PGP/MIME use

[Hauke Laging]

Am Mittwoch, 1. Februar 2012, 17:19:08 schrieb Robert J. Hansen:
> On 2/1/12 10:47 AM, Hauke Laging wrote:
> > Of course not. I just don't believe that there are many examples of
> > this type out there. To me a serious user is one who actively signs,
> > encrypts, and/or verifies data and knows what he is doing. He has
> > created a key and verified at least one. Everything else seems like
> > special use to me.
> 
> Then yes, you are selecting for email users.  There are quite a lot of
> people who use GnuPG primarily for themselves -- for instance, a system
> administrator who signs each backup, a lawyer who encrypts files when in
> transit on a flash drive, etc.

My description does not select for email users only but also covers your 
examples. We are not talking about "primarily" but about "only".


> Yes, this definition means that you're a serious user of your OS kernel.
>  And why wouldn't you be?  You demand your PC make thousands of kernel
> calls each second.  Is that not serious use?

Depends on what you are thinking about. Of course, it is interesting to know 
how many kernels are out there. But it is also interesting an deserves being 
looked at seperately how many people have an "active", "planned" interaction 
with their kernel. Something like compiling it themselves, compiling modules 
for it, deactivating or configuring modules, configuring the kernel via 
command line parameters, saving an old kernel version as fallback.


> >> (GnuPG is already on your system.)
> > 
> > That's not true for a certain quite popular OS.
> 
> Quite in context, please.  In context, that sentence obviously referred
> to Linux users.  Quoting people out-of-context to score points is a pet
> peeve of mine.

I apologize if anyone had the impression that I used your quote wrongly (but 
why should I?). The point is that you said nothing about Windows which due to 
its market share cannot be ignored. And that has no relation to the context of 
your quote.


> And if users who know of,
> are aware of, who pay attention to, how GnuPG works behind the scenes
> aren't relevant to you, then what is?

I do not see how relevance could be bound to knowing what happens if this has 
no influence to what happens at all. Users who need a software (whether they 
know that or not) are relevant to me, too. But those users are relevant for 
GnuPG's verification feature only because they never use anything else.

To me it's important for the assessment of a user whether ot not he causes any 
data in the world to be changed (because he signs something, encrypts 
something, something is encrypted for him). One groups makes just a quantity 
difference to IT, the other one a quality difference.

The reason why most people do not use Enigmail (or something similar) is *not* 
the installation of GnuPG. You can easily install GnuPG without any clue how 
to use it. The main reasons are the lack of felt need (whether those people on 
average feel a need for update rpm signature checks?) and the lack of 
knowledge. Thus only comparing the GnuPG users with knowledge to the Enigmail 
users makes sense to me.


> Each benchmark I use to represent
> a class of users, you reject as being not what you're talking about, so
> please tell me precisely what you *are* talking about.

I already did so:
> > This sounds like a No True Scotsman fallacy.  If someone uses GnuPG but
> > not for email, does that disqualify them from being a serious user?
> 
> [...] To me a serious user is one who actively signs, encrypts,
> and/or verifies data and knows what he is doing. He has created a key and
> verified at least one. Everything else seems like special use to me.

However, we are not discussing something important. You said that Enigmail 
users were just a small share of GnuPG users. This share depends on the part 
of GnuPG users considered. Obviously our opinions about that part differ but 
the decision who is "right" has no consequence at all.


> > And which of these scenarios is more probable? Who will after
> > starting to sign emails start to send emails to people he is not
> > familiar with?
> 
> Quite a lot, apparently.  There are a whole lot of people on this
> mailing list.  I'm sending a message to all of them, including people I
> don't even know.

But you don't send email to this list *because* you sign your email. You don't 
even sign your email to this list.


> Your question: "Who will after starting to sign emails start to send
> emails to people he is not familiar with?"
> 
> The answer is Facebook.  Google+.  eHarmony.  Match.com.  JDate.
> Bear411.  ChristianSingles.com.  The list goes on and on and on.

Right. But for nearly none of those cryptography is the reason for contaction 
others. In other words: If email cryptography becomes more common there is no 
reason to expect more email from unknown people (due to this effect).


> The people who would be complaining about my conduct would be people who
> don't know me from the wind.  *They're* the ones who would have to be
> persuaded I was on the up-and-up.

OK but if someone considers his opinion about something he is not familiar 
with superior to the uniform opinion of some who are familiar then I would 
consider him an idiot (not stating that idiots cannot be a problem for someone 
innocently accused).


> >> And then I imagined my dean answering, "That proves nothing: after
> >> all, if I was posting this stuff I wouldn't sign it, either."
> > 
> > Would not make much sense to use the name but not sign it, though.
> 
> Sure it would.  Deniability.

That's the sense of non-signing. What's the sense of using your name? Creating 
problems for yourself? Accepting those problems in order to make the offense 
more interesting to the public?


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 555 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20120201/2855ab0e/attachment-0001.pgp>