Is the OpenPGP model still useful?

Robert J. Hansen rjh at sixdemonbag.org
Wed Apr 27 18:41:26 CEST 2011


On Wed, 27 Apr 2011 11:09:00 -0400, "Mark H. Wood" <mwood at IUPUI.Edu>
wrote:
> o  Media-hopping:  each segment can be treated separately.  The users
>    know there is a thread of conversation but the technologies do
>    not.  So, is this point relevant?

Yes.  E.g., OpenPGP messages cannot be reduced to fit in an SMS message:
you'd need to break them apart into multiple SMS messages.  Different media
have different technical requirements.

>    Today the chief difficulty for a state really isn't technical or
>    financial, but legal.

Strongly disagree.  Figuring out the difference between signal and noise
seems to be highly nontrivial.

> o  "Encrypt each communication (Facebook post, SMS, whatever) with a
>    random 40-bit key.  Throw the key away.  Send it."  Isn't that what
>    we do now?

No.  Encryption -- even weak encryption -- is not pervasive.  It's my
position that pervasive weak encryption would make large-scale data
analysis difficult (further hammering the differentiation issue and making
a hard problem harder), while impacting regular users only slightly.

>    Or do you mean:  encrypt *everything*; don't ask, just
>    make encryption the default for all communication.  I could get
>    behind that.  (I've argued for some time that we ought to do away
>    with HTTP-not-S, not-S-SMTP, etc. and this just extends the
>    argument to another layer.)

My problem with HTTPS, SMTPS, etc., is they typically have scalability
problems.  Asymmetric crypto is CPU intensive.  I'd like to see, e.g.,
HTTPS for commerce, but if I visit Slashdot, go to a weaker system that's
not CPU-intensive but would still make mass surveillance problematic.

> o  Just so long as those who *do* care can plug in or wrap on something
>    stronger and more manageable if they wish.

Yes, absolutely.



