Questions about OpenPGP best practices

Doug Barton dougb at dougbarton.us
Fri Mar 1 00:07:29 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/28/2013 09:33 AM, Kristian Fiskerstrand wrote:
| for a service that specifically targets the OpenPGP community, I
| consider using the OpenPGP WoT more appropriate than any CA
| Corporation.

Kristian,

I certainly understand that perspective; however, I see a couple of
problems with it. First, there is a bootstrapping problem. People new
to PGP almost certainly do not possess the skills to verify the
signature file for the cert, even if they had an appropriate web of
trust to rely on (which obviously they would not).

Second, not using a cert signed by a recognized CA presents two
problems: it increases the perception that the PGP community is a
closed circle, such that if you don't already have the skills, we
don't want to talk to you. For those new users who click through, it
adds further damage to their security habits, since we try to teach
people NOT to do that, even though most people do it anyway.

In the previous era, when free and/or low-cost SSL certs were not
available, I would have had a lot more sympathy with your position.
However, nowadays there is a non-zero number of good choices,
including https://www.startssl.com/ which offers free certs and has a
good reputation in the community. I personally use them for my sites,
although I have no affiliation other than "happy 'customer.'"

I hope you'll reconsider your decision.

Doug

