Questions about OpenPGP best practices

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Fri Mar 1 18:06:40 CET 2013



On 03/01/2013 12:07 AM, Doug Barton wrote:
> On 02/28/2013 09:33 AM, Kristian Fiskerstrand wrote:
> | for a service that specifically targets the OpenPGP community, I
> | consider using the OpenPGP WoT more appropriate than any CA
> | Corporation.
> 
> Kristian,
> 
> I certainly understand that perspective, however I see a couple of 
> problems with it. First, there is a bootstrapping problem. People
> new to PGP almost certainly do not possess the skills to verify
> the signature file for the cert, even if they had an appropriate
> web of trust to rely on (which obviously they would not).
> 
> Second, not using a cert signed by a recognized CA presents two
> problems: it increases the perception that the PGP community is a
> closed circle, such that if you don't already have the skills, we
> don't want to talk to you. For those new users that click through,
> it adds further damage to their security habits, since we try to
> teach people NOT to do that, even though most people do it anyway.

Arguably the website doesn't provide information that strictly has to
be protected by an HTTPS scheme. So to some extent this is avoided by
such users using the HTTP website in the first place, and it does not
necessarily contribute as much difficulty to bootstrapping new
users. Another point is obviously that new users don't necessarily
visit the website at all; it is more for people with more special
interests.

> 
> In the previous era where free and/or low-cost SSL certs were not 
> available I would have had a lot more sympathy with your position. 
> However nowadays there are a non-zero number of good choices, 
> including https://www.startssl.com/ which offers free certs, and
> has a good reputation in the community. I personally use them for
> my sites, although I have no other affiliation other than "happy
> 'customer.'"

Ironically enough I have a stronger affiliation than that, myself, as
I still have an active reseller agreement :)

> 
> I hope you'll reconsider your decision.

I certainly continuously consider constructive feedback on the setup,
so will give it some more thought.

The main issue I see is that when I experimented with this a while ago
the two schemes were incompatible, i.e. I couldn't get monkeysphere to
work with a CA signed X.509 certificate. For this to work I'll have to
completely switch to the root CA approach, which I don't particularly
trust, so I'd prefer to have a way to continue using the OpenPGP WoT.


-- 
----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nil satis nisi optimum
Nothing but the best is good enough



More information about the Gnupg-users mailing list