Teaching GnuPG to noobs

Bob (Robert) Cavanaugh robertc at broadcom.com
Wed Jun 17 19:55:42 CEST 2015


Hi All,
This is an interesting thread and I want to share my experience. Part of what I do is train people for a secure position. When I am explaining compartmentalization, I use a two-key lock metaphor to help describe classification levels and need-to-know. The metaphor only deals with 'opening' the lock. I think that may be where the inappropriate use got 'appropriated'.

Bear in mind that my noobs are generally at least technically conversant. I first describe that the public and private key are calculated together and are mathematically linked. Depending on the audience I don't go over the modulus formulae but I do then describe what can be encrypted with one key can be decrypted with the other. Then I talk about the actual mechanism for doing so. I find that if they have at least a cursory understanding of what they are trying to do, it helps a lot in understanding the actual command line/GUI sequence.

I leave signing until after I describe the public key/private key encryption paradigm. I find that combining the two topics leads to a lot of confusion. Once they understand asymmetric encryption then I go on to digital signatures and why they are important (Man in the Middle is an excellent way to introduce this topic).

HTH

Thanks,
 
Bob Cavanaugh

> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of
> Robert J. Hansen
> Sent: Wednesday, June 17, 2015 7:15 AM
> To: A.T. Leibson; gnupg-users at gnupg.org
> Subject: Re: Teaching GnuPG to noobs
> 
> > What has your experience been teaching inexperienced users how to use
> > GnuPG properly?
> 
> Varies between extremely good and extremely bad with very little in-
> between.  When addressing people who have the motivation to learn and
> the ability to think analytically, it's been great.  When addressing people who
> lack one or the other it's frustrating, and when addressing people who lack
> both it makes me prefer dental surgery.
> 
> > What are common pitfalls on the part of the instructor?
> 
> The most common one I've found is not understanding the material as well
> as they think.  This tends to come through most in the metaphors an
> instructor uses.  For instance, I frequently encounter instructors who tell the
> class to imagine a lock with two keys, one that locks it and one that unlocks it,
> and they proceed to use that lock metaphor to explain crypto.
> 
> It's absurd.  Who in the class has ever seen a lock with two keys, one that
> locks it and one that unlocks?  The metaphor's ridiculous: the locks the
> students are familiar with require *no* keys to lock and only one key to
> unlock.
> 
> When I see an instructor use inappropriate metaphors, who doesn't
> understand that these metaphors are inappropriate, it makes me think the
> instructor has a superficial and fragile understanding of the material.
> And frankly, there are a lot of those people out there.
> 
> (One metaphor I've been playing with lately, but haven't decided yet
> whether it's a good one, involves magical sealing wax.  This magical sealing
> wax can only be cut or shaped by one person -- the person who owns it.  If
> you seal a message with this person's magical sealing wax, only that message
> recipient can open it.  And if you see that someone has pressed a signet ring
> into it, you know the person who owns the wax did it, since only they could
> shape it.  So if Alice were to affix her magical sealing wax to a message and
> press her signet ring into it, and then fold the letter and seal it with Bob's
> magical sealing wax, only Bob could cut the magical sealing wax to read the
> message and he would know that only Alice could have put her signet on the
> blob of wax at the end of the letter.
> 
> Is magical sealing wax a better metaphor than a lock with two keys?
> Yes.  Is it better *enough*?  I don't know yet.)
> 
> > What aspects are the most challenging for new users to understand?
> 
> Anything that gets explained with a poorly chosen metaphor.
