gpgsm and expired certificates
expires2013 at ymail.com
Wed Nov 6 00:41:53 CET 2013
On Monday 4 November 2013 at 10:43:43 PM, in
<mid:87habrrdnk.fsf at mat.ucm.es>, Uwe Brauer wrote:
> - NSA (among others) has abused its resource to
> read email worldwide at a very large scale.
> - so if a lot of people, say 30 % of all users
> would encrypt their email, then NSA statistical
> approach would *not* work that smooth and this
> is a good thing.
Why do you describe it as a statistical approach?
I guess 30% was plucked out of the air. It would seem self-evident
that if a sizeable proportion of emails travelled encrypted, the NSA
etc. would have to do more work to read them.
> - so encrypting email should be easy and look
> trustful for a majority of users
I like the idea, but have a bit of an issue with security made too
easy. Security has to be inconvenient; just a lot more so for a
would-be attacker than for the person using the security.
> - usually public/private key based methods are
> considered relative secure (Even Snowden claimed
> that you could rely on them), this does not mean
> that the NSA could not read your email. They would
> usually try to enter your machine installing a
> keylogger or something like this. But this is
> beyond the statistical method I mentioned above.
Hopefully, if it was more effort and more cost to read an individual's
mail, that individual might be left alone unless they are a suspect.
But what about an individual two or three communication hops from a
> - if I understand correctly the real problem is
> not security of the the cipher but the
> authenticity of the sender and so the most
> common attack is a man in the middle attack. This
> is true for both smime and gpg. So comparing
> fingerprints of public key is a good thing,
> which most of us, I presume, don't do.
For most people's communication, it is not encrypted so the main
problem is simply being read in transit, and/or stored. Once you start
encrypting, even without putting the effort in for sender
authentication, it takes more effort to snoop on your mail than on the
majority of people's.
> - from my own experience I am convinced that smime
> is much easier than gpg for reasons I am not
> going to repeat here. (I got 7 out of 10 of my
> friends/colleagues to use smime, but 0 of 10 to
> use gpg.)
Depending on the software people are using. I'm willing to accept that
there are probably more people for whom S/MIME is easier to use.
> - one of the reasons some of them hesitated was
> the fact that the certificates were offered by
> some commercial company they did not know and
> trust. They would have had installed it from
> a government based organisation, say the
> ministry of justice though.
I think "know" is the key factor, but "know and trust" is even better.
I suspect a whole lot of people would also be perfectly comfortable if
a certificate were available from the company that supplied their
operating system, or their email application or webmail account. Or
maybe from their bank or ISP.
> - so if some government based organisation would
> do what say commodo does it would send a signal
> to the public that it takes privacy seriously
> and I think it would encourage more people to use
The actions of governments and government organisations in so many
countries send signals that they are anti-privacy, or at least not
pro-privacy. I think this small contradictory signal would be in
severe danger of being drowned out. But now I understand what you
> - Private certificates, are unfortunately no
> solution. Yes it is possible with openssl to
> generate them, I have done that myself. However
> it is very difficult till impossible to convince
> the main email programs, such as outlook,
> thunderbird or Apple mail to use them or to use
> public keys sent by such certificates. 
The email app I am using to write this message can (almost trivially)
generate and use self-signed certificates for the email accounts it
has configured. The difficulty is getting other people to persuade
their MUA to accept them.
> Footnotes:  I must add that I don't share your
> general view about government based organisations.
> I still hope that abuse is the exception not the
I think I mentioned in one of my other postings that I was using
hyperbole to make my point. I'm not quite _that_ paranoid, but I
believe in exercising a healthy skepticism.
MFPA mailto:expires2013 at ymail.com
Experience is the name everyone gives to their mistakes
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1075 bytes
Desc: S/MIME Cryptographic Signature
More information about the Gnupg-users