Gnupg good for big groups?

Robert J. Hansen rjh at sixdemonbag.org
Fri Aug 6 00:32:37 CEST 2010


On Thu, 2010-08-05 at 19:00 +0100, MFPA wrote:
> This could be describing almost any social or work-related group!
> (-;

Networking theory is like that.  It takes a while to understand the
math, but once you do you see applications everywhere.

> I probably under-estimate the amount of churn - partly because few
> people actually leave the group rather than just stop posting and get
> culled at the next roll-call. It seems unlikely to me that key
> management is the major reason people sign up and don't hang around,
> since that also happens a lot in non-encrypted groups.

Yes and no.  Generally speaking, the number one reason why nodes drop
out of networks is the benefit is exceeded by the cost.  Or, in plain
English, "it just isn't worth the headache."  Marriages end for this
reason.  So do friendships.  Political alliances come apart.  Etc., etc.

So the question isn't whether key management is the major reason why
people sign up and don't hang around -- the question is more whether key
management is a major expense which adversely affects the cost-benefit
ratio.

As an example, if I were to start posting tomorrow's winning lottery
numbers to PGPNET, you'd hardly see any churn at all.  The benefit is
worth the cost.  But, as you've observed, the network's purpose is
generally social.  It's pleasant, but it's not exactly winning lottery
numbers.

Returning back to general discussion about networks and OpenPGP, the
usefulness of the information will be a (although perhaps not *the*)
major factor which will drive the network's growth.  The headache
involved in key management will be a (although perhaps not *the*) major
factor limiting the network's growth.

> If nothing else, I think it is very relevant to where "not encrypted
> to my key" appears on the scale from major problem to minor issue.

See above.

> Yes, you have made this very clear.

Good.  :)  My thanks to the various PGPNET guys for being good-natured
about this.  The group is a good laboratory for discovering and
understanding problems that arise in real-world OpenPGP deployments.

> I guess there is a more scalable model of openPGP-encrypted mailing
> list. Maybe members could encrypt to a group's key and the list-server
> decrypt, then re-encrypt for the members?

Some years ago I offered to write a tool for the group which would help
manage the key problem.  (Kind of.)  The idea was to write a small
Windows app that would automatically download the membership list once a
day and update Enigmail's pgprules.xml file.  This meant Enigmail users
would no longer be maintaining per-recipient rule lists by hand (which
is tedious, error-prone, and frustrating for newbies).  The process
would be entirely automated.

It sounds like a great idea, up until you consider that even if the spam
overhead problem is reduced by a factor of 10, that gain gets
obliterated once a few more people join the network.  The spam overhead
follows an exponential growth.  When dealing with exponential curves,
linear reductions -- even large linear reductions -- are pretty much
meaningless.

Ultimately, the group decided not to take me up on the offer -- the
overwhelming opinion was that they'd rather get experience editing
pgprules.xml by hand.  C'est la vie.  :)




