Gnupg good for big groups?

MFPA expires2010 at
Thu Aug 5 01:12:59 CEST 2010

On Wednesday 4 August 2010 at 6:57:57 PM, in
<mid:4C59AA25.6080505 at>, Robert J. Hansen wrote:

> It is also worth noting that PGPNET has some very big
> problems with key management.  PGPNET users are
> apparently comfortable wrestling with these problems
> (more power to them for that), but we shouldn't pretend
> the problems don't exist.

In a business-critical setting where it is very important that such
things "just work" and do so efficiently, this model undoubtedly would
fall considerably short of the mark. In a friendly, social forum like
PGPNET, I would characterise these "very big problems" more as minor
issues and/or learning opportunities.

It's really no big deal, just a case of adding/deleting a key in your
encryption list each time a new person joins/leaves/changes their key.
For those who don't want to "manage" it themselves, shortly after any
change one of the moderators posts a list of members and their key
IDs to the group's file area, along with an asc file containing all
the members' keys; sometimes this may happen a couple of times in a
week but more often it's well over a month. And twice a year there's a
month-long "roll-call" - anybody who doesn't post in that month is
removed from the group.

> 40 members equals 780 separate communications links, each one of
> which can fail and produce problems for other people. The network
> begins to get spammed with "that last message wasn't encrypted to my
> new key, please re-send."

There is a certain amount of that, obviously. Some people use more
than one system and forget to update them all, or update their
installation and break something. Or come back from vacation and post
messages before spotting there are new members. But it's not as much
of an issue as you might expect. Remember, the communications are
neither urgent nor important.

> PGPNET is probably operating pretty close to the limits of OpenPGP.
> At some point the math bites you hard and doesn't let go.

Some time back, the head count on PGPNET was in the mid-high 40s and
there were more issues. The inevitable increase in instances of human
error, plus I also think I recall some people's software would fail to
reliably encrypt to that many keys - not report any errors, just send
the message encrypted to a subset of the keys.

> A couple of years ago at USENIX Dan Wallach of Rice
> University talked about his difficulties getting 30
> Ph.Ds in computer science to all communicate on an
> OpenPGP-encrypted mailing list.  His precise phrasing
> was, "it was the torment of the damned."

Maybe the issue is that he was getting them to do it, rather than them
choosing of their own volition. Some new members on PGPNET seem to
have great difficulties; they overcome them or give up. Most are able
to master it fairly quickly, with help and guidance from existing
members as requested.

--
Best regards

MFPA                    mailto:expires2010 at

All generalizations are dangerous, even this one.
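One way to catch the "that last message wasn't encrypted to my new key" case discussed above before it hits the list, written here as an added example (not the poster's code, and not part of GnuPG): it parses the public-key encrypted session key packets of a binary OpenPGP message and reports which members of a moderator-style roster the sender left out. The roster, the member names and key IDs, and the message bytes are all constructed inline for the example.

```python
PKESK_TAG = 1  # public-key encrypted session key packet, RFC 4880 section 5.1

def iter_packets(data):
    """Yield (tag, body) per packet; partial and indeterminate lengths are rejected."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        pos += 1
        if ctb & 0x40:  # new-format header (section 4.2.2)
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header (section 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def recipient_key_ids(data):
    """Long key IDs (16 hex digits) the message is encrypted to; all zeros = hidden recipient."""
    return {body[1:9].hex().upper() for tag, body in iter_packets(data)
            if tag == PKESK_TAG and body[0] == 3}

def missing_members(roster, data):
    """Roster members (name -> long key ID) the message was not encrypted to."""
    got = recipient_key_ids(data)
    return sorted(name for name, kid in roster.items() if kid.upper() not in got)

# Constructed sample: two PKESK packets (old-format headers, v3, RSA, dummy MPI)
# followed by a dummy SEIPD packet (tag 18). Names and key IDs are made up.
def _pkesk(key_id):
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x08\xab"
    return bytes([0x84, len(body)]) + body

ROSTER = {"alice": "0123456789ABCDEF", "bob": "FEDCBA9876543210", "carol": "0011223344556677"}
SAMPLE_MESSAGE = _pkesk(ROSTER["alice"]) + _pkesk(ROSTER["bob"]) + bytes([0xD2, 3]) + b"\x01\x00\x00"

if __name__ == "__main__":
    print("not encrypted to:", missing_members(ROSTER, SAMPLE_MESSAGE))  # ['carol']
```

On a real message, `gpg --list-packets` shows the same key IDs; an ASCII-armored message needs `gpg --dearmor` first to obtain the binary packets this parser expects.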