Re: pgp signing in van

On Thu, Sep 5, 2013 at 8:45 PM, Randy Bush <randy@xxxxxxx> wrote:
so, it might be a good idea to hold a pgp signing party in van.  but
there are interesting issues in doing so.  we have done lots of parties
so have the social protocols and n00b cheat sheets.  but that is the
trivial tip of the iceberg.

  o is pgp compromised?  just because it is not listed in [0] is not
    very strong assurance in these dark days.

  o what are the hashes of audited software, and who did the audits?

  o what are the recommended algs/digest/keylen parameters?

  o do we really need elliptical, or is that a poison pill?

  o your questions go here ...


I think our problems now go a lot further. The NSA is allegedly spending $250 million a year infiltrating vendors and standards bodies. They have also been pretty aggressive in hiring IETF folk for various consulting contracts. 

The big risk I see here is that there is a lot of finger pointing and every bad decision that was made in the past that delayed the deployment of strong crypto is now considered prima facie evidence of being a mole.

Not being a US citizen I see no reason to allow the NSA a backdoor in anything I do. But looking at the carelessness and incompetence with which they have guarded their own secrets I would not be anxious to allow them access to mine even if I was a US citizen.


Seriously, this type of activity is an attack on the trust that is necessary for collaboration. I doubt that the people who design and deploy these programs had the slightest understanding of or concern for the costs or consequences of their actions.

--
Website: http://hallambaker.com/
