[Discuss] Fwd: Relevance of PGP?

John Abreau jabr at blu.org
Thu Aug 18 03:05:53 EDT 2011


Another missed Reply-All


---------- Forwarded message ----------
From: John Abreau <jabr at blu.org>
Date: Sun, Jun 12, 2011 at 4:20 PM
Subject: Re: [Discuss] Relevance of PGP?
To: Anthony Gabrielson <agabrielson1 at comcast.net>


Sometimes people assign power of attorney to their lawyer or accountant.
A similar thing could be done to delegate trust to a hired professional,
without requiring a single central authority to be in charge of all such
trust delegations worldwide.

If an average user wants to delegate his PGP keysigning to his lawyer,
he can configure his PGP settings to trust all keys that the lawyer trusts,
and then the lawyer can take care of attending keysignings, contacting
other keyholders (or those keyholders' lawyers) to verify their keys, etc.

The SSL certificate hierarchy doesn't work this way, from what I've seen,
and transforming it to work this way would be a huge effort with a lot of
political resistance.  I believe it would be a lot easier to implement this
as an extension of the PGP web-of-trust model.



On Sun, Jun 12, 2011 at 3:50 PM, Anthony Gabrielson
<agabrielson1 at comcast.net> wrote:
> While I agree that more end-user education is always desirable, I think much of that time could be better spent simplifying the interface (keep in mind the average user barely notices a browser lock).  IMHO most deployed cryptography is much too difficult for the average user to comprehend.  Let's look at key signing parties - can you really picture non-technical users having a key signing party?  I don't see parents at the park watching their kids playing and trading PGP keys among themselves.  I also don't see executives dedicating the first 20 minutes of a meeting to PGP key signing.  Most of the security achieved through key signing parties can be achieved in other ways, and those methods need to be exposed.  Truthfully, I don't think users even need to know they are encrypting traffic.  They should be allowed to focus on their task at hand, and the security should just work if conditions permit and, if not, an error code provided.  This isn't the first time an area of computing has been dominated by a difficult technology; much like sockets many years ago, cryptography can evolve into an easy to use general-purpose API that will work across a wide spectrum of applications and technology so developers can focus on the interface.
>
> I'm not just ripping PGP; every form of cryptography that I have looked at is deficient in one form or another.  Cryptography as a whole needs to move from a math dominated field to a usability field.
>
> On Jun 12, 2011, at 3:29 PM, John Abreau wrote:
>
>> If average users didn't understand the reason their front doors have locks,
>> they probably wouldn't bother locking their front doors, and risk having
>> their homes burglarized.
>>
>> The problem with encryption is that the average user hasn't been taught
>> the risks, so they don't understand why they should bother with encryption.
>> It is precisely because they don't understand the risks that they
>> perceive the effort as "jumping through hoops".
>>
>> It certainly doesn't help that Hollywood tends to portray crackers as having
>> some sort of supernatural ability to break into computers, when in reality
>> their skills are typically the equivalent of looking under the doormat
>> for a key, knowing that many average homeowners will hide a spare key there.
>>
>> If the Bad Guys have supernatural powers, then no amount of effort can
>> keep them out, whereas if the Bad Guys are just looking under doormats,
>> then the effort needed to thwart them isn't so hard.
>>
>>
>> On Sun, Jun 12, 2011 at 3:09 PM, Anthony Gabrielson
>> <agabrielson1 at comcast.net> wrote:
>>>
>>> On Jun 11, 2011, at 2:23 PM, Bill Ricker wrote:
>>>> PGP ring of trust allows for non-centralized asynchronous auditable
>>>> out-of-band context. If I exchange key prints in a meatspace signing
>>>> party with John and he with you another day, I may decide that's
>>>> sufficient reason to believe you actually exist and that that's your
>>>> key, or not, at my choice.
>>>
>>> Yup, you're absolutely correct.  However, that's why it will never see widespread use - BLU folks aren't the average user, and the average user will never jump through those kinds of hurdles.  PGP out of the box is a PIA, with some really neat features.  I've been doing some research, that at least I find interesting, to make PGP usable; if I can ever get one of the papers published it may even make a neat talk.
>>>
>>> Anthony
>>> _______________________________________________
>>> Discuss mailing list
>>> Discuss at blu.org
>>> http://lists.blu.org/mailman/listinfo/discuss
>>>
>>
>>
>>
>> --
>> John Abreau / Executive Director, Boston Linux & Unix
>> AIM abreauj / JABBER jabr at jabber.blu.org / YAHOO abreauj / SKYPE zusa_it_mgr
>> Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
>> PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
>
>



--
John Abreau / Executive Director, Boston Linux & Unix
AIM abreauj / JABBER jabr at jabber.blu.org / YAHOO abreauj / SKYPE zusa_it_mgr
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99





