It's 2014. Are we there yet?

Kapil Aggarwal kappu at hotmail.com
Thu Apr 10 18:23:07 CEST 2014


If you gave that explanation to my wife.... :) Her eyes would glaze over
before you finished the first paragraph. Not that I disagree with you and it
is actually a very sane/less complex explanation.

My point is that the average Joe user equates SSL with "web security" for
e.g. Whether this notion is right or wrong, doesn't matter, it's what he/she
believes. They don't understand SSL any better than PGP/GPG etc. yet they
"believe" in it. Somehow the message of "secure communications" needs to be
at the same level of simplicity and pervasiveness.

-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Mark
H. Wood
Sent: Thursday, April 10, 2014 10:50 AM
To: gnupg-users at gnupg.org
Subject: Re: It's 2014. Are we there yet?

On Wed, Apr 09, 2014 at 12:39:44PM -0400, Kapil Aggarwal wrote:
> Let's list a few arguments:
[snip]
> - WTF is a key pair/public key/private key/<insert more arcane
> terminology>. - :) This IS a big problem. I may get it, you may get it, how
> does the average Joe user gain that understanding? The nomenclature
> needs to be, well, something that the average Joe user can understand
> as well. They understood SSL (well, for the most part).

I think this one is easy.  The key pair is a mathematical analog of the old
spy trick (I'm sure it's in the movies somewhere) of tearing a playing card
in two, giving one piece to each of two people who do not know each other
but must be able to recognize one another.  No two cards tear *exactly* the
same way.  And the math does this *much* better.

I thought that the tradition of the mizpah coin would serve as well, but I
haven't found a good explanation, just advertising and Biblical
backgrounders.  As I recall, someone thought to break a soft metal coin in
two, so that the jagged edges would symbolize a unique relationship, and
somehow related it back to the story of the cairn of stones that symbolized
an agreement with God as witness.  Nowadays they mint the things in two
pieces, very stylized, and you buy them already separated.  So maybe this is
not so useful here.

Anyway, the point is the same:  a random process produces a unique boundary
between two complementary pieces, which the holders can use to identify each
other.  A computer does it with mathematics that you don't have to fully
understand, so long as you trust someone who does.  If you need to see it in
the physical world, just tear a piece of paper, or break a cookie in two,
and contemplate the result.

There are other things you can do with the jagged edges (so to speak) of
these keys, to scramble and unscramble a message, because the two pieces are
related, in a way too complex to easily guess if you don't have one of them.
Go ahead:  pick up a pencil and paper, and try to predict the EXACT shape of
the torn edges of a card without seeing it.

One thing you must understand is that the keys are related *mathematically*,
not physically.  *Unlike* the card, knowing one shape does not automatically
give you the other.  This is useful:  it means that you have a secret which
you don't have to share to prove that you know it.

After that, it's all just multiplying impossibly huge numbers.

That's dumbed down considerably, but I think it gets the basic idea across
simply.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
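The "two complementary halves" explanation quoted above can be made concrete with a small, self-contained RSA toy. This is an added illustration, not code from the thread or from GnuPG: the primes, message and exponent are constructed values chosen so that every step stays visible, and the helper names (`make_keypair`, `sign`, `recover_private_by_factoring`, etc.) are this example's own. It shows the public half scrambling what only the private half unscrambles, a signature proving possession of the private half without revealing it, and why "knowing one shape does not give you the other" rests entirely on the size of the numbers: with million-sized primes the private half is recovered from the public one in a fraction of a second, which is exactly what real key sizes are chosen to prevent.

```python
# Added illustration (not from the thread): a toy RSA key pair that makes the
# "two complementary halves" analogy concrete. Primes are tiny and hard-coded
# (constructed values) so every step is visible; GnuPG keys use primes that are
# hundreds of digits long, which is what puts the recover step out of reach.
import hashlib
from math import gcd, isqrt


def is_prime(x: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if x < 2:
        return False
    for f in range(2, isqrt(x) + 1):
        if x % f == 0:
            return False
    return True


def make_keypair(p: int, q: int, e: int = 65537):
    """Split one secret (the factorisation of n) into a public half (n, e)
    and a private half (n, d). In a real key p and q come from a random
    process, which is the 'tearing' in the playing-card analogy."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Scramble with the public half; only the private half unscrambles."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    # Hash first so the thing being signed is a fixed-size number below n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """Prove possession of the private half without revealing it."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone holding only the public half can check the proof."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def recover_private_by_factoring(public):
    """'Knowing one shape does not automatically give you the other': the
    only known route from (n, e) to d is factoring n. Trial division does
    it for this toy n; it is hopeless at real key sizes."""
    n, e = public
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("n is not a product of two primes")


if __name__ == "__main__":
    public, private = make_keypair(1000003, 1000033)  # constructed toy primes
    msg = b"meet at noon"  # constructed sample message
    c = encrypt(public, 424242)
    print("decrypted:", decrypt(private, c))
    sig = sign(private, msg)
    print("signature verifies:", verify(public, msg, sig))
    print("tampered message verifies:", verify(public, b"meet at one", sig))
    print("private half recovered from public half:",
          recover_private_by_factoring(public) == private)
```

The last line is the point of the whole example: multiplying the two primes is instant, but going back from the product to the primes is the hard direction, and the toy only stays "toy" because n has twelve digits rather than several hundred.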

