Questions about OpenPGP best practices

Kristian Fiskerstrand kristian.fiskerstrand at
Fri Mar 1 18:06:40 CET 2013


On 03/01/2013 12:07 AM, Doug Barton wrote:
> On 02/28/2013 09:33 AM, Kristian Fiskerstrand wrote:
> | for a service that specifically targets the OpenPGP community, I
> | consider using the OpenPGP WoT more appropriate than any CA
> | Corporation.
> Kristian,
> I certainly understand that perspective; however, I see a couple of
> problems with it. First, there is a bootstrapping problem. People
> new to PGP almost certainly do not possess the skills to verify
> the signature file for the cert, even if they had an appropriate
> web of trust to rely on (which obviously they would not).
> Second, not using a cert signed by a recognized CA presents 2
> problems: it increases the perception that the PGP community is a
> closed circle, such that if you don't already have the skills, we
> don't want to talk to you. For those new users that click through,
> it adds further damage to their security habits, since we try to
> teach people NOT to do that, even though most people do it anyway.

Arguably the website doesn't provide information that strictly has to
be protected by an HTTPS scheme. So to some extent this is avoided by
such users using the HTTP website in the first place, and it doesn't
necessarily contribute as many difficulties for bootstrapping new
users. Another point is obviously that new users don't necessarily
visit the website at all, but it is more for people with more special

> In the previous era where free and/or low-cost SSL certs were not
> available I would have had a lot more sympathy with your position.
> However nowadays there are a non-zero number of good choices,
> including which offers free certs, and
> has a good reputation in the community. I personally use them for
> my sites, although I have no other affiliation other than "happy
> customer."

Ironically enough I have a stronger affiliation than that, myself, as
I still have an active reseller agreement :)

> I hope you'll reconsider your decision.

I certainly continuously consider constructive feedback on the setup,
so will give it some more thought.

The main issue I see is that when I experimented with this a while ago
the two schemes were incompatible, i.e. I couldn't get monkeysphere to
work with a CA signed X.509 certificate. For this to work I'll have to
completely switch to the root CA approach, which I don't particularly
trust, so I'd prefer to have a way to continue using the OpenPGP WoT.

-- 
----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nil satis nisi optimum
Nothing but the best is good enough


More information about the Gnupg-users mailing list