Re: PGP signatures.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tim wrote:
On Fri, 2008-05-30 at 11:46 -0430, Patrick O'Callaghan wrote:
It's a basic fact of life that crypto software is complicated for
users, and there appear to be fairly fundamental reasons why this is
so (see "Why Johnny Can't Encrypt", an interesting paper by a group of
Stanford researchers from a few years ago).

I've had to set up PGP/GPG for someone, yonks ago, because comprehending
any of it was going to be completely beyond them.  But we had to be able
to exchange some information confidentially, so there was no avoiding
using it.  Eventually I managed by setting it all up for them, and were
able get to the point where I only had to give telephone help for the
steps to encrypt or decrypt mail (enter passphrase, which passphrase it
was they had to use, which options they had to pick to encrypt, etc.),
but I don't think it was ever going to get to the stage of them being
able to use it all by themselves.

It would have helped if Evolution, for instance, allowed you to set an
option in the address book to always encrypt for this person, rather
than requiring the user to do an encrypt action choice for every email.
I've had that option in other clients.  That'd help against accidentally
sending things in the clear, at the very least.

If you install the Enigmail plugin in ThunderBird, you can configure rules to control encryption options for specific e-mail addresses. It defaults to asking you what to do when it gets an address that does not match any of its rules. (It is all check boxes and drop-down options.)

One thing that struck as being particularly painful, since it was email
that we were talking about, was the inability to give someone your
public key in some way through your mail program.  Yes, I know that's
not a brilliantly safe way to set things up.  But with two PCs next to
each other on a LAN, that would have been safe and an easy to do it.

The key management option will let you create a key pair, publish a key, get a key from a key server, and import/export a key. For sending keys through the mail, even pgp offered the option to export your public key as an ASCII armored text file that you could include inside the message, or as an attachment. You can then import the key from that file. It is also handy if you want to publish your public key on a web page.

Sending/receiving a key using e-mail is not really a security risk if you have a second method of communication so that you can verify that the key is really from you. (Compare the key fingerprints.) You do not need to protect your public key - just make sure the key he gets is really your public key.

You had to use the gpg program, separately, to publish your key, or
create it as a file.  The "mail and encryption are separate things"
issue is difficult for many to comprehend, and that's just another thing
that will discourage many from using it.

Various gpg programs are geared towards using public keyservers as about
the only way to exchange keys (or the only obvious way to do it), but
that may not be desireable for some.  It certainly isn't for me, as I've
found using them to be a guaranteed method for receiving spam.  Even
more so than having your e-mail address on your website, completely
unmunged.

The GUIs and mail integration has improved drastically from when you had to do everything from the command line. But it was not that hard to create scripts to handle common tasks. For your friend you were exchanging mail with, something like "encrypt <file>" and "decrypt <file>" would probably been enough. Or just encrypt and decrypt if you used the same file names all the time.

As I mentioned earlier, someone's obviously monitoring some keyservers,
and harvesting addresses from them.  Adding another address to the
public key instantly results in that address being included in the next
volley of spam.  Peculiarly, removing some addresses from the key had a
similar effect (no more spam being received at those addresses).  I
didn't expect that to happen.

The keyserver I used was:  hkp://subkeys.pgp.net  Though I'm inclined to
suspect the harvesting is not that server, in itself.

The keyservers share the key information, so it is hard to say what key server is being monitored. I would not think it would be a good source of addresses to SPAM... But I have seen addresses harvested from places like the Postfix support list. LOL

Mikkel
--

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux