Thoughts on GnuPG and automation

Robert J. Hansen rjh at sixdemonbag.org
Tue Mar 3 17:01:34 CET 2015


Hans, please trim your quoted material.

> They would need to use a specialized system, and that specialized
> system might then be a marker of suspicion (for example, lots of
> governments, including the NSA, already mark all PGP messages as
> suspicious).

Unless you've got a desk somewhere deep inside Fort Meade and you're
sitting in on briefings the rest of us aren't, you don't know this.

There's a lot of panic and paranoia in the air already without people
making it worse by treating what they *think* is true as if they *know*
it's true.

(I don't know if what he's claiming is true or false... but I *do* know
that I don't believe his certainty, and I wouldn't believe anyone else
who claimed to be certain, either!)

> trumpeting "ease of use" above all else.  We are seeing systems like
> keybase.io that make things really easy, but also expect users to
> upload their _private_ key to some alpha web service.

keybase doesn't expect users to upload the private key.  It works just
fine if you don't, and in fact you have to go through an extra couple of
steps to put the private key on the keybase servers.

For some use cases this is a good practice.  For many more it's a bad
practice.  But it's way too facile to simply say,

> That is terrible security practice.
