On 8/16/2014 1:14 PM, Kristy Chambers wrote: > Sorry for that crap subject. I just want to leave this.
Meh. Color me unimpressed. * "PGP keys suck." No, asymmetric key infrastructure sucks in general. OpenPGP provides no infrastructure, only tools with which to build infrastructure. If your organization doesn't build its infrastructure, that's not OpenPGP's fault. * "PGP key management sucks." Sigh. Ditto. * "No forward secrecy." Not everyone needs PFS, and frankly, obsession with PFS is one of those things I really wish people would grow out of. Before complaining about what OpenPGP needs or where it's lacking, try looking at where OpenPGP has been broken in the real world. Hint: PFS ain't a panacea. * "The OpenPGP format and defaults suck." Good Lord, no. As Jon Callas pointed out recently on the OpenPGP working group list, there's a big difference between what the standard *requires* and what implementations are encouraged to *use*. Most implementations have moved far beyond minimal conformance with the standard. The standard exists so that there is a common minimal core that all clients can conform to: the reality is the two biggest players (PGP and GnuPG) both go *far* beyond the defaults. * "Terrible mail client implementations." Again, unimpressed. Consider his criticism that most OpenPGP-enabled mail clients store passphrases in memory for longer than he'd like. Well, one, this is easily configurable via gpg-agent, and two, *so what*? If an attacker is in a position where he or she can read arbitrary memory locations on your PC, you're completely screwed anyway and there's nothing OpenPGP can do to help you. * "So what should we be doing?" I'd start by ignoring the recommendations. Do your own homework on where OpenPGP fails and how, and start thinking about how to fix those. The author falls into the trap of knowing how to fix A, B, and C, and so he wants to fix A, B, and C, without realizing the real problems are X, Y and Z. OpenPGP's biggest problem, BTW, which goes *completely unmentioned* in this blogpost: OpenPGP can't protect your metadata, and that turns out to often be higher-value content than your emails themselves are. Further, exposed metadata is inherent to SMTP, which means this problem is going to be absolutely devilish to fix.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
