[OT] Why are you using the GPG / PGP keys?
dougb at dougbarton.us
Wed May 29 06:42:22 CEST 2013
On 05/28/2013 03:14 PM, Johan Wevers wrote:
> On 28-05-2013 23:18, Henry Hertz Hobbit wrote:
>> But what does Firefox and other browsers want to do? They want
>> to PERMANENTLY store the exception.
> Still easier to use than my experience with my own mailserver. When I
> set it up to accept only secure connections Thunderbird had no problems,
> but my phone (Nokia E72) kept refusing to use the selfsigned certificate
> permanantly. I had to approve it each time, even after importing it in
> the phone. Until I found out, a year later and almost by accident, that
> the CN field of the certificate has to exactly match the domainname of
> the mailserver. After creating a new certificate it runs good, but too
> much checks can also give problems and could have driven less tech-savy
> people away from encryption.
You've actually hit on one of the key elements of the debate, the
continuum of secure vs. convenient. "We" (for sufficiently competent
definitions of "we") see the need for security, and are willing to pay
the price. Average users want things to be "secure" (for sufficiently
warm and fuzzy definitions of "secure"), but not "hard," or more
Not to pick on you, Johan, but I would regard your phone's refusal to
accept the certificate as a feature. You regarded it as an inconvenience.
Furthermore, there is no reason to fool around with self-signed certs
nowadays. Just trot over to https://www.startssl.com/ and get your free
cert signed by a recognized CA. I use that for my web and mail systems
(including secure SMTP), and it works just fine.
The reason I'm replying to this thread (which I keep hoping will
suffocate under its own weight) at all is to point out that the whole
idea of "everyone" should use encryption, or cryptography more
generally, is absurd. Most users not only do not want the inconvenience,
they don't care if their communication is observed. Where validity is
concerned for e-mail there are things like SPF and DKIM that get you 90%
there on a system level without the user having to do (or be
inconvenienced by) anything.
Don't get me wrong, I still think that PGP is important, and would
lament its passing if somehow it went away. But that's not the same
thing as thinking "everyone should use encryption."
More information about the Gnupg-users