crypto code of conduct ("Crypto-Knigge")

Thomas Asta thomasasta at googlemail.com
Thu Jul 31 19:18:43 CEST 2014


Dear Hauke,

thanks for this initiative, it and your website are great.
Is there a wiki to add improvements to your draft?

I think it needs some changes in wording, in strategy and diction ("Duktus"),
and also in content. You seem to be a trainer for encryption and you have much
experience in how people react when they step into this for the first time.

Much of your text is unfortunately not written in an encouraging way.
We should turn all of that into better wording.
E.g. instead of "1. Become aware of your own limits" you might
want to say: "1. Get in touch with encryption step by step and learn it in a
playful way together with a partner", or: "2. Expect mistakes and ignorance
from the others" could be turned into "2. Help your communication partner
with shared knowledge and patient, detailed hints - because everyone started
small once", further "3. Spread only verified information" could be
"4. Help as a multiplier to share your knowledge on cryptography - but also
take care of quality control by continually deepening and broadening your
knowledge on cryptography".

I would not split it into "Kür" and "Pflicht" (optional and mandatory), as it is in some sense redundant.
Two chapters end with buying a website and buying a domain. Both in the chapter
for "make it easy" and "don't do it now"; this stresses the user too much, to
hear the need to first order a webserver before starting with crypto. You
might want to intend the opposite. And this might be a result of being fixed on
a certain encryption technology. We have a problem when you pretend a fixed
view of the world and speak as well of "Nischentechnik" (niche technology) - you might want to
say the opposite: evaluate all tools. But you pretend to say: use only OTR.
Here a discussion about the technical aspects might arise, as you do not
want monopolies, but suggest one. OTR has negative aspects as well, like a too
short MAC key and renewal options only per session. Other tools allow
renewing the symmetric key instantly at the push of a button and have a much longer MAC
key.


So don't suggest the tools, but rather some criteria. E.g. the multi-
encrypting messenger http://goldbug.sf.net has 6 criteria published on its
website, which you could integrate into your considerations. One
important thing is that the source code of the app, and of the chat
server as well, is open source. E.g. Bleep, the new BitTorrent chat tool, is very
straightforwardly focusing on getting users by integrating a key server with phone
number, email address and key - but no one knows if the tool is working
when this server is down or how to insert DHT bootstrappers. As well, the D/H
key exchange for OTR is broken if the XMPP servers communicate only point
to point and not end to end. A man in the middle is possible?!

Your last suggestion to not encrypt everything is not consistent. Of course
we need the infrastructure for encryption in every place, that means each
email with an encryption key as an offer. Whether a user who encrypts all, or a
user who encrypts only the important emails, is more in the focus of
agencies.. this might be discussed on another list..

Okay.. for me it might be a summary to suggest to you to not only suggest
one tool or technique to others. Try to be open and evaluate more tools:
http://wiki.vorratsdatenspeicherung.de/List_of_Secure_Instant_Messengers

Maybe you can extend your training to all these tools, and the mentioned
criteria could be part of the Knigge you suggest.
For me the most important thing is that the chat server is open source and cannot
log any plaintext. Plugin encryption is not that.

Kind regards, Tom


On Tue, Jul 29, 2014 at 9:35 PM, Hauke Laging <mailinglisten at hauke-laging.de> wrote:

> Hello,
>
> missing a culture of secured communication
> code of conduct (my German term: "Crypto-Knigge") would be quite useful to
> get there (or at least nearer).
>
> I am not talking about technical recommendations but about
> "organizational" (behaviour / attitude) recommendations.
>
> http://www.crypto-fuer-alle.de/crypto-knigge/


More information about the Gnupg-users mailing list