[Discuss] PGP Basics

[abreauj at gmail.com (John Abreau)]

Hey, I created a new key the day after the keysigning! It's just that the
next BLU keysigning party is still 11 months away...



On Tue, Oct 11, 2011 at 12:38 PM, Jerry Feldman <gaf at blu.org> wrote:
> On 10/10/2011 09:28 PM, Edward Ned Harvey wrote:
>>>
>>> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
>>> bounces+blu=nedharvey.com at blu.org] On Behalf Of Kyle Leslie
>>>
>>> Hola Everyone. ?With the recent talk about PGP and the growing need for
>>
>> its
>>>
>>> use at my company I have been trying to learn about it.
>>
>> I'll encourage you to look at S/MIME instead. ?It's much easier.
>>
>> Surely some people on this list will say PGP is more secure, and as with
>> anything, there's a grain of truth which is probably not represented
>> entirely accurately. ?The fundamental difference is this: ?S/MIME is based
>> on SSL, which means anything you send/receive is automatically checked for
>> validity using the built-in SSL root Trusts. ?These are the same
>> organizations that are used to trust https traffic, or anything else based
>> on SSL.
>>
>> So the grain of truth is like this: ?As long as you're trusting a 3rd
>> party
>> such as verisign or thawte, then there's an attack vector which otherwise
>> doesn't exist. ?An attacker only needs to somehow compromise one of these
>> root trusts, and then they can forge signatures. ?Although rare, this has
>> been known to happen. ?When it happens, the compromised certificate
>> authority promptly revokes any compromised certs (as soon as they discover
>> they've been compromised)... ?So it's important to keep current with
>> system
>> updates.
>>
>> On the flip side, with PGP you don't have automatic trusts. ?You need to
>> somehow decide you trust someone's cert based on some kind of out-of-band
>> information. ?Maybe because the person told you over the phone "I'm
>> sending
>> it now" and then it arrived a second later, or whatever. ?The problem with
>> something like this is... ?Just like the "Are you sure?" prompts that you
>> get everytime you try to do anything in windows... ?People just make a
>> habit
>> of always clicking "Yes" without thinking about it.
>>
>> Everyone has their own opinions, about which is more trustworthy and which
>> is more convenient. ?My opinion is that if you're deploying one of these
>> technologies for your company, IMHO your users would be more secure with
>> S/MIME, and it's much more convenient. ?If you were only deploying it for
>> yourself, then you as an interested and technical user might actually get
>> better security out of PGP.
>>
>> You can get free S/MIME certs from startssl.com, and probably a number of
>> other locations. ?If you're interested, I have an example here:
>>
>> http://dl.dropbox.com/u/543241/Digital%20ID%20Step%201%20-%20Create%20Cert%2
>> 0IE9%20Win7.pdf
>> and
>>
>> http://dl.dropbox.com/u/543241/Digital%20ID%20Step%202%20-%20Outlook%202010.
>> pdf
>>
> It does come down to trust, but also a need. I can pretty well trust those
> whose keys I have signed, and who have conversely signed mine. But, where is
> my need? I don't have much need, and until JABR gets a new key I don't much
> trust him :-). But, in a corporate environment when you are exchanging
> email, both digital signatures as well as encryption are workable. So, in a
> corporate environment, you might upload your public key to the corporate key
> server (assuming PGP). By having only employees being allowed to upload, you
> can establish trust as long as it is being properly managed. If an employee
> leaves, then there should be a procedure to decertify his/her key. Same
> would apply to ssl certs. I think in the original poster's situation, he is
> in a corporate PGP environment,
>
> --
> Jerry Feldman<gaf at blu.org>
> Boston Linux and Unix
> PGP key id:3BC1EB90
> PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 ?C0AF 7CEA 30FC 3BC1 EB90
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
GnuPG KeyID: 0xD5C7B5D9 / Email: abreauj at gmail.com
GnuPG FP: 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99