Re: PGP signatures.

On Fri, 2008-05-30 at 11:46 -0430, Patrick O'Callaghan wrote:
> It's a basic fact of life that crypto software is complicated for
> users, and there appear to be fairly fundamental reasons why this is
> so (see "Why Johnny Can't Encrypt", an interesting paper by a group of
> Stanford researchers from a few years ago). 

I've had to set up PGP/GPG for someone, yonks ago, because comprehending
any of it was going to be completely beyond them.  But we had to be able
to exchange some information confidentially, so there was no avoiding
using it.  Eventually I managed by setting it all up for them, and we were
able to get to the point where I only had to give telephone help for the
steps to encrypt or decrypt mail (enter passphrase, which passphrase it
was they had to use, which options they had to pick to encrypt, etc.),
but I don't think it was ever going to get to the stage of them being
able to use it all by themselves.

It would have helped if Evolution, for instance, allowed you to set an
option in the address book to always encrypt for this person, rather
than requiring the user to do an encrypt action choice for every email.
I've had that option in other clients.  That'd help against accidentally
sending things in the clear, at the very least.

One thing that struck me as being particularly painful, since it was email
that we were talking about, was the inability to give someone your
public key in some way through your mail program.  Yes, I know that's
not a brilliantly safe way to set things up.  But with two PCs next to
each other on a LAN, that would have been safe and an easy way to do it.

You had to use the gpg program, separately, to publish your key, or
create it as a file.  The "mail and encryption are separate things"
issue is difficult for many to comprehend, and that's just another thing
that will discourage many from using it.

Various gpg programs are geared towards using public keyservers as about
the only way to exchange keys (or the only obvious way to do it), but
that may not be desirable for some.  It certainly isn't for me, as I've
found using them to be a guaranteed method for receiving spam.  Even
more so than having your e-mail address on your website, completely
unmunged.

As I mentioned earlier, someone's obviously monitoring some keyservers,
and harvesting addresses from them.  Adding another address to the
public key instantly results in that address being included in the next
volley of spam.  Peculiarly, removing some addresses from the key had a
similar effect (no more spam being received at those addresses).  I
didn't expect that to happen.

The keyserver I used was:  hkp://subkeys.pgp.net  Though I'm inclined to
suspect the harvesting is not that server, in itself.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.




-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
