some beginner questions

Will Senn wsenn1 at twu.edu
Mon Apr 3 01:18:52 CEST 2017


On 4/2/17 1:20 PM, Doug Barton wrote:
> Some answers below, and you've already received some good answers, but
> I have some more fundamental questions. :)
>
> First, and an important question for security-related stuff generally,
> what is your threat model? In other words, what dangers are you
> guarding against by using PGP? You mention evangelizing your key, and
> asking how to get more people to use PGP with you. Those are
> reasonable questions, but the first is the most important.
>
Doug, interesting term "threat model". I've seen it a few times and
wasn't sure what it meant. Thanks for the simplified explanation. It's a
piece of technical jargon that is part of the difficulty I saw with
learning the OpenPGP terrain. While security folks probably dig the
lingo, for the lay person, it's, well, interesting... I perceive my
threat model as being 1) a risk that someone other than my intended
recipient will gain access to information that I am sending to my
intended recipient, and 2) a risk that someone other than me will gain
access to information that I want only to be accessible to me. I
envision the solution, based on my understanding of available
(affordable) technologies, as being 1) a secure method of transmitting
information asynchronously over public media and 2) a method of
encrypting information on local storage media.

As you can see above, my threat model is neither comprehensive nor
fully informed. But it's pretty much the same story for a lot of
folks. I have learned over the past several weeks that key management
is potentially a vulnerable point... I kind of suspected this, but after
hanging out in irc for a bit and tor, I'm kinda freaked out that it's a
more widespread problem than most folks realize - trojans are everywhere
:).
> If you simply want a secure way to communicate with people that you
> know without others being able to snoop on the conversation, there are
> other, arguably better, and certainly easier, solutions. PGP has its
> use cases, but unless we know why you want to use it, it's nearly
> impossible to give you good advice.
>
> More below.
>
> On 04/01/2017 07:10 AM, Will Senn wrote:
>
>> 3. I've read
>> https://superuser.com/questions/466396/how-to-manage-gpg-keys-across-multiple-systems
>>
>> and other such pieces proclaiming the value of having the master key in
>> a safe place and having subkeys on your actual devices.
>
> What do you think a master key is, and why do you think it's important
> to protect it? What kind of devices do you want to put signing subkeys
> on? Why do you think that your use of PGP will be more secure if you
> have a signing subkey on a device, instead of your "main key?"
>
Neal pretty much spelled out a reasonable answer to these questions, but
I'm not having much luck signing with subkeys, so I'm not convinced this
is worth the headache and increased complexity of key management.

>> 4. Is it safe to refer to my public key/fingerprint information as I did
>> in the previous question with output from gpg?
>
> In what way(s) do you think it could be unsafe?
>
> Doug
>
After some thought and additional input, I don't think it is unsafe. But
I was curious if my slightly informed perspective would bear up to
additional scrutiny.

Thanks,

Will
