symmetric email encryption

Hauke Laging mailinglisten at hauke-laging.de
Sat Jul 19 23:02:19 CEST 2014


On Sat 19.07.2014, 22:37:24, Ingo Klöcker wrote:

> > > And what's your threat model, i.e. what do you want to achieve by
> > > your symmetric email encryption scheme?
> > 
> > Same answer: This is for users who don't need any threat model
> > consideration.
> 
> Huh? Why would those users want to encrypt a message if they don't
> have a threat in mind?

I guess the typical case would be that either the sender or the 
recipient wants the communication encrypted (probably uses real crypto 
himself) and would use symmetric encryption as the fastest and easiest 
way to enable the other one to do that (or the only way the other party 
accepts at that moment).

Furthermore: Usually when people start using a new tool or new 
technology they don't use it right. Probably at least 90% of the OpenPGP 
users use OpenPGP in a way I would not consider good. They do it because 
it's OK for them. They probably haven't put much consideration into that 
– as you have to know a lot about the area to make these considerations. 
No one cares about that with normal crypto. Why should this be a hard 
criterion in this case?

I haven't seen the new Enigmail 1.7 yet but the default settings of 1.6 
are a nightmare. GPGTools takes worst practice to a new level by doing 
the same as Enigmail – but without the (easy to find?) option to 
change it. And showing off even more on the bad side: certifying keys 
*without* showing the fingerprint! GnuPG doesn't tell you at which 
(maximum) level a certain key has been signed. There is no transparency 
in authenticity, no transparency in key security (part of that: no 
transparency about PC security, see (German) 
http://www.crypto-fuer-alle.de/wishlist/securitylevel/), no transparency 
in key usage, the current WoT is crap because it offers nearly none of 
the information you need... That is the current crypto reality. And 
people are talking about security problems and threat models for 
symmetric encryption, fighting for good crypto usage? Really?


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
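The "fastest and easiest way" bootstrap that the post describes, as an added example that is not part of the original message or of any project code: a sender with a working GnuPG wraps a message in OpenPGP symmetric (passphrase) encryption, mails the armoured blob, and the recipient only needs gpg and the passphrase, no key pair, no WoT. The passphrase and the message text are constructed samples; the explicit AES256 choice and the throwaway GNUPGHOME are assumptions for running it in isolation. It needs GnuPG 2.1 or later for --pinentry-mode loopback. The one thing this scheme does not solve is how the passphrase gets to the other party: it has to travel over a channel other than the mail itself.

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap a symmetrically
# encrypted mail exchange with GnuPG.  Requires GnuPG >= 2.1.
set -eu

# Throwaway keyring directory so the example never touches ~/.gnupg.
GNUPGHOME=$(mktemp -d); export GNUPGHOME

# sym_encrypt <plaintext-file> <passphrase>  -> ASCII-armoured ciphertext on stdout
# Armoured output can be pasted straight into a mail body.  The cipher is
# pinned to AES256 so the result does not depend on either side's defaults.
sym_encrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$2" \
        --symmetric --cipher-algo AES256 --armor --output - "$1"
}

# sym_decrypt <ciphertext-file> <passphrase>  -> plaintext on stdout
# Exits non-zero (gpg: "Bad session key") when the passphrase is wrong.
sym_decrypt() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$2" \
        --decrypt "$1"
}

# roundtrip <passphrase>: encrypt a constructed sample message, decrypt it
# again and print "ok" when the plaintext survived unchanged.
roundtrip() {
    dir=$(mktemp -d)
    printf 'Meet at 10:00. Fingerprint follows by phone.\n' > "$dir/msg.txt"
    sym_encrypt "$dir/msg.txt" "$1" > "$dir/msg.asc"
    sym_decrypt "$dir/msg.asc" "$1" > "$dir/out.txt"
    if cmp -s "$dir/msg.txt" "$dir/out.txt"; then echo ok; else echo mismatch; fi
    rm -rf "$dir"
}

# wrong_passphrase_rejected <good-passphrase> <bad-passphrase>: prints
# "rejected" when decryption with the bad passphrase fails, as it must.
wrong_passphrase_rejected() {
    dir=$(mktemp -d)
    printf 'sample\n' > "$dir/msg.txt"
    sym_encrypt "$dir/msg.txt" "$1" > "$dir/msg.asc"
    if sym_decrypt "$dir/msg.asc" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
    rm -rf "$dir"
}

# Usage (constructed passphrase; share it by phone or in person, never in
# the same mail as the ciphertext):
#   roundtrip 'correct horse battery staple'
#   wrong_passphrase_rejected 'correct horse battery staple' 'guess'
```

The armoured blob is what goes into the mail body; the recipient saves it to a file and runs the decrypt side. Passing the passphrase on the command line is only acceptable in a throwaway script like this, since it is visible in the process list; interactively, drop --batch and --passphrase and let pinentry ask.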