On 01/08/12 23:05, Robert J. Hansen - r...@sixdemonbag.org wrote:
> By itself, GnuPG is useless. [...and more, much more, on steep learning curves and cargo-cult security].

I happen to agree with most of what was written in your lengthy exposé. But you omit one important problem: a program like gpg is deployed, 99% of the time, with no user-specific threat analysis. This means that it must answer all conceivable threats, which in turn makes it so hard to use that its adoption rate is, well, what it is.

You are very rigorous in your views on the subject. Consequently (at least as I read your text) you reject the most damaging canon of the contemporary "computer security industry", the one that demands no knowledge, no conceptual understanding and no discipline on the part of the end user - it all has to be solved for him by the software. For this I applaud you.

However, I would add one more thing as necessary for successful use of any security software: *user-specific threat analysis*. Without it, gpg - or any other piece of software - is indeed not much different from that plane mock-up in New Guinea.

If such threat analysis was done more frequently than appears to be the case, perhaps we would end up with specific tools, ones that do not attempt to cover all conceivable threats but address only threats specific to some segment of user population. What they would lose in the width of applicability they would gain in simplicity in code and simplicity in use - both extremely desirable security software characteristics.

This was precisely the process that led to my post that this discussion is an offshoot of. In other words, users from that original thread certainly didn't "have a great idea that will allow people to keep secure against dedicated, serious adversaries while requiring very little training or knowledge on the part of the user". They have performed a very thorough threat analysis of *their circumstances*, and are looking for either an existing software or possibility of constructing a new one, that would be best suited to *their threat model*.

Peter M.