Questions about OpenPGP best practices
dougb at dougbarton.us
Fri Mar 1 00:07:29 CET 2013
On 02/28/2013 09:33 AM, Kristian Fiskerstrand wrote:

| for a service that specifically targets the OpenPGP community, I
| consider using the OpenPGP WoT more appropriate than any CA

I certainly understand that perspective; however, I see a couple of
problems with it. First, there is a bootstrapping problem. People new
to PGP almost certainly do not possess the skills to verify the
signature file for the cert, even if they had an appropriate web of
trust to rely on (which obviously they would not).

Second, not using a cert signed by a recognized CA presents two
problems: it increases the perception that the PGP community is a
closed circle, such that if you don't already have the skills, we
don't want to talk to you. For those new users who click through, it
adds further damage to their security habits, since we try to teach
people NOT to do that, even though most people do it anyway.

In the previous era, where free and/or low-cost SSL certs were not
available, I would have had a lot more sympathy with your position.
However, nowadays there is a non-zero number of good choices,
including https://www.startssl.com/, which offers free certs and has a
good reputation in the community. I personally use them for my sites,
although I have no affiliation other than "happy 'customer.'"

I hope you'll reconsider your decision.