> On 09.04.2017 at 20:30, Doug Barton <dougb@dougbarton.email> wrote:
> 
> On 04/09/2017 11:01 AM, Mike Gerwitz wrote:
>> If I know a threat exists, I'm going to evaluate my threat model and
>> decide whether or not it is worth my time to mitigate it; whether I can
>> hope to mitigate it; and whether attempting to do so is going to put me
>> at even more risk for some other threat.
> 
> You and Rainer have gone on at great length about the part of the threat 
> model equation dealing with the attacker. However, you don't seem to take 
> into account the other part of the equation, what you are protecting.
> 
> The overwhelming number of PGP users simply use it because it's cool. They 
> don't have anything approaching significant secrets to protect, it's just fun 
> to do cryptography. There is nothing wrong with that, in and of itself. 
> (Note, I acknowledge that there are people for whom signatures and encryption 
> actually matter.)
> 
> There is not even anything wrong with the idea that using smart cards, 
> air-gapped computers, detached signing subkeys, etc. *can* be part of that 
> fun. The concern is that when folks tell the new users that they are 
> *required*, that becomes problematic for a couple of reasons. First, it gives 
> a false impression of how secure the "basic" version of GnuPG is in the first 
> place. Perhaps more importantly, it places a much higher barrier to entry for 
> new users; for no measurable ROI.
> 
> So if folks want to imagine that you live in a Bond film, and that SPECTRE is 
> out to get you, so be it. I don't begrudge you that fantasy. But when it 
> comes to offering advice to new users, please be realistic about what they 
> are actually going to benefit from.

I know of PGP-based WoT used in security-aware networks of sysadmins, CERTs 
etc. I would have guessed that a significant part of the audience of this list 
are professional/experienced/involved admins or developers. But let me know why 
the majority of users are not.

- Rainer


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
