Re: Trust and distrust [was: Re: Google releases beta OpenPGP code]

2014-06-09 Thread tim
 some ideas that would help a distrustful person such as myself before 
addressing your mistrust question ---

I wish that there was a standard API for low level encryption JS libraries.
Not only so that I could swap them in OpenPGPJS on a whim. But so that I could 
also swap them in my code as well, without writing the glue. 

I wish there was a standard for the random number generators. So that I could 
easily swap out, and ALSO, use a fake number generator to test that different 
implementations of PGP create *exactly* the same results.

I then wish there was a standard API for PGP. 
So that when the google code comes out I could swap as I wish. Test one against 
the other. Use the fake number generator and fake timestamps to verify that 
the resulting output is *exactly* the same in hundreds of test cases.


And then code coverage. I wish there were statistics published about code 
coverage.
If there is 100% code coverage and the output of two PGP implementations is the 
same. It gives me a much higher "I trust this code doesn't have an insert 
somewhere", than just "well the results were the same for the test cases I 
have".

Swapping + code-coverage + exactly same results + disparate code bases with 
maintainers who don't look at the other code base (and possibly distrust the 
other coding group) = more trust from me.


--- begin response to distrust, which I've tried not to make emotionally baited, 
but really I would just ignore this section ---

I'm not exactly sure if this list is an appropriate place for me to state my 
reasons for distrusting google.

Find the congressional testimony by google about what they were doing in china, 
especially the auto censoring. That was my moment where I realized the google 
that I had hoped for had nothing to do with the google it transformed into.

In terms of just plain security. 
I will say that I also do not trust OpenPGPJs. But in a different way. After 
that china testimony I didn't trust google to put people before governments. 
And unfortunately I feel as if my fears have been proven correct. Since google 
controls chrome-- a plugin by google designed to thwart google, running within 
google's chrome?? U.. Not sure...

If I were an adversary that could force google to do something I wanted, I 
would make them take screenshots of anybody using this plugin, and send them to 
me.

-tim


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
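
The byte-for-byte comparison under a fake random number generator that tim's message asks for, as an added example that is not part of the thread and is not OpenPGP.js or End-to-End code: two independently written padders for EME-PKCS1-v1_5 (the padding OpenPGP applies to RSA-encrypted session keys) are fed the same scripted byte stream. All function names and input values are constructed for illustration.

```javascript
// EME-PKCS1-v1_5 layout: 0x00 0x02 PS(nonzero random bytes) 0x00 M, k bytes total.

// Test-only fake RNG: replays a fixed byte script so every run is identical.
function fakeRng(script) {
  let i = 0;
  return (n) => Uint8Array.from({ length: n }, () => script[i++ % script.length]);
}

// Implementation A: draws one byte at a time and rejects zeros.
function padA(msg, k, rng) {
  const out = new Uint8Array(k);   // out[0] is already 0x00
  const sep = k - msg.length - 1;  // index of the 0x00 separator
  out[1] = 0x02;
  for (let p = 2; p < sep; ) {
    const b = rng(1)[0];
    if (b !== 0) out[p++] = b;
  }
  out.set(msg, sep + 1);
  return out;
}

// Implementation B: structured differently, draws in bulk and refills after dropping zeros.
function padB(msg, k, rng) {
  const psLen = k - msg.length - 3;
  let ps = [];
  while (ps.length < psLen) {
    ps = ps.concat([...rng(psLen - ps.length)].filter((b) => b !== 0));
  }
  return Uint8Array.from([0x00, 0x02, ...ps, 0x00, ...msg]);
}

// Defective variant: maps a zero byte to 0x01 instead of redrawing (biased padding).
function padBiased(msg, k, rng) {
  const ps = [...rng(k - msg.length - 3)].map((b) => b || 0x01);
  return Uint8Array.from([0x00, 0x02, ...ps, 0x00, ...msg]);
}

// Feed both implementations the same fake stream; first differing index, or -1 if identical.
function firstDivergence(implX, implY, msg, k, script) {
  const x = implX(msg, k, fakeRng(script));
  const y = implY(msg, k, fakeRng(script));
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) if (x[i] !== y[i]) return i;
  return -1;
}

// Constructed inputs: a 4-byte stand-in for a session key and two RNG scripts.
const MSG = Uint8Array.from([0xde, 0xad, 0xbe, 0xef]);
const NO_ZEROS = [0x11, 0x22, 0x33, 0x44, 0x55];
const WITH_ZEROS = [0x11, 0x00, 0x22, 0x00, 0x33];
```

The defective variant agrees with implementation A until the scripted stream contains a zero byte, which is why identical output only carries weight alongside coverage of the branches involved.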


Trust and distrust [was: Re: Google releases beta OpenPGP code]

2014-06-08 Thread Leo Gaspard
On Sun, Jun 08, 2014 at 01:13:27PM -0400, t...@piratemail.se wrote:
> And personally, I do not trust google. Enough said in that regard. ;-)

Sorry to hijack this topic, but... Why would you trust the OpenPGP.js
developers?

At least, you can hold google as accountable for their actions. You cannot for
them: perhaps they do not even physically exist, and are just nameholders for a
three-letter-agency project, willingly introducing backdoors in this project.
Maybe they just fixed the bugs you reported because it made them look less
conspicuous.

"Maybe" will bring us all very far away.

What's great about open source is that you do not at all have to trust the
maintainer of a project. You only have to trust the project -- and by this I
mean the fact that at least a developer will have noticed the flaw. I may even
distrust Werner, and yet use gpg -- if e.g. I trust another gnupg developer.

And even this trust is not strictly required: you can always inspect the source
code all by yourself.

Sure, this model of "trust the community" is far from perfect, heartbleed being
the latest proof of that. But it is better than "trust the maintainer", who is
always part of the community.

And what's great about google's project is that they are quite likely to be
highly audited: if anyone found a willingly placed security flaw in google's
end-to-end library, it would mean a lot of prestige.

So, even if I trusted google less than OpenPGP.js developers [and who tells us
these developers are not disguised google agents?], I would likely, after a
period during which security experts will have had their time with this new
library, trust it more than OpenPGP.js.

Despite the fact that it might have a backdoor while the other does not. Because
the opposite is even more likely.

Cheers,

Leo
