[OT] Why are you using the GPG / PGP keys?

Doug Barton dougb at dougbarton.us
Wed May 29 06:42:22 CEST 2013

On 05/28/2013 03:14 PM, Johan Wevers wrote:
> On 28-05-2013 23:18, Henry Hertz Hobbit wrote:
>> But what does Firefox and other browsers want to do?  They want
>> to PERMANENTLY store the exception.
> Still easier to use than my experience with my own mailserver. When I
> set it up to accept only secure connections Thunderbird had no problems,
> but my phone (Nokia E72) kept refusing to use the selfsigned certificate
> permanantly. I had to approve it each time, even after importing it in
> the phone. Until I found out, a year later and almost by accident, that
> the CN field of the certificate has to exactly match the domainname of
> the mailserver. After creating a new certificate it runs good, but too
> much checks can also give problems and could have driven less tech-savy
> people away from encryption.

You've actually hit on one of the key elements of the debate, the 
continuum of secure vs. convenient. "We" (for sufficiently competent 
definitions of "we") see the need for security, and are willing to pay 
the price. Average users want things to be "secure" (for sufficiently 
warm and fuzzy definitions of "secure"), but not "hard," or more 
accurately, inconvenient.

Not to pick on you, Johan, but I would regard your phone's refusal to 
accept the certificate as a feature. You regarded it as an inconvenience.

Furthermore, there is no reason to fool around with self-signed certs 
nowadays. Just trot over to https://www.startssl.com/ and get your free 
cert signed by a recognized CA. I use that for my web and mail systems 
(including secure SMTP), and it works just fine.

The reason I'm replying to this thread (which I keep hoping will 
suffocate under its own weight) at all is to point out that the whole 
idea of "everyone" should use encryption, or cryptography more 
generally, is absurd. Most users not only do not want the inconvenience, 
they don't care if their communication is observed. Where validity is 
concerned for e-mail there are things like SPF and DKIM that get you 90% 
there on a system level without the user having to do (or be 
inconvenienced by) anything.

Don't get me wrong, I still think that PGP is important, and would 
lament its passing if somehow it went away. But that's not the same 
thing as thinking "everyone should use encryption."


More information about the Gnupg-users mailing list