gpg "simplified"?

Faramir faramir.cl at gmail.com
Wed Aug 22 05:16:53 CEST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 31-07-2012 8:17, peter.segment at wronghead.com wrote:
...
> Correct me if I'm wrong, but it is unreasonable to expect anybody 
> to successfully and safely use gpg without understanding the 
> concepts and mastering the skills essential to the WOT:

  I think you are wrong about that. All the user needs is a properly
configured portable install of GnuPG (and very likely an easy-to-use
GUI, because if Alice can't understand the WoT, using the CLI probably
won't make her happy at all).

  The "group manager" (from now on, the administrator) has a key, used
to sign the members' keys (as Robert explained in the message from July
31, about using Thunderbird+Enigmail). Gpg is configured to trust the
administrator's signature, probably her own signatures, and nothing else
(so it will be a very short WoT). If she encrypts a file to a public
key, either:

a) Gpg sees the key is signed by the administrator and allows the
encryption. Alice doesn't have to know about the internal magic in
this process.

b) Gpg doesn't find the administrator's signature and rejects the
recipient's key as not valid. Alice doesn't need to know what that
means; she just needs to know "if GPG doesn't let me do this, I must not
do this". Of course, if all the keys she has available came from the
software provided by the administrator, this will never happen.

...
> "group manager" in the widest possible sense). He can easily do
> all the necessary key management (distribution, verification,
> revocation...) functions in the course of his other (quite
> extensive, actually) group management tasks and activities.

  Then the end user will never have to bother about what a WoT is. GPG
and the group manager will handle that part. The end user just needs an
updated public keyring.


> Most users in this group have no single computer they operate on.
> Occasionally they must be able to create cipher-text on "drive-by"
> computers, not connected to the public network or where any
> network access is raising undesired attention. It is essential
> that the software requires no "installation" on the computer it is
> to be used on. (i.e., it must be statically linked, with no
> external dependencies).

  I have GPG with GPGShell on my USB flash drive, and I can encrypt,
decrypt, and generate keys quite easily. Of course I can do a lot more
things, but I'm not forced to do any other thing. And since GPGShell
is JUST a GUI, that means GPG can do the same things from the command
line, and unlike the GPGShell GUI, it is available for Windows, Linux, etc.

  Now that I have said that, I must also say I don't enter my private
key passphrase on a computer I don't trust. In fact, I don't remember
if I have ever used my portable gpg, other than to test whether it works.
I carry it with me just in case I go to visit my father and, for some
strange reason, want to decrypt a file I have in my 4shared account.
I know his computer is probably safer than mine, since he uses it just
for work, doesn't install stuff on it, and so on.

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
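The keyring Faramir describes, in which Alice's gpg accepts the administrator's certifications and nothing else, as an added shell example that is not code from the original post. It assumes GnuPG 2.1 or newer on PATH; all names, addresses and directories are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the administrator acts as the
# sole trusted introducer in Alice's portable GnuPG keyring. Requires GnuPG 2.1+.
set -u
GEN='--batch --quiet --pinentry-mode loopback --passphrase'

# Generate a passphrase-less key in the given GNUPGHOME and print its fingerprint.
mkkey() {  # $1 = GNUPGHOME, $2 = constructed address
    GNUPGHOME=$1 gpg $GEN '' --quick-generate-key "$2" default default never 2>/dev/null
    GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" | awk -F: '/^fpr/{print $10; exit}'
}

setup_keyring() {
    ADMIN_HOME=$(mktemp -d); ALICE_HOME=$(mktemp -d)
    chmod 700 "$ADMIN_HOME" "$ALICE_HOME"
    # Administrator's machine: its own key, a member key that it certifies, and an
    # unrelated key that reaches Alice without the administrator's signature.
    admin_fpr=$(mkkey "$ADMIN_HOME" admin@example.invalid)
    member_fpr=$(mkkey "$ADMIN_HOME" member@example.invalid)
    mkkey "$ADMIN_HOME" outsider@example.invalid >/dev/null
    GNUPGHOME=$ADMIN_HOME gpg $GEN '' --yes -u "$admin_fpr" --quick-sign-key "$member_fpr"
    # Alice's portable install: her own key, the public keyring the administrator
    # ships, a local signature on the administrator's key so it is valid, and
    # full ownertrust (5) for it so its certifications count. Nothing else is trusted.
    mkkey "$ALICE_HOME" alice@example.invalid >/dev/null
    GNUPGHOME=$ADMIN_HOME gpg --batch --export \
        | GNUPGHOME=$ALICE_HOME gpg --batch --quiet --import 2>/dev/null
    GNUPGHOME=$ALICE_HOME gpg $GEN '' --yes --quick-lsign-key "$admin_fpr"
    printf '%s:5:\n' "$admin_fpr" | GNUPGHOME=$ALICE_HOME gpg --batch --quiet --import-ownertrust
}

# Exit 0 when Alice's gpg accepts the recipient (case a in the post),
# non-zero when it refuses the key as not valid (case b).
can_encrypt_to() {  # $1 = recipient address
    printf 'hello\n' | GNUPGHOME=$ALICE_HOME gpg --batch --quiet -r "$1" --encrypt >/dev/null 2>&1
}

# Stop the per-keyring agents and remove the throwaway directories.
teardown() {
    GNUPGHOME=$ALICE_HOME gpgconf --kill gpg-agent 2>/dev/null
    GNUPGHOME=$ADMIN_HOME gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$ADMIN_HOME" "$ALICE_HOME"
}
```

Run `setup_keyring`, then `can_encrypt_to member@example.invalid` succeeds while `can_encrypt_to outsider@example.invalid` fails with "Unusable public key", with no need for Alice to inspect any signature herself.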
