I feel slightly embarrassed that I ever taught classes on PGP.
-
The Doctor (drwho@hackers.town)'s status on Friday, 27-Aug-2021 17:19:32 UTC The Doctor -
Emacsen (emacsen@emacsen.net)'s status on Friday, 27-Aug-2021 17:19:07 UTC Emacsen I've thought a lot about this over the last 4 years or so, and here are my thoughts in a nutshell (maybe I should write this up):
1. PGP would be simple if it weren't for things like WoT. Without WoT we don't need to worry about signed keys and chains and any of that.
2. We should have just accepted some defaults à la P3P, such as approving new keys automatically, and made that tunable for extra security by others.
...
-
Emacsen (emacsen@emacsen.net)'s status on Friday, 27-Aug-2021 17:19:28 UTC Emacsen Why?
-
Charles U. Farley (freakazoid@retro.social)'s status on Friday, 27-Aug-2021 17:19:28 UTC Charles U. Farley @emacsen @drwho Because it's a usability nightmare, which makes it less secure and also dramatically reduces its ability to have any impact, at best, and at worst it taught people that encryption is hard so they might as well not even try?
-
Emacsen (emacsen@emacsen.net)'s status on Friday, 27-Aug-2021 17:23:37 UTC Emacsen 3. Purists are a real problem. Look at this comment on Hacker News in response to my mobile OS review:
https://news.ycombinator.com/item?id=28299734
This commenter would prefer to tell people *not to use mobile phones* than let them use FLOSS OSes with binary drivers.
These attitudes put people in harm's way.
4. People believe that security = complexity. There's a paper on OCAP as implemented in HP that talks about this issue. It's a serious problem, and PGP absolutely fit into that mindset.
-
Charles U. Farley (freakazoid@retro.social)'s status on Friday, 27-Aug-2021 17:23:37 UTC Charles U. Farley @emacsen @drwho I think it's much better to just tell people to be mindful of their use of technology and to realize that nothing is perfect.
-
Bernie (codewiz@mstdn.io)'s status on Friday, 27-Aug-2021 17:25:12 UTC Bernie @freakazoid @emacsen @drwho Another barrier to GPG adoption was that mainstream email clients (Gmail, Outlook and, yes, even Thunderbird) have supported other useless encryption schemes like S/MIME. GPG plugins and extensions have been around for a long time, but each one came with interoperability or usability issues.
Finally Thunderbird has built-in GPG support (still very immature, and using its own key store rather than the system's).
-
The Doctor (drwho@hackers.town)'s status on Saturday, 28-Aug-2021 04:18:52 UTC The Doctor @codewiz @freakazoid @emacsen T-bird finally ditched Enigmail?
-
Bernie (codewiz@mstdn.io)'s status on Saturday, 28-Aug-2021 04:19:37 UTC Bernie @drwho @freakazoid @emacsen Yes, finally. But they went the way of reimplementing the full-blown OpenPGP spec rather than use GnuPG (or GPGME).
It's probably good enough for a beginner user, but it doesn't support all the key formats and algorithms of GnuPG and requires manually importing/exporting private keys if you use PGP with other applications.
-