pgp/gnupg

[billhorne at mediaone.net (Bill Horne)]

Kent Borg wrote:

> On Fri, Oct 05, 2001 at 11:20:51PM -0400, David Kramer wrote:
> > I used pgp at my past job, and still do, to communicate with co-workers
> > stuff I didn't want management to see.
>
> Practical question: How easy is it to keep track who is gnupg/pgp
> capable and their public key/sig details?

It's nearly impossible, at least in an office environment with people whom
are not computer-literate, especially across company boundaries or between
vendors.

The best I've been able to do is use Lotus Notes built-in encryption
functions to prevent auto-monitoring, but I don't know if I can prevent
unauthorized users monitoring my email by hand if they want to, since the
control over private keys is not documented. However, it's damn near
impossible to get any vendor attached to the system, and so we've been
reduced to handing over floppies in person or using direct-dialup connections
which I've been told to assume are secure.

Any effective system involving PGP in a non-techie environment would have to
include, IMNSHO, full integration with the MUA at each end so that encryption
is totally transparent to the user. Notes has this, and it works, but it's
not (AFAIK) compatible with PGP.

In addition, a neutral third party would be needed to issue and keep track of
keys and users: Verisign and Thwarte make a lot of money doing this, and it's
something the BLU could do well (Hint. Thud.).

Bill Horne

-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).