Re: Web of Trust itself is the problem
While the ontopicness of my comment is a bit questionable I don't think I've gotten an encrypted email in the last 12 months, but I still use gpg every day.

All Debian and (I imagine, or at least hope) Debian derivatives such as Ubuntu incorporate digital signing of software. I think signing of software to be a pretty important thing, and represents a relatively large userbase that's not to be overlooked. Though, admittedly, some proportion of them are indifferent towards it.

-- 
Roscoe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
On Sun, Jan 10, 2010 at 11:37:12PM -0500, Robert J. Hansen wrote:
> A few years ago a fellow grad student of mine, Peter Likarish, developed a really cool anti-phishing technology.
> [but test subjects didn't react to the warning]
> Peter's hypothesis was that Flash ads are to blame. Users have become conditioned to having Flash ads appear on the screen, take over real estate, and so on. Therefore, users were subconsciously filtering out this big red alert bar and it was never percolating up to the conscious level where users could make an informed decision about the risks.

Yes indeedy. Those ad.s appear at the top of the page (and elsewhere, but there's *always* one at the top). We're rigorously trained every day to ignore stuff at the top of the page that doesn't look like what we expected. Maybe he should try a bar across the *middle* of the window, or a diagonal, or alpha-blend a red overcast onto the entire page

Still, it's another technology-intractable problem. If people cared, they would train themselves to look for trouble indicators, like scanning the dashboard from time to time for problems with speed, fuel, temperature, etc. We're trained to operate motor vehicles, but not to operate browsers or MUAs. (It's intuitive! Not.) And meanwhile the world is training us that it is vitally important to our sanity and the defense of our time to learn to detect and ignore things that we don't care about.

I think that technology can't help this as much as would knowing why we want some technology. People who feel a need will look for tools to deal with it; people who feel no need will ignore the finest tools.

-- 
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: Web of Trust itself is the problem
Mark H. Wood wrote:
|
| Still, it's another technology-intractable problem. If people cared,
| they would train themselves to look for trouble indicators, like
| scanning the dashboard from time to time for problems with speed,
| fuel, temperature, etc. We're trained to operate motor vehicles, but
| not to operate browsers or MUAs. (It's intuitive! Not.)

I know drivers who have no clue about all those trouble indicators. I was a passenger with a friend and I noticed the engine temperature gauge was too high. I urged her to stop the car until it could cool down and we could see what the trouble was. She said she would do that after lunch, but she did not have time then. I told her to turn the heater on full, and since this was summer, she objected, but did it. When we got to the restaurant, she turned the motor off. After lunch it had cooled down some, so I looked into the radiator where there was no noticeable water. We got some from the restaurant. I forgot what the trouble was (defective radiator hose, loose clamp, etc.), but at least she did not need to get a new engine.

People often drive for months with the Check Engine light on. When I ask about this, they say it is nothing: it is always on. They have seen it so long they have gotten used to it. They just do not care.

I knew a guy who had a Pontiac station wagon he bought new. He never had it serviced or even checked the oil or the oil pressure light. Well one of those will go about 25,000 miles before seizing up.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 10:05:01 up 4 days, 12:00, 3 users, load average: 4.56, 4.59, 4.68
Re: Web of Trust itself is the problem
January 12th 2010 in gnupg-users@gnupg.org thread Web of Trust itself is the problem

Actually I was quoting Robert Holtzman, not Robert J. Hansen, sorry for not including the full name.

I have no time now to read those texts because my holidays ended already :(.
Re: Web of Trust itself is the problem
David Shaw writes, in part:
-+-
| It's not that they gave it a bit of thought and decided
| against it for whatever reason - they never gave it even a
| moment of thought. The only crypto they use is the crypto
| that is invisible to them (usually https, which is pretty
| invisible).

I used to work at Verdasys. One of the strong selling points with its customers is as you say, for crypto to be in place but with no user the wiser nor need that they be. A piece of marketing material:

http://www.verdasys.com/images/uploads/Encryption_DataSheet.pdf

There are quite a few installations of the above at the 100,000 seats level (enterprise deployment).

--dan
Re: Web of Trust itself is the problem
On Monday, 11.01.2010 at 01:26 -0500, Robert J. Hansen wrote:
> On 01/10/2010 10:57 PM, Faramir wrote:
> ...I just about had a heart attack. The voting authorities thought this was just fine...

You are obviously not loved by the voting authorities :-)

Greetings from the Black Forest!
Bernhard
Re: Web of Trust itself is the problem
Robert J. Hansen wrote:
> ...
> Crypto is not like this. Sure, you don't need to understand Feistel networks or large number theory in order to use crypto, but look at what you *do* need to understand:
>
> * Identity verification

I think I understand it.

> * Document verification

I hope I understand it.

> * What a hash is

I understand it.

> * How hashes are used

I think I understand it.

> * How hashes are misused and shouldn't be used

Ehh... I've never thought about it. How they should not be used?

> * Out-of-band verification

I think I understand it...

> * Type I versus Type II error

I don't have any idea about this, can you please clarify it?

> ...
> As an example, a fairly tech-savvy friend of mine made a habit of signing all her emails. Her reasoning was, "if people ever see a message that's not signed, they'll know it's not from me." This reasoning sounds good, and many people on this list would probably agree with it. The problem is that it's incorrect. If someone using her name were to post a racist, hate-filled screed on the internet, would she really be able to persuade people she didn't write it just by saying "look, I didn't sign it"? Or would her critics say, "of course you didn't sign it, you wanted to be able to deny writing it!"?

I get your point. However, people should be considered innocent until proven guilty. Of course if we talk about racism, paedophilia or drugs traffic, people are guilty even if they have been dead for years before the incident.

Best Regards
Re: Web of Trust itself is the problem
On 01/10/2010 10:57 PM, Faramir wrote:
>> * How hashes are misused and shouldn't be used
>
> Ehh... I've never thought about it. How they should not be used?

I've seen computerized votes authenticated by MD5 hash... sent over email... in the same message as the official vote record. As in, "the attachment has MD5 hash XXX, if your version hashes out to XXX then the vote record is authenticated."

I just about had a heart attack. The voting authorities thought this was just fine, and a perfectly correct use of hashes.

>> * Type I versus Type II error
>
> I don't have any idea about this, can you please clarify it?

False positive versus false negative. If there's a transmission error in the sigblock *but not in the source text*, you can have a bad signature with a completely intact message. Therefore, the fact a signature is bad doesn't automatically tell you the message was tampered with.

If the message was altered somehow, the signature will be bad. However, if the signature is bad, that doesn't necessarily mean the message was altered somehow. A lot of people miss this point. It's kind of important.

> I get your point. However, people should be considered innocent until proven guilty.

What should be true is a question for religion, philosophy and ethics. Engineering is about asking what *is* true.
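The two points in the message above, worked through as an added example (not code from any poster in this thread): an unkeyed MD5 sent alongside the record still matches after both are changed, and a damaged authenticator fails verification even when the record is intact. It assumes an HMAC under a key agreed out of band as a stand-in for the OpenPGP signature; the function names, key and vote record are constructed for illustration.

```python
import hashlib
import hmac


def send_with_md5(record: bytes) -> dict:
    """The scheme described above: record and its MD5 in the same message."""
    return {"record": record, "md5": hashlib.md5(record).hexdigest()}


def md5_matches(msg: dict) -> bool:
    return hashlib.md5(msg["record"]).hexdigest() == msg["md5"]


def send_with_tag(record: bytes, key: bytes) -> dict:
    """Stand-in for a signature: HMAC-SHA256 under a key exchanged out of band."""
    tag = hmac.new(key, record, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def tag_matches(msg: dict, key: bytes) -> bool:
    expected = hmac.new(key, msg["record"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def altered_in_transit(msg: dict, new_record: bytes) -> dict:
    """Model a message changed between sender and reader.

    An unkeyed hash can be recomputed by whoever changes the record, so it is
    updated too. A keyed tag cannot be recomputed without the key, so it stays.
    """
    out = dict(msg, record=new_record)
    if "md5" in out:
        out["md5"] = hashlib.md5(new_record).hexdigest()
    return out


def damaged_tag(msg: dict) -> dict:
    """Model a transmission error that hits only the tag, not the record."""
    tag = msg["tag"]
    first = "1" if tag[0] == "0" else "0"
    return dict(msg, tag=first + tag[1:])


def run_cases(key: bytes = b"constructed key, agreed out of band") -> dict:
    original = b"precinct 12: A=410 B=388"   # constructed sample record
    changed = b"precinct 12: A=388 B=410"

    md5_msg = altered_in_transit(send_with_md5(original), changed)
    tag_msg = altered_in_transit(send_with_tag(original, key), changed)
    noisy = damaged_tag(send_with_tag(original, key))

    return {
        # Altered record, yet the hash "authenticates" it.
        "md5_accepts_altered_record": md5_matches(md5_msg),
        # Altered record is rejected when verification depends on a secret.
        "tag_accepts_altered_record": tag_matches(tag_msg, key),
        # Bad authenticator, intact record: failure does not prove alteration.
        "damaged_tag_verifies": tag_matches(noisy, key),
        "record_intact_despite_failure": noisy["record"] == original,
    }


if __name__ == "__main__":
    for name, value in run_cases().items():
        print(f"{name}: {value}")
```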
Re: Web of Trust itself is the problem
On 1/11/2010 1:26 AM, Robert J. Hansen wrote:
> I've seen computerized votes authenticated by MD5 hash... sent over email... in the same message as the official vote record. As in, "the attachment has MD5 hash XXX, if your version hashes out to XXX then the vote record is authenticated."
>
> I just about had a heart attack. The voting authorities thought this was just fine, and a perfectly correct use of hashes.

E... unbelievable!

-- 
Jim
Re: Web of Trust itself is the problem
On 09.01.2010, RobertHoltzman wrote:
>> Personally I think a lot of people care about privacy, but are just not able and/or frightened to install something complex on their machines.
>
> Then you get the contingent that says "I have nothing to hide".

What I've encountered is that lots of people answering that way do not actually mean what these words say, but use them as a way to avoid saying the truth: I'm not able to install such software, I can not understand how this works at all, it seems way too complicated to me, and I do not want you to know that I do not even understand the slightest bit at all of what you're talking about :-)

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
Re: Web of Trust itself is the problem
On Sat, Jan 09, 2010 at 02:49:13PM +0100, Heinz Diehl wrote:
> On 09.01.2010, RobertHoltzman wrote:
>>> Personally I think a lot of people care about privacy, but are just not able and/or frightened to install something complex on their machines.
>>
>> Then you get the contingent that says "I have nothing to hide".
>
> What I've encountered is that lots of people answering that way do not actually mean what these words say, but use them as a way to avoid saying the truth: I'm not able to install such software, I can not understand how this works at all, it seems way too complicated to me, and I do not want you to know that I do not even understand the slightest bit at all of what you're talking about :-)
>
> http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

That is a great paper. I am keeping it for the next time I run into one of them.

-- 
Bob Holtzman
GPG key ID = 8D549279
If you think you're getting free lunch check the price of the beer.
Re: Web of Trust itself is the problem
On Thu, Jan 7, 2010 at 9:08 PM, Mario Castelán Castro mariocastelancas...@gmail.com wrote:
> I think the WoT and in general the cryptography is not widely used because few people really care about their privacy.

IMHO, there's another problem, an entry barrier to the WoT. The practice of key exchange is widespread in very close circles of geeks, Linux developers and, to a certain degree, scientists. For someone who does not belong to these categories and does not attend any conferences, the web of trust is hardly reachable. Unfortunately, I know no solutions besides commercial CAs.

-- 
With best regards,
Dmitri Minaev
Russian history blog: http://minaev.blogspot.com
Re: Web of Trust itself is the problem
Dmitri Minaev min...@gmail.com writes:
> On Thu, Jan 7, 2010 at 9:08 PM, Mario Castelán Castro mariocastelancas...@gmail.com wrote:
>> I think the WoT and in general the cryptography is not widely used because few people really care about their privacy.
>
> IMHO, there's another problem, an entry barrier to the WoT. The practice of key exchange is widespread in very close circles of geeks, Linux developers and, to a certain degree, scientists. For someone who does not belong to these categories and does not attend any conferences, the web of trust is hardly reachable. Unfortunately, I know no solutions besides commercial CAs.

Sites such as http://biglumber.com/x/web can help with this. My perception of it is that it does not exclude non-geeky people.

/Simon
Re: Web of Trust itself is the problem
On Fri, Jan 8, 2010 at 8:21 PM, Mario Castelán Castro mariocastelancas...@gmail.com wrote:
>> IMHO, there's another problem, an entry barrier to the WoT. The practice of key exchange is widespread in very close circles of geeks, Linux developers and, to a certain degree, scientists. For someone who does not belong to these categories and does not attend any conferences, the web of trust is hardly reachable. Unfortunately, I know no solutions besides commercial CAs.
>
> Well, you really don't *need* to be within WoT to use crypto, the confidence level will be less but for most people it is enough.

Actually, you don't really *need* to use crypto in email, the confidence level will be less, but to most people it is enough :)

-- 
With best regards,
Dmitri Minaev
Russian history blog: http://minaev.blogspot.com
Re: Web of Trust itself is the problem
On Fri, Jan 08, 2010 at 10:21:51AM -0600, Mario Castelán Castro wrote:
> Did you count the cities in the list, they are just 11 of thousands and thousands around the world; it helps of course, but very little.

You obviously didn't try to use the search box to find more cities.

-- 
Bob Holtzman
Key ID: 8D549279
If you think you're getting free lunch, check the price of the beer
Re: Web of Trust itself is the problem
On 07.01.2010, Mario Castelán Castro wrote:
> I think the WoT and in general the cryptography is not widely used because few people really care about their privacy.

I think the overall stats for people using cryptography is that low because it is or seems too complicated for them. A lot of people in the world do not even know how to install Windows, and a whole lot of people even can't install programs on their computers properly. This is not meant in a discriminating way at all, this is the real life.

Personally I think a lot of people care about privacy, but are just not able and/or frightened to install something complex on their machines.
Re: Web of Trust itself is the problem
On Thu, 07 Jan 2010 09:36:26 +, makrober wrote:
> G/PGP isn't widely used because it does not address adequately the real-life operational circumstances of the potential user, and

I still believe that OpenPGP along with PGP 2.1 is the most used data protection scheme for plain data and email. We don't have any hard facts except for problem reports we have seen over more than a decade. There must be a reason why OpenPGP applications are even sold for mainframes; they need to exchange data with Unix and PC users.

> On the other hand, WoT brings with it an immense problem for a large number of those that need to communicate in secrecy: it is providing an adversary with a traffic analysis tool that he can only wish for. To state - as those who promote the system in its

That is simply not true. The only fact you can read from the WoT is that two persons have met around some date. That is in most circumstances not a secret fact; you merely have to look at the list of attendees of conferences. The WoT can give you only a clue if you have only a few signatures on your key.

You can get a better set of data for traffic analysis by monitoring the keyservers. However this has nothing to do with the WoT.

> Or - Web of Trust isn't the solution, Web of Trust is the problem. Consequently, a WoT improvement mechanism such as outlined in the presentation is, unfortunately, extremely unlikely to advance the adoption of g/pgp.

Until recently almost every mail client simply ignored the key validity and encrypted anyway. Yes, that is not as one should do it but it shows that the WoT is not really used. The majority of people don't care.

For example, my key is around for many years now and for quite some time it has been one of the top connected keys. Despite that I only recently could find a trust path to the keys used to sign the linux kernel. The Linux hackers obviously didn't care about getting involved into the WoT.

(I am not sure whether this is pro or contra to your statement ;-)

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
Re: Web of Trust itself is the problem
Thanks for your comments Werner;

Werner Koch wrote:
> On Thu, 07 Jan 2010 09:36:26 +, makrober wrote:
>> G/PGP isn't widely used because it does not address adequately the real-life operational circumstances of the potential user, and
>
> I still believe that OpenPGP along with PGP 2.1 is the most used data protection scheme for plain data and email.

Correct, but still there is no doubt that only a very small fraction of what I would call qualified e-mail is encrypted. (In this context, let's agree that qualified is mail between two parties that have a trust relationship and a real need for secrecy (from whatever adversary!) as opposed to those that would just encrypt the mail out of style or principle.)

We probably agree at least that the adoption of encryption in computer communication, both general and qualified communication is surprisingly low, and that it is worth examining why is this the case and what should or could be done to change that.

I offered one view of the reasons, but in the following I would also suggest what would be worth undertaking:

Using the excellent crypto-code base of GnuPG, a derivative public key encryption/decryption product with the following characteristics should be created:

1) it should be communication channel and protocol agnostic.

2) its operational components should be self-contained; i.e., it should assume it is running on a stand-alone computer. It should require no tight integration with the operating system of the computer it is running on.

4) until successfully decrypted, none of the data it operates on should be distinguishable from a random stream.

5) it assumes that someone or something outside of the system guarantees the authenticity of fingerprint of the public key of the corresponding party.

6) it can be both shell-driven and provide an API for the inclusion into a variety of software products that manage the variety of constantly evolving communication channels and protocols.

MacRober
Re: Web of Trust itself is the problem
> But the rest of the Why isn't [it] used is plain wrong. G/PGP isn't widely used because it does not address adequately the real-life operational circumstances of the potential user, and Web of Trust is the main culprit. It brings an enormous burden to the development and - consequently - to the daily use of the system. This burden is of such magnitude that it prevents all but technically very competent computer users from adopting the system. Yet it addresses the need that is present, I propose, only for a very minor segment of users: those that would like to communicate in secrecy but have not had a previous trusted relationship.

You're disregarding the other major use of the WoT, which is authentication.

-- 
Greg Sabino Mullane g...@turnstep.com
PGP Key: 0x14964AC8 201001070642
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
Re: Web of Trust itself is the problem
Greg Sabino Mullane wrote:
>> But the rest of the Why isn't [it] used is plain wrong. G/PGP isn't widely used because it does not address adequately the real-life operational circumstances of the potential user, and Web of Trust is the main culprit. It brings an enormous burden...
>
> You're disregarding the other major use of the WoT, which is authentication.

A public key communication system such as gnupg can have three, somewhat related but to the user very distinct purposes:

1) secrecy of communication

2) authentication of the public key of message recipient.

3) non-repudiation of the content by its sender.

To a cryptographer, all three may seem equally important. In practice, they are not: the first one is of extreme importance and can not be substituted by any means outside of the system. The second not only can be achieved by methods that operate in addition to or outside of the system, but it is, for various reasons I outlined before, sometimes (or perhaps even often?) desirable to do so. Finally, the third (I believe this is what you refer to above?) is, in practical terms, an extremely rare requirement when compared to the first one.

If the above is the case, making a system very hard to use because of secondary objectives which are either hardly ever of real use (non-repudiation) or likely/preferably achieved by other means better, can't be conducive to the wide adoption of such system.

MacRober
Re: Web of Trust itself is the problem
On 01/07/2010 04:36 AM, makrober wrote:
> *Most individuals will rarely, if ever, be motivated to communicate in secrecy with someone they don't already have a trusted relationship with*.

I beg to differ. anyone who has ever conducted online business has a strong incentive for communications secrecy with a remote party with whom they do not yet have a trusted relationship. At the very least, the transfer of payment credential information is something most people would prefer was only seen by the other party in the transaction. The fact that most online transactions like this happen through the world wide web these days, and not e-mail, is perhaps a reason that the WoT does not have wider adoption, since the WoT is not used for the www (yet -- some of us are working on that).

Online transactions are only one of many examples, but probably the one that people are most familiar with.

The WoT also provides a method to handle situations like key loss or revocation, and subsequent new keys without forcing the keyholder to meet up in-person (or otherwise secured out-of-band) with every one of their contacts.

Why is this all relevant? There are good reasons why you might be interested in knowing that someone specific signed something public, of course (e.g. software signatures, advice on mailing lists or other fora, etc). But for non-public communications: you *must* know who the remote endpoint is in order to have truly secret communications. Without that knowledge, you are communicating with an unknown party, so who are you keeping things secret from? secret communications with an unknown remote party over a trivially-compromised communications medium are anything but secret.

--dkg
Re: Web of Trust itself is the problem
On 01/07/2010 09:45 AM, Daniel Kahn Gillmor wrote:
> Why is this all relevant? There are good reasons why you might be interested in knowing that someone specific signed something public, of course (e.g. software signatures, advice on mailing lists or other fora, etc). But for non-public communications: you *must* know who the remote endpoint is in order to have truly secret communications. Without that knowledge, you are communicating with an unknown party, so who are you keeping things secret from? secret communications with an unknown remote party over a trivially-compromised communications medium are anything but secret.

They’re only unknown the first time you contact them. It is useful to know that the second time you contact f...@example.com it’s the same party you contacted the first time. Or that the phishing email you received from b...@example.com didn’t actually come from the same party you corresponded with last week.

Many people have correspondence with people they never have and never will meet in person, and knowing that it’s always the same person is still helpful.

-Alex Mauer “hawke”
Re: Web of Trust itself is the problem
On 01/07/2010 11:50 AM, Alex Mauer wrote:
> Many people have correspondence with people they never have and never will meet in person, and knowing that it’s always the same person is still helpful.

agreed, key continuity checking is itself a useful tool, and maybe more OpenPGP implementations should provide ways to facilitate that for keys that *aren't* well-bound to the Web of Trust by the user's current trust database.

Key continuity checking doesn't solve the problem of initial contact, though. And it doesn't cope well with re-keying in the event of a compromise. So having functional, cryptographically-valid infrastructure available to handle those important cases is a good thing.

--dkg
Re: Web of Trust itself is the problem
On 1/7/10 12:08 PM, Mario Castelán Castro wrote:
> very few really care about their privacy.

The fact that free credit reporting services are making a ton of money, as are services like LifeLock and whatnot, plus the huge media impact of identity theft, etc., all points to people knowing their privacy is at risk and feeling stressed out about it.

However, most people lack the skills necessary to do anything about their privacy, and lack the inclination (time, energy, or even self-confidence) to do anything about their lack of skills.
Re: Web of Trust itself is the problem
On Thu, 07 Jan 2010 10:50:35 -0600, Alex Mauer wrote:
> They’re only unknown the first time you contact them. It is useful to know that the second time you contact f...@example.com it’s the same party you contacted the first time. Or that the phishing email you

MUA authors should really add a feature supporting this. In particular storing the fingerprint of a key in the address book. We are talking about this for years but to my knowledge it has never been implemented.

Salam-Shalom,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
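The address-book idea in the message above, together with the key continuity limits raised earlier in the thread (first contact and re-keying), sketched as an added example; it is not code from any poster or from GnuPG. It assumes the MUA reads GnuPG's `--status-fd` output and takes the fingerprint from the `VALIDSIG` line; the `AddressBook` and `Continuity` names, the fingerprints and the status lines are constructed for illustration.

```python
import re
from enum import Enum

FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # 40 hex digits, as for v4 keys


class Continuity(Enum):
    NO_VALID_SIGNATURE = "no valid signature, nothing to compare"
    FIRST_CONTACT = "first contact: fingerprint stored, identity NOT verified"
    SAME_KEY = "same key as in earlier correspondence"
    KEY_CHANGED = "different key: re-key or impersonation, verify out of band"


def normalize_fpr(text: str) -> str:
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not FPR_RE.match(fpr):
        raise ValueError(f"not a 40-digit hex fingerprint: {text!r}")
    return fpr


def fingerprint_from_status(status: str):
    """Return the primary-key fingerprint of a cryptographically valid
    signature, or None. Only VALIDSIG counts; BADSIG/ERRSIG yield None."""
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Tenth argument is the primary key fingerprint when present;
            # otherwise fall back to the signing key fingerprint.
            return normalize_fpr(parts[11] if len(parts) >= 12 else parts[2])
    return None


class AddressBook:
    """Hypothetical MUA address book that stores one fingerprint per address."""

    def __init__(self):
        self.pins = {}

    def check(self, sender: str, status: str) -> Continuity:
        fpr = fingerprint_from_status(status)
        if fpr is None:
            return Continuity.NO_VALID_SIGNATURE
        addr = sender.strip().lower()
        pinned = self.pins.get(addr)
        if pinned is None:
            self.pins[addr] = fpr          # continuity starts here, trust does not
            return Continuity.FIRST_CONTACT
        # A mismatch never overwrites the stored fingerprint automatically.
        return Continuity.SAME_KEY if pinned == fpr else Continuity.KEY_CHANGED

    def accept_new_key(self, sender: str, fpr: str) -> None:
        """Replace the stored fingerprint after the user has verified the new
        key some other way (in person, by phone, or via the Web of Trust)."""
        self.pins[sender.strip().lower()] = normalize_fpr(fpr)


def constructed_status(fpr: str) -> str:
    """Build a sample status block (constructed, not captured output)."""
    return (
        f"[GNUPG:] GOODSIG {fpr[-16:]} Alice (constructed) <alice@example.org>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2010-01-07 1262857200 0 4 0 1 2 00 {fpr}\n"
    )


KEY_A = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed
KEY_B = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"   # constructed
STATUS_KEY_A = constructed_status(KEY_A)
STATUS_KEY_B = constructed_status(KEY_B)
STATUS_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Alice (constructed) <alice@example.org>\n"

if __name__ == "__main__":
    book = AddressBook()
    for status in (STATUS_KEY_A, STATUS_KEY_A, STATUS_KEY_B, STATUS_BAD):
        print(book.check("alice@example.org", status).value)
```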
Re: Web of Trust itself is the problem
On Thu, Jan 07, 2010 at 12:23:55PM -0500, Robert J. Hansen wrote:
> On 1/7/10 12:08 PM, Mario Castelán Castro wrote:
>> very few really care about their privacy.
>
> The fact that free credit reporting services are making a ton of money, as are services like LifeLock and whatnot, plus the huge media impact of identity theft, etc., all points to people knowing their privacy is at risk and feeling stressed out about it.
>
> However, most people lack the skills necessary to do anything about their privacy, and lack the inclination (time, energy, or even self-confidence) to do anything about their lack of skills.

I think this hits way below the level of technology. We haven't been taught useful ways of thinking about our security and identity w.r.t. the world we now live in. When concepts like authentication and trust are seriously discussed in grade school (perhaps in smaller words :-) then we'll begin to build a society (as opposed to a few experts and enthusiasts) which is prepared to use these tools effectively.

As it is, few know *how* to care about their privacy.

-- 
Mark H. Wood, Lead System Programmer, enthusiast mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: Web of Trust itself is the problem
Mario Castelán Castro wrote:
> ...
> I think the WoT and in general the cryptography is not widely used because few people really care about their privacy.

I agree... one of my friends seems to think cryptography is useful for mafia and pedophiles. Other friends just say "interesting" and try to change the subject.

Best Regards