort of question you want to ask, then find people you
know, people you know to be wise, people you know to be calm, people
you know to be reasonable. People you trust. Ask them, talk it over
You don't know me and that means you probably shouldn't trust me.
Despite that, you appear to be putting an awful lot of emphasis on
getting me to agree the sky is falling. This makes me think that you
want to use my opinions as a drunkard uses a lamppost... for support,
not for illumination.
More information about the Gnupg-users