On 07/23/2009 01:23 PM, Udo Puetz:
I'll combine my answer to this post and the ones below here. PGP/GPG has it's "web of trust". You say in the other post "the client software would still have to find a path to a trusted CA for PGP keys - something which doesn't quite exist.". A web with few points (i.e. users) is not good, I concur. That's why more users would be good. I think there is a fundamental question that needs to be answered by everyone themselves: do you think that it's better to implement something proper and "with all features" directly from the start and maybe shy away people because it's difficult to use or do you implement something very easy to use, build up a big following/user base and then deal with inconsistencies/unclean implementations.
That's not how I understand security.
In other words: is it better to use a little more security easily or proper security hard to master?
What is a little more security? Something which gives you a warm fuzzy feeling, worth exactly nothing? I don't have the time to explain all disadvantages of PGP, but I believe that a web-of-trust with no oversight and no boot-strapping and no revocation method is just security theater. That security works until you receive an email signed by PGP key and counter-signed by another 15 people from Steve Balmer confirming that you won in the Microsoft award lottery 45 million dollars and all you have to do is transfer 1495 dollars by Western Union to me.
My opinion is this: the web of trust is not the safest system I can thing of - but with key exchanges with friends over the phone and key signing parties at conferences the whole thing becomes more and more safe.
Would you call verifying keys over the phone something which will go mainstream? Is it convenient? I remember from your previous messages that you were looking for something which could be used by the masses. Do you really think that's the way to go?
Whereas I haven't managed to import the bloody p12 cert of the co- worker (see above).
Which was a technical problem - if at all. That's a different matter altogether than what we've discussed above.
My conclusion from this is: better use the small part than nothing at all.
Nope, you are doing your users a disservice by giving them the false sense of security. In the case of PGP it's certainly not something for the masses.
-- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
