encrypting to expired certificates

Robert J. Hansen rjh at sixdemonbag.org
Mon Sep 15 20:17:53 CEST 2014


> Sorry. I've confused too issues.  Yes, it is hard to enforce expiry 
> dates in a 'secure' way. I wasn't meaning to suggest it was
> something openpgp should try to do.  I don't think we should make it
> easy to ignore them, that's all.

Well, I still respectfully disagree, because -- oh, that's a rant.

Then again, when has something being a rant ever stopped me?

Okay: hang tight for some heresy.

I've been using PGP and GnuPG for over twenty years now, and in those
twenty years I've reached only a handful of beliefs.  I love the math
because you don't need to believe math: the theorem either works or it
doesn't.  Belief is a harder thing, and because of that it's wise to be
very careful before forming beliefs.

Here's my belief: anyone who advocates PGP/GnuPG, with or without
supporting tools like Enigmail, to average end-users is committing
professional malpractice.  If they don't recognize they're doing it,
they should take that as a sign they don't understand GnuPG/OpenPGP
anywhere near as well as they think they do.

GnuPG is not a communications security solution.  It is a communications
security *toolbox*, and an incomplete toolbox at that.  GnuPG provides
mechanism and only mechanism.  GnuPG does not provide policy, and
precious few of the tools supporting GnuPG fill in that gap.  Enigmail
doesn't.  GPA doesn't.  Pretty much nothing does.  For that reason,
recommending these tools to end-users is professional malpractice
because end-users do not have the skills or experience to wisely
determine policy.  (I don't, either.  If I were drafting policy I would
need, at the least, assistance from HR [to tell me about human-factor
concerns], Legal [to tell me about regulatory concerns], and IT [because
they'd be the ones supporting the thing].  I doubt that anyone on this
list, up to and including Werner, is capable of drafting a competent and
effective policy for an entire organization on their own)

Whew.  That was a good beginning to a rant.  Let me take a deep breath
here...

Policy -- who signs what, whose certificates are trusted and why,
whether persona certifications should carry different semantic meaning
than generic certifications, whether signatures should carry expiration
dates, whether those expiration dates should be respected -- is, in a
word, *IMPORTANT*.

Further, policy will vary from person to person to person and
organization to organization.  This is one of the reasons why the
"should we use inline or PGP/MIME?" question will never be conclusively
answered.  That's not a technical question, it's a policy question that
people insist on treating like a technical question.  Technical
questions have only one answer: policy questions can only truly be
answered with a, "well, it depends..."

Here's something else about policy: putting together good policy is
*HARD*.  I've sat in on policy meetings before to provide technical
advice, and let me tell you, I'd much rather be debugging Win32 binaries
using gdb and a broken keyboard.  Policy is driven by human factors as
much as, or more than, by technical factors and that means your average
geek is completely adrift in this space.

Once you've got a usage policy, your next three questions become
monitoring, remediation, and enforcement.  How do you monitor usage to
ensure it complies with policy?  When something falls out of spec,
what's the process to bring it back into spec?  When you find who's
responsible for it falling out of spec, what happens to them?  These
questions, too, get discussed and resolved in policy meetings.

So, put it all together and here's what you need, at a minimum, to
effectively use GnuPG:


1.  Cryptographic tools.  GnuPG provides these.
2.  Usage policy.  You're on your own.
3.  Monitoring policy.  You're on your own.
4.  Remediation policy.  You're on your own.
5.  Enforcement policy.  You're on your own.


... So, yeah.  Whenever I see someone talk about how "we need to improve
GnuPG's adoption numbers!", I roll my eyes.  Invariably they talk about
how we need to make GnuPG "easier to use".  But that's not the problem
and it's never been the problem.

The problem is *policy*.

Werner has, IMO wisely, decided that GnuPG will not make policy for the
user.  I think that's the absolutely correct decision to make.  GnuPG
should not be telling me what my usage, monitoring, remediation or
enforcement policies should be.  But the total absence of policy has led
to the vast majority of GnuPG users *not even knowing that it's absent*.

As a result, we as a community drastically understate (or in many cases
don't even state!) the difficulty, expense, and necessity of policy.

So, to tie all this back to your original remarks, Nicholas, I disagree
that we need to do something about making it harder to encrypt to
expired certificates.  That's a policy decision, and as such it's
outside the scope of GnuPG.

But if you want to start waving the banner of, "POLICY!  GET SOME!",
well, the line starts behind me.  :)



More information about the Gnupg-users mailing list