Grant's reply also got quarantined by Googoo. [sigh]
Nice detailed reply, Grant!

> I chose to use S/MIME in lieu of PGP / GPG because S/MIME support
> has been in email clients going back to the late '90s.  As such I found
> S/MIME to be FAR MORE TRANSPARENT than PGP / GPG ever was.

I concede.
And thankfully, *both* are supported in Thunderbird.
And when I differentiate PGP from S/MIME it's really for the sake of tackling one thing at a time.

> I just renewed my S/MIME cert a few weeks ago.

I'll split the thread on this point (in another note) because I really want to hear more about that.

> I've found that a number of people in the circles that I travel in think that
> (both) PGP/GPG (and S/MIME) are outdated and are more of a risk than a reward.
> Sadly when I ask these people what to use in place thereof for non-real-time communications
> (read: email) they don't have an answer.  Instead they tell me to use some sort of
> real time communications and to make sure that it has Perfect Forward Security (PFS).

There are some logic flaws in their thinking.
Outdated? What makes something outdated? Just because a thing is old does not make it bad.

Waxing opinionated ... the concept of planned obsolescence is pervasive in Western society. It's arguable that it only helps *providers* and does not help consumers nor the system as a whole. (See Bernard London, also AP Sloan, Jr., and others.) It's arguable that key/cert expiration benefits pay-for CAs more than the Internet or the users. (We should come back to this later. Another thread fork?)

PFS is one of the current buzzwords that gets thrown around.
As a CISSP, I can tell you that these things cannot on their own fix all the problems we have with security and privacy. Cryptography is not like fairy dust we can sprinkle into our apps and suddenly they're safe. (My tone is not directed at Grant, but at the wrong-headed thinking of self-appointed security experts.)

> I find the web-of-trust (WoT) to be problematic.
> The circles that I travel in never got past -- what I call -- the priming /
> boot strap problem.  We never had a sufficient WoT to be of any effective use.

> Conversely, the PKI model is not mutually exclusive to the WoT model.
> Friends and I have exchanged personal root certificates to allow us to
> trust each other's systems. Thereby making each of us effectively one
> more root CA in each other's PKI. --  The more recent iterations of
> this have been with constraints to only allow signing of our own domain(s).

Cool!
You established your own web-of-trust with colleagues sharing your root certs.
You did with PKI what others have done with PGP. I also run my own CA.

As we establish a little trust circle here, we should include both PKI trust anchors and PGP trust anchors.
But one thing at a time.

As for my "now" and "much easier", I'm saying this based on direct observation of a friend. A certain buddy in Texas was looking for crypto solutions, even cooking up his own, and would never use PGP no matter how I talked it up. When Thunderbird included OpenPGP, suddenly my friend decided it was usable. (And PGP had already been built-into other email clients for several years. But not Outlook. And up until circa 2020, not TBird either.)
This is just to say where my verbiage stems from.
Great observations, Grant. Thanks.

-- R; <><


On 12/6/23 11:59, Grant Taylor wrote:
On 12/5/23 12:19, Rick Troth wrote:
That's cryptoGRAPHY, not to be konfoozed with cryptoCURRENCY.

Chuckle.

Any of you using Thunderbird?

Yes, for now.

And if so, are you using the (now) built-in PGP support?

I've poked it a few times, but I don't do much at all with PGP encrypted
/ signed email.

Conversely, I (normally) use S/MIME for encrypted / signed email.

I chose to use S/MIME in lieu of PGP / GPG because S/MIME support has
been in email clients going back to the late '90s.  As such I found
S/MIME to be FAR MORE TRANSPARENT than PGP / GPG ever was.

I'm on a new install and I've not yet set up S/MIME.  But I've got
S/MIME configured on all my other devices, including my iPhone and iPad.

I just renewed my S/MIME cert a few weeks ago.

... but I then wondered about the rest of the group. So I must ask.

I have made extensive use of GPG(2) to provide encrypted file storage on
my system.  Some files hold passwords, other files hold notes. I've
renewed that GPG key set many times over the last decade.

I've been a user of, and a fan of, and a promoter of, PGP for many
years.

I have too.  Just not for email.

There are lots of tools now for security and privacy, and a
handful of trust webs supporting them.

I've found that a number of people in the circles that I travel in think
that (both) PGP/GPG (and S/MIME) are outdated and are more of a risk
than a reward.  Sadly when I ask these people what to use in place
thereof for non-real-time communications (read: email) they don't have
an answer.  Instead they tell me to use some sort of real time
communications and to make sure that it has Perfect Forward Security (PFS).

Usually they point me at some other contemporary options that will sign
things, but not that will encrypt things.

The PGP "web of trust" is the
most important because it is peer-to-peer. Not to slam the PKI model,
but it has drawbacks when used at the lowest level. I could discuss, but
let's do so in a separate thread.

I find the web-of-trust (WoT) to be problematic.  The circles that I
travel in never got past -- what I call -- the priming / boot strap
problem.  We never had a sufficient WoT to be of any effective use.

Conversely, the PKI model is not mutually exclusive to the WoT model.
Friends and I have exchanged personal root certificates to allow us to
trust each other's systems.  Thereby making each of us effectively one
more root CA in each other's PKI.  --  The more recent iterations of
this have been with constraints to only allow signing of our own domain(s).

And don't forget that if you're running Linux, you ALREADY HAVE PGP in
house, even if you don't know the value.

I want to agree with you.

But I've used too many Linux installations that don't have PGP / GPG(2).
 Even contemporary installations.

I agree that GPG /should/ be on contemporary Linux installations. But I
will most definitely not hold my breath for it to be there.

The downside to PGP is its upside. Being peer-to-peer it doesn't scale
well in large environments (enterprise, gov/mil, consumer). As a result,
it has always been kind of a side-show. But then, it's a standard part
of Linux. And now with OpenPGP built-into Thunderbird (and other email
clients, from way before TB), it's much much easier to start using it,
and then shortly to get into the web of trust.

Your "now" and "much easier" seems to parrot what I've been saying about
S/MIME.  S/MIME has been built in to every fat GUI email client that
I've used for the last 25 years.  PGP / GPG support hasn't been able to
claim that for more than 5 years.

IMHO the mobile scene is even worse for PGP/GPG.  Again, S/MIME has had
better support integrated in the mobile scene.

So that's the question: are any of you using PGP via Thunderbird?

No, I'm not using GPG via Thunderbird.

(Or using PGP at all?)

Yes, I am using GPG.  (Just not for email.)

I'd like to hear from you. Maybe converse with
myself and our unnamed colleague.

#canYouHearMeNow?



--
Grant. . . .

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390




Attachment: OpenPGP_signature
Description: OpenPGP digital signature
