What is stopping PKI from growing was: Re: what is killing PKI?

Faramir faramir.cl at gmail.com
Fri Aug 31 04:36:31 CEST 2012

On 29-08-2012 5:28, antispam06 at sent.at wrote:
> Hello List!
> I'm (for some of you) your worst nightmare. Somebody who does not
> master the fine arts of cryptography, yet has an opinion about
> cryptography. I might say I enjoy reading the thread on PKI, but I
> wasn't able to read it all.

  I don't think that is anybody's nightmare. After all, many of us are
not "masters of cryptography".

> Please understand this is not a flame against Landon, but rather at
> the whole culture of having a debate that puts people into two
> groups: a small one formed by initiated and a huge one with lay
> people. I am using

  Right, but it doesn't require high technological skills or a degree
in computer science to become an initiate. It can be explained in 20
minutes, while you drink a coffee. Manuals are long and sometimes hard
to understand, because they must cover a lot of information, and list
all these options we will never use (but are still there, because what
I don't use is a must-have for other people). Just stay with us a bit,
and soon you'll find yourself transformed into a GPG initiate.

> I think the argument with the envelope instead of a postcard is
> dated before considering encryption as an electronic envelope.
> Anyway, while

  Well, but it is. It is an almost-impossible-to-open envelope, but
encrypted email still has the recipient's address, and the info of
the sender, in plain sight.

> stereotypical nerd living in a basement. The real postman has way
> too much on his hands to waste time with every private message.
> Yet, the message might be delivered into the hands of a servant or
> family member. It's them, the people around, who are the most
> interested to find out the juicy story.

  That is also very true, Eve is probably very close to either the
sender or the recipient. Unless we are talking about NSA, CIA, or Men
in Black, but if that is the case, then using cryptography is only a
small part of the protection measures.

> I see webmail as far from a barrier. Get one plain text editor
> with encrypt / decrypt abilities. Then just copy and paste the
> armored text.

  Or even better, attach the armored file to the message, and then you
don't even have to worry about HTML stuff messing it up.

> What can be simpler? Why do I have to handle a buggy slow beast
> like thunderbird or evolution when I can do it with the ballast
> provided by a

  As a thunderbird user, I don't find it buggy or slow. At least, it
didn't use to be slow.

> everything on a 386. So, instead of having a complicated system
> with problems, just use a web interface and do all the mails
> offline in a folder. Faster, more portable.

  Not sure about the faster part, you have more steps to follow to
send a message. But it still can be done. And as you need to carry
your encryption tools with you, you can also carry a portable install
of Thunderbird+GPG+Enigmail. Well, not sure if GPG2 will run in
portable mode, but for a while we can still use the 1.4.x branch.

> Why look down at people? Lay people? A concept invented by the
> religious / initiated caste to separate themselves from the
> disgusting masses.

  Lol, it is not like that. It is that we are talking about encryption
and why, except for us -the paranoid guys-, other people don't use it.
It is not about education level, intelligence, or anything like that; in
fact, if we were looking down at people, we would be saying "they
aren't capable of using this stuff". Instead of that, we are talking
about "why don't they use it? How can we make them use it?".

> It's cute to develop bondage through some sort of initiation, say
> Dungeons and Dragons if you like a cliché, but it's still jacking
> off. The world is the thing out, at large, and not some meetings in
> a basement.

  Initiation? I'm lost now... I came here, joined the list, read a
bit, asked some questions, tried GPG, left an orphan key... and somehow,
now I'm a GPG user. And to think it all started when a teacher said
"well, this is my public key, your assignment is to send an encrypted
message to me, that is the link to PGP's site". And of course, I
thought "isn't there a free version?"

  By the way, some years ago I went to a CAcert assurer's meeting. It
was in a coffee shop, no basements involved.

> Even if gpg is easily obtainable, that is, still, almost nothing.
> Gpg is not a portable app. One must read a few cryptic pages. Even
> if clear,

  It used to be. You can still get the portable version.

> they are boring. Generate a key. What size? The answers are quite 
> liberal: it depends on what you need. It should be *2048 or read
> some

  Unfortunately, it really depends on your needs. But there is hope:
the standard answer here is "most people should stick to the
defaults". There are even some straightforward wizards to set it up
and generate your key (like Enigmail's wizard).
  Options are more complex, but people with unusual needs should know
they have to devote more time reading manuals, after all, they already
devoted some time to discover they have unusual needs.

> Now, Thunderbird is a pain in the behind. A team is trying hard to
> bring the anonymity of Tor to it. I hope they would be able to do
> it. It's

  Well, but remember email encryption is not about anonymity, it is
about privacy. Pretty Good Privacy, not Pretty Good Anonymity. Sure,
some people want both, but that is out of our scope.

> portable. Enigmail is an extension and that makes it rather
> portable. But gpg4win is NOT.

  Until very recent times, GPG branch 1.4.x windows binary was easy to
find, and could be run in portable mode. Probably there will be (or
already are?) packages offering portable Thunderbird+Enigmail+GPG combo.

> Also I think people like you should work more and more on their
> pleasant side. Learn some skills that don't involve machines.
> Relax. Just because others bullied you, you don't have to be a
> bully.

  I think you are following stereotypes a bit too much. You imagine
people here are fit for the "Revenge of the Nerds" movie casting.

> Or put it this way: what makes you sure your way is the good way?
> Just

   Well, we are the Illuminati, our Order comes from the time lay
people used to live in caves, while we already had cable TV. Bazinga!

> Question: sure, it's nice to see the signature used here, on the
> gpg list. But why do you people use it? Myself, an outsider, see it
> as a geek code. Sure, Werner is the gpg master. And somebody might

  Well, I use it in a vain attempt to make people aware that there is
something called OpenPGP. Also, because the first time I found spam
messages sent... by me to me, I was very worried about how my email
box had been compromised, I changed password, ran every anti-malware
tool I could find, and so on. Then I learned anybody can fake that. No
compromise at all, the spammer just crafted a message that, to me,
looked like a message sent from my email box. So I said "fake this,
M.F.!" and started signing my messages.

  By the way, I caught you. You say you are an outsider, yet you know
about GPG, Thunderbird, Enigmail, you know they can be portable, you
know about gpg4win -and it has its own mailing list, so usually it is
not mentioned here-, you know how easy it is to encrypt text in a plain
text editor with encryption capabilities and paste ASCII-armored text
into the webmail composer. You talked about TOR, and you know the
password strength is related to the entropy it has. You know the xkcd
comic. You even know about Alice and you don't think she is a
Twilight character. You don't fool us, your geek coefficient is at
least as high as ours!

  Best Regards