gpg "simplified"?

Robert J. Hansen rjh at sixdemonbag.org
Tue Jul 31 21:25:00 CEST 2012 

On 7/31/2012 8:17 AM, peter.segment at wronghead.com wrote:
> Correct me if I'm wrong, but it is unreasonable to expect anybody
> to successfully and safely use gpg without understanding the
> concepts and mastering the skills essential to the WOT:

This is not at all the case.

Set up a trusted introducer/certificate authority and presto, bang,
you're off to the races.  When Alice comes on board at the company, the
local authority generates a certificate for her, sets up her
Thunderbird+Enigmail installation (or choose-your-preferred-MUA), signs
her certificate, and has her certificate recognize the CA as a trusted
introducer.

All Alice needs to do is choose her passphrase.  She can now communicate
securely with anyone inside the organization.  In order to communicate
securely with someone outside the organization, she calls up the
certificate authority and says, "I need to email some documents to Bob
over at another firm.  Could you please make this happen?"

The CA then calls Bob, does the identity check, fingerprint
verification, etc., and at the end of it signs Bob's certificate and
introduces Bob's certificate to the local keyserver.  The CA calls Alice
back and says, "Grab Bob's certificate from the local keyserver: you're
good to go."

At no point does Alice need to know anything about the Web of Trust.
All she needs to know is --

	1.  She needs to keep her passphrase secure
	2.  If she wants to send secure email, she needs to
	    check to see if her recipient's certificate is
	    on the keyserver
	3.  If it's not, she needs to call the local CA

The rest can all be done automatically.

> Most users in this group have no single computer they operate on.
> Occasionally they must be able to create cipher-text on "drive-by"
> computers

This cannot be done safely.

You must have physical control over the hardware for GnuPG to be used
safely.  "Drive-by" machines have uncomfortably high malware infection
rates.  Don't use GnuPG except on machines that you physically control
and are confident are free of malware.

More information about the Gnupg-users mailing list