symmetric email encryption
Hauke Laging
mailinglisten at hauke-laging.de
Sat Jul 19 23:02:19 CEST 2014
On Sat 19.07.2014, 22:37:24, Ingo Klöcker wrote:
> > > And what's your threat model, i.e. what do you want to achieve by
> > > your symmetric email encryption scheme?
> >
> > Same answer: This is for users who don't need any threat model
> > consideration.
>
> Huh? Why would those users want to encrypt a message if they don't
> have a threat in mind?

I guess the typical case would be that either the sender or the
recipient wants the communication encrypted (probably uses real crypto
himself) and would use symmetric encryption as the fastest and easiest
way to enable the other one to do that (or the only way the other party
accepts at that moment).

Furthermore: Usually when people start using a new tool or new
technology they don't use it right. Probably at least 90% of the OpenPGP
users use OpenPGP in a way I would not consider good. They do it because
it's OK for them. They probably haven't put much consideration into that
– as you have to know a lot about the area to make these considerations.
No one cares about that with normal crypto. Why should this be a hard
criterion in this case?

I haven't seen the new Enigmail 1.7 yet but the default settings of 1.6
are a nightmare. GPGTools takes worst practice to a new level by doing
the same as Enigmail – but without the (easy to find?) option to
change it. And even more showing off on the bad side: Certifying keys
*without* showing the fingerprint! GnuPG doesn't tell you at which
(maximum) level a certain key has been signed. There is no transparency
in authenticity, no transparency in key security (part of that: no
transparency about PC security, see (German) http://www.crypto-fuer-alle.de/wishlist/securitylevel/), no transparency in key usage, the
current WoT is crap because it offers nearly none of the information you
need... That is the current crypto reality. And people are talking about
security problems and threat models for symmetric encryption, fighting
for good crypto usage? Really?

Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5