German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Fri Feb 27 20:28:39 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 02/27/2015 07:37 PM, Marco Zehe wrote:
> Hi Kristian,
> 
>> Am 27.02.2015 um 17:31 schrieb Kristian Fiskerstrand 
>> <kristian.fiskerstrand at sumptuouscapital.com>:
>> 
>> On 02/27/2015 05:26 PM, Patrick Brunschwig wrote:
>>> On 27.02.15 13:11, Kristian Fiskerstrand wrote:
>>>> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>>>>> Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:

...

>>> 
>>> But that's the main primary reason of the article at all. The 
>>> fact that anyone can upload _every_ key to a keyserver is an 
>>> issue. If
>> 
>> No, it is not, it has always been very clear not to rely on the 
>> existence of a key on either a keyserver or on a local keyring 
>> without proper verification and certification
> 
> And here’s the other problem the main article in c’t mentions:
> Those keys, although faked, were certified. They were certified by
> equally faked keys which resemble keys that are quite well-known.
> So unless someone had the *real* certifying keys installed and
> could see that those weren’t the same certifications as on the
> forged keys, there was no first and even second glance way of
> recognising these as being faked.

This doesn't make much sense: if you don't have a trust path to any of
those other keys, their existence is irrelevant, and that is before
taking ownertrust into consideration in the first place (only a dozen
of the keys I've certified have ever been assigned an ownertrust of
marginal, and much fewer as full).

What is needed is better education and an increased consciousness in
society at large in considering security and privacy. I will concede
that we have a way to go on making the concepts better understood,
which is increasingly getting difficult due to diffusion from things
like discussions on algorithms and key preferences, which play a
marginal role in the overall consideration of security (including opsec).

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
"I never worry about action, but only inaction."
(Winston Churchill)
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU8MVjAAoJEP7VAChXwav6u+cH/2N+9jRongWuNnRVuoAtWv8l
942GmWX9bTiLrX7BMHLyVyQ3MwEA/nqvHA5g4wGCL2TbJ5IiUvMwEr772YlSbsXH
nMpEV4OVtdaZpCjvoCNtnNxHVG0IHI5PaPoCcAHMxOq3Ed2GIJjCvS/CQjP0XpSy
X96eyqg+IamEQzXF+ON90xstqLG704lFgkE7PI6hkRAzs+wi5mz54sN6YgmSKAUj
A4KS3/1ZORWLG/P0bGYChrtipoXAlW74K3gjG2eLLtFuiqlqG38HEBDYLYPISkyC
iwecqXSbKoq1R8e9c1Xox9bwVyqEDXz+lLahmwMgGtshQEhXkjylVPQ9uHkw8/w=
=gwGH
-----END PGP SIGNATURE-----
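The trust-path argument above (a key certified only by keys you cannot validate gains nothing from those certifications, and certifications only carry weight once ownertrust is assigned) can be made concrete with a small model of GnuPG's classic web-of-trust validity calculation. This is an added example, not code from the thread or from GnuPG; it assumes the default classic parameters (completes-needed=1, marginals-needed=3) and a constructed sample keyring in which a forged key resembling a well-known one is certified only by other forged keys.

```python
"""Toy model of GnuPG's classic web-of-trust validity calculation.

Added example (not GnuPG code). Assumes the default classic trust-model
parameters and a constructed keyring; key names are placeholders.
"""

# Ownertrust levels as used by the classic trust model.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = (
    "unknown", "never", "marginal", "full", "ultimate")

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted certifier suffices
MARGINALS_NEEDED = 3   # GnuPG default: or three marginally trusted certifiers


def compute_validity(certifications, ownertrust, max_depth=5):
    """Return {key: 'valid' | 'marginal' | 'unknown'} for every key.

    certifications: dict key -> set of keys that certified (signed) it.
    ownertrust:     dict key -> ownertrust level the local user assigned.
    Only certifications made by keys that are themselves fully valid count,
    and they only count if that certifier has been given ownertrust.
    """
    keys = set(certifications) | set(ownertrust)
    for signers in certifications.values():
        keys |= set(signers)
    validity = {k: "unknown" for k in keys}
    # Ultimately trusted keys (your own) are valid by definition.
    for key, level in ownertrust.items():
        if level == ULTIMATE:
            validity[key] = "valid"

    # Propagate validity outward, at most max_depth hops from the root.
    for _ in range(max_depth):
        changed = False
        for key in validity:
            if validity[key] == "valid":
                continue
            completes = marginals = 0
            for signer in certifications.get(key, ()):
                if validity.get(signer) != "valid":
                    continue  # unvalidated certifier: its signature has no weight
                level = ownertrust.get(signer, UNKNOWN)
                if level in (FULL, ULTIMATE):
                    completes += 1
                elif level == MARGINAL:
                    marginals += 1
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = "valid"
            elif completes or marginals:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


def sample_keyring():
    """Constructed keyring: a real trust path plus forged look-alike keys."""
    certifications = {
        "ALICE": {"ME"},
        "BOB": {"ALICE"},
        "CAROL": {"ALICE"},
        "DAVE": {"ME"},
        "ERIN": {"BOB", "CAROL", "DAVE"},     # three marginal certifiers
        "FRANK": {"BOB"},                    # a single marginal certifier
        # Forgery resembling ALICE, certified only by forged copies of
        # other well-known keys that were also uploaded to a keyserver.
        "FAKE_ALICE": {"FAKE_ME", "FAKE_BOB"},
    }
    ownertrust = {
        "ME": ULTIMATE,
        "ALICE": FULL,
        "BOB": MARGINAL,
        "CAROL": MARGINAL,
        "DAVE": MARGINAL,
        # The forged keys never receive ownertrust; nobody chose to trust them.
    }
    return certifications, ownertrust


def demo():
    certifications, ownertrust = sample_keyring()
    return compute_validity(certifications, ownertrust)


if __name__ == "__main__":
    for key, state in sorted(demo().items()):
        print(f"{key:11s} {state}")
```

The forged keys end up with validity "unknown" however many forged certifications they carry, because nothing in the local web of trust reaches them and none of their certifiers has ownertrust. In real GnuPG the same calculation is run over the trustdb (`gpg --update-trustdb`), with the thresholds adjustable via `--marginals-needed` and `--completes-needed`.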
