James Mickens on security

Robert J. Hansen rjh at sixdemonbag.org
Wed Aug 13 17:05:19 CEST 2014

Microsoft Research's James Mickens wrote several humorous columns for 
USENIX in which he interspersed brilliant insights with side-splitting 
humor.  I just found his "This World We Live In," which has a good bit 
about PGP in it.  You can find his original at:


"[C]onstructing a public-key infrastructure is incredibly difficult in 
practice.  When someone says 'assume that a public-key cryptosystem 
exists,' this is roughly equivalent to saying 'assume that you could 
clone dinosaurs, and that you could fill a park with these dinosaurs, 
and that you could get a ticket to this "Jurassic Park," and that you 
could stroll throughout this park without getting eaten, clawed, or 
otherwise quantum entangled with a macroscopic dinosaur particle.'  With 
public-key cryptography there's a horrible, fundamental challenge of 
finding somebody, *anybody*, to establish and maintain the 
infrastructure.  For example, you could enlist a well-known technology 
company to do it, but this would offend the refined aesthetics of the 
vaguely Marxist but comfortably bourgeoisie hacker community who wants 
everything to be decentralized and who non-ironically believes that Tor 
is used for things besides drug deals and kidnapping plots. 
Alternatively, the public-key infrastructure could use a decentralized 
'web of trust' model; in this architecture, individuals make their own 
keys and certify the keys of trusted associates, creating chains of 
attestation.  'Chains of Attestation' is a great name for a heavy metal 
band, but it is less practical in the real, non-Ozzy Osbourne-based 
world, since I don't just need a chain of attestation between me and 
some unknown, filthy stranger -- I also need a chain of attestation *for 
each link in that chain*.  This recursive attestation eventually leads 
to fractals and H.P. Lovecraft-style madness.  Web-of-trust 
cryptosystems also result in the generation of emails with incredibly 
short bodies (e.g., 'R U gonna be at the gym 2nite?!?!?!?') and 
multi-kilobyte PGP key attachments, leading to a packet framing overhead 
of 98.5%.  PGP enthusiasts are like your friend with the 
ethno-literature degree whose multi-paragraph email signature has 
fourteen Buddhist quotes about wisdom and mankind's relationship to 
trees.  It's like, I GET IT.  You care deeply about the things that you 
care about.  Please leave me alone so that I can ponder the 
inevitability of death."
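To make the "chain of attestation for each link in that chain" point concrete, here is an added toy example (my own illustration, not GnuPG code and not from Mickens' column): a key is valid to me only if I can walk certifications from my own key to it, and every intermediate certifier must itself be valid and trusted as an introducer. The names, signatures, and the depth bound are constructed for the example.

```python
"""Toy web-of-trust validity check (added example, not GnuPG code).

A key is valid to me if some key that is (a) itself valid to me and
(b) trusted as an introducer has certified it. Because (a) is recursive,
every link in the chain needs its own chain back to my key."""
from collections import deque

# Constructed certification graph: certifier -> keys that certifier signed.
CERTIFICATIONS = {
    "me": {"alice"},
    "alice": {"bob"},
    "bob": {"carol"},
    "carol": {"dave"},
    "mallory": {"eve"},  # mallory signed eve, but nobody I trust signed mallory
}

# Owner trust: keys whose holders I trust to certify others. Being certified
# (validity) and being trusted to introduce (owner trust) are separate.
TRUSTED_INTRODUCERS = {"me", "alice", "bob", "carol"}


def validity_chain(target, certifications=CERTIFICATIONS,
                   introducers=TRUSTED_INTRODUCERS, own="me", max_depth=5):
    """Return the certifier chain from my key to `target`, or None if the
    target is not valid. A link is usable only if its certifier was reached
    from `own` (so it is valid) and is a trusted introducer. max_depth caps
    the number of certifications in the chain, like a cert-depth limit."""
    if target == own:
        return [own]
    queue = deque([(own, [own])])  # breadth-first search for the shortest chain
    seen = {own}
    while queue:
        certifier, path = queue.popleft()
        if certifier not in introducers or len(path) > max_depth:
            continue  # valid key, but not allowed to extend the chain
        for signed in certifications.get(certifier, ()):
            if signed == target:
                return path + [signed]
            if signed not in seen:
                seen.add(signed)
                queue.append((signed, path + [signed]))
    return None
```

Removing "carol" from the introducer set still leaves carol valid (bob certified her) but makes dave invalid, which is the validity-versus-owner-trust distinction the quote blurs.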

More information about the Gnupg-users mailing list