Why ¨trouble¨ ?

No such Client nosuchclient at gmail.com
Tue Aug 28 05:24:06 CEST 2012

On 08/28/2012 04:20 AM, pants wrote:
> On Tue, Aug 28, 2012 at 03:54:19AM +0200, No such Client wrote:
>> Why put your pubkey up forever, to make it easier to socially or
>> technically attack your comms?  
> I mean, by having access to a public key turns the technological attack
> on encrypted data from an intractable one to an intractable one.  You
> might now have a problem that goes with some smaller number raised to
> the n, but that grows exponentially with n nonetheless.
> # -> ¨from an intractable one to an inctractable one¨ (you mean ¨ẗractable¨ yes?) On a sidenote, If you have.. 5 gpg keys for example, one with real name, one backup, one for a group that you are a member of, one for your close relatives, and one for a former colleague, if the goal isnt to whore your public keys to be publically signed, how it is a problem to have a small series of people who each have different keys (the goal is to sign/encrypt with various social spheres of your life. ) 
>> Perhaps it is different in your country, however in the military, we
>> often have to think pragmatically of the human weakness, and when
>> symmetric or pKI is appropiate. Otherwise, others are at risk.
> Yes, it is fortunate that I, and indeed most of the cryptographic
> community, will likely never face any sort of physical coercion.
# very fortunate, however it also is why those that do, are often
frustrated or ignored by those who simply can never imagine the
situations, and how things are often not as simple as signing keys, or
using keyservers, or the tactical risks inherent something, which in the
¨normal world¨ would be quite routine and harmless. Even cryptographers
have social biases.
>   I, for
> one, am more concerned with privacy than with any serious data
> sensitivity.
# sure, and that is your prerogative to shape your security stance to
your personal risk-assessment, which ofc is shaped by your views,
experiences, interests, intentions. Nothing wrong with that. What is
wrong is when some (not saying you personally) , assume that their
intended usage or views of crypto is the same as all others, and apply
their personal views, opinions, or biases to others and judge them with
their own standards. I personally use gpg for work, play, family, and
friends because of the fact that I do not want to risk my loved ones, or
friends being hurt if I made a mistake. for sensitive data, simply lower
the cryptolength of keys.. ie, use 1d - 1w expiring keys, transmitting
data, and ofc having stringent controls of pubkey dissemination for
operational security.
>   But the addition of a frail human element into the problem
> is certainly interesting.
#agreed. I believe there is a field which deals with such things as
trust, loyalties, psychology, interests, motivations, power, coercion,
psychology.. Such a field might be stereotypically depicted in the
popular media, however cryptography goes hand in glove, with such a
(under)world. Crypto is what keeps our secrets safe, and our
civilizations safe. It is a powerful weapon, and like any other weapon,
is a double-edged sword. Layering this to mitigate against human
weakness is .. common sense if you have something to lose. If your
family was in some kind of unpleasant situation because someone
*thought* that you were working against their interests, I am confident
that you would take steps to protect them ja? Both digitally, and
physically no? Crypto is another tool that protects you from the wolves.
>   If one can torture a passphrase or key out of
> someone, what is to stop them from extracting the encrypted data from
> the person as well? 
# I never said that the person you encrypted it to was the end
recipient. If you are a digital courier, you can have something
encrypted to you, however upon decryption, you find that it is -R´d
again to another party, and you are simply given an email address, or
physical address to relay it to.. Or you put it on a flashdrive, and
leave it at a pre-arranged locale. Even if you are tortured for your
part, the ciphertext is still not within your means to decrypt. If you
used a symmetric password, then you might be able to namedrop, and now
others are at risk as well..
Someone down the line can give up the password. Now the torturers
dilemna, is that you could never fully prove your innocence, and the
torture could never fully prove your guilt. Using crypto in the first
place stands out, and is in the torturers eyes, a sign of guilt. Telling
them that you cant decrypt something, will make them think that you are
lying. Even if you are able to decrypt the first file, which could be
-R´d, for example , by the time you give in, and try to say that the
second file is really not within your ability to decrypt, the overseeing
party would be foolish to believe you. So their only recourse is to
continue torturing you, even if you are fully honest, or fully lying, as
they can never know when you are ¨spent¨, and have told all that you
know, as there is always a risk, that you are just resisting them,
holding something back.. While you can never prove that you honestly
have no way of decrypting the data (as it can be -c -R as well... which
means that you can never prove yourself innocent. Anyone that signed
your key, can also be grabbed.. And I know you might think of the xkcd,
however in the real world, when you have someone using electricity, or a
cold water and a sjambok, or worse, coercing you via your friends and
family.. It doesnt matter what you or cryptographers think. All that
matters is what the person who has your family thinks.

(The movie unthinkable speaks to this dilemna, albeit obliquely)
>  After all, in the situations you hint at, it is
> this which is actually relevant to the torturing party.
# not neccesarily. They most likely will be sadists,
(http://en.wikipedia.org/wiki/Reservoir_Dogs#Cast) , and they may want
information about who you deal with, or to prove a point to you.. Ie,
you are sng´d (snatched and grabbed) , torturing you, for who you deal
with, not what you deal with is far more revealing. And then they
release you, so that your friends and family, and allies, all think that
you revealed something. Which makes them distrust you. You feel
alienated, especially after watching tv, as every time you go to a
store, you think of that coke bottle up yer ass.. And you feel cut off,
and if they beet your feet, well you wont be walking too well..
Electricity and water are both deniable. However, now you feel
powerless, you arent sure who to trust (they told you that your friends
are really their friends), and you might be shunned from whatever you
were a part of, as they have to assume that you compromised others. So..
You might find yourself just a smile, and a pawn in a bigger game. You
made a sadist happy, and sow distrust and panic in whatever organization
your opposition has a dispute with. More importantly, they will grab
you, and see which birdies chirp about your arrest. You were essentially
just bait. And they will naturally monitor you, and see who approaches
you, or is worried about you.
This is all far more relevant than the ciphertext. Its who you know, and
what you are about. Not what you hide. Thats easy. If thinking in this
light, you could see why some are keyserver/ keysign averse (lsign only) ...
> pants.
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120828/0db1b22a/attachment.pgp>

More information about the Gnupg-users mailing list