Why trust gpg4win?
Jan
takethebus at gmx.de
Sat Aug 24 23:14:25 CEST 2013
Thanks to everyone for the vivid discussion.
@HHH: Thanks for your text at
http://www.securemecca.com/public/GnuPG/TrustOfGPG4Win-2.txt
>As my little discourse here should have shown to you,
>Windows users as a group by and large just don't care about
>securing their systems. They want a one stop solution and that
>is now an iPhone or an iPad. You cannot do much with them but
>people that are lazy [...]
I agree with you and think we won't get rid of this "laziness". We will not
be able to change the fact that most people use an insecure Windows or Mac
OS, either. GIVEN THAT, can we provide a way of secure communication for
the majority of the people? This is what I want, since many of my friends
are no computer experts and will never be.
It seems quite easy to advise people to have an offline Windows PC with
gpg4win on it and all their private stuff and a Windows(?) online PC next to
it. They could transfer encrypted messages with a USB stick from one PC to
the other. I think this is a vector for an attacker, but how serious is this
problem? An attacker only seems to have a chance if he has a contract with
Microsoft and Windows secretly copies the private key, password or even any
decrypted "Word file" on any USB stick. Could such a thing be spotted or
prevented?
There's another problem with the offline/online approach: convenience. Since
you would transfer the messages in plain text on the USB stick, you would
have to order them on the offline PC. You wouldn't have Thunderbird there to
do this for you.
Another general problem is that you encrypt YOUR messages with another
person's public key and have to rely on this person to protect this
private key well. I think it is necessary that you know how he keeps his
private key (offline PC/online PC). I think everybody should note that in
his key ID. Do you agree? So if you communicate with someone who stores his
key on an online Windows PC, it is not worth the effort to store your key on
an offline PC and to refrain from Thunderbird doing the ordering for you. A
"solution" might be to offer your communication partner two kinds of public
keys: An "offline key" he should use if he has an "offline key", too, and an
"online key" he should use if he also uses an "online key". Maybe this is
not satisfactory but somehow fair and might encourage people to get offline
PCs.
There's a lot more I have to say, but this has to wait now.
Best regards,
Jan
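The two-key scheme proposed above, worked through as an added example that is not part of the original post or of GnuPG: it parses the machine-readable `gpg --with-colons --list-keys` output for a storage note placed in the user ID comment, and picks the correspondent's key by the "offline with offline, online with online" rule. The listing, key IDs, names and the exact "(offline key)" / "(online key)" wording are constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `gpg --with-colons --list-keys` output (placeholder key IDs,
# not real keys). Field 5 of a "pub" record is the key ID; field 10 of a "uid"
# record is the user ID. Real output escapes ':' inside user IDs as \x3a,
# which this simplified parser does not undo.
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000AAAAAA:1377360000:::u:::scESC::::::23::0:
uid:u::::1377360000::HASH1::Alice Example (offline key) <alice@example.org>::::::::::0:
pub:u:4096:1:0000000000BBBBBB:1377360000:::u:::scESC::::::23::0:
uid:u::::1377360000::HASH2::Alice Example (online key) <alice@example.org>::::::::::0:
pub:u:2048:1:0000000000CCCCCC:1377360000:::u:::scESC::::::23::0:
uid:u::::1377360000::HASH3::Bob Example <bob@example.org>::::::::::0:
"""

# Assumed convention: the storage class is written in the uid comment field.
STORAGE_TAG = re.compile(r"\((offline|online) key\)", re.IGNORECASE)
EMAIL = re.compile(r"<([^>]+)>")


def parse_storage_classes(listing: str) -> Dict[str, Tuple[str, str]]:
    """Map key ID -> (e-mail, class) with class 'offline', 'online' or 'unknown'."""
    keys: Dict[str, Tuple[str, str]] = {}
    current: Optional[str] = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            keys[current] = ("", "unknown")
        elif fields[0] == "uid" and current is not None and keys[current][1] == "unknown":
            uid = fields[9]
            tag = STORAGE_TAG.search(uid)
            mail = EMAIL.search(uid)
            keys[current] = (mail.group(1) if mail else "",
                             tag.group(1).lower() if tag else "unknown")
    return keys


def choose_recipient_key(keys: Dict[str, Tuple[str, str]], email: str,
                         my_class: str) -> Optional[Tuple[str, str]]:
    """Return (key_id, class) to encrypt to, or None if the correspondent has no key.
    Only an 'offline' correspondent key justifies using the sender's offline key;
    otherwise fall back to the 'online' key, then to an untagged ('unknown') key."""
    by_class = {cls: kid for kid, (mail, cls) in keys.items() if mail == email}
    order = (["offline"] if my_class == "offline" else []) + ["online", "unknown"]
    for cls in order:
        if cls in by_class:
            return by_class[cls], cls
    return None
```

The returned class tells the sender whether the exchange was downgraded to an online or untagged key, which is the case where keeping one's own key offline buys little.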