On 08/11/15 13:41, Joseph Gentle wrote:
> On Sun, Nov 8, 2015 at 7:45 PM, oshwm <[email protected]> wrote:
>> On 08/11/15 08:40, Peter Gutmann wrote:
>>> oshwm <[email protected]> writes:
>>>
>>>> Can GPG be easier to use, I think so, is it too difficult to use by ordinary
>>>> people - no, they're just too fucking lazy and lack motivation.
>>>
>>> ... and this is pretty much the poster child for why we have so much unusable
>>> crypto today.
>>>
>>
>> Or, why we have such a fucking retarded human race with the attention
>> span of a gnat who expect everything to be given to them on a plate.
>> People have to stop being lazy and start taking an interest and
>> responsibility for what goes on in the world around them - your point of
>> view reinforces the dumbing down of the population and the increase in
>> power of the Government and big Corps.
>
> Even if that's all true, it's still also true that nobody is using PGP.
> It's easier to make a slick UI than convince people to do work. Is it
> so much to ask that people who make software try to make life easy for
> their users?
>

Slick UI would be cool, just a shame that's being used as an excuse by
ppl who can't be arsed to do a bit of work.
What's the excuse once it has a nice UI?
As for nobody is using PGP, I think that may be a little overstated -
what you mean is nobody who doesn't give a fuck about privacy is using it.

> For all your talk of doing hard work oshwm, it looks like you only
> created that PGP key yesterday:
> $ gpg --list-packets signature.asc
> hashed subpkt 2 len 4 (sig created 2015-11-08)

[...]

except the key has been around for quite some time, I did re-sync with
the sks servers yesterday.

>
> And as far as I can tell it hasn't been signed by anyone. At least I
> think so - after 15 minutes fighting with gpg I still can't find your
> actual key and I ran out of care.
>

No, it hasn't been signed by anyone as I don't have any friends in real
life who give two shits about security as I mix with non-techies offline.
This is not a difficulty issue, I can't even begin to talk about
encryption with them without them changing the issue to great subjects
such as what was on telly last night.

> ... Which leads me into my second point, which is that here in 2015
> PGP is a terrible technical solution. It doesn't encrypt metadata
> (which is a non-starter these days - who you communicate with is some
> of the *most* valuable personal data for the NSA). It also leaks
> information about who signed your key. That means either:
>

Oh yeh, some bright spark came up with STARTTLS for encrypting comms with
mail servers but made it optional, not a GPG issue.
However, the metadata issue is a big problem for everyone who connects to a
server that isn't owned by them and I suspect really requires a new mail
protocol to resolve.

> - Your key gets signed by your friends, so now your friend network is public
> or
> - Emails with PGP are provably from you, in a way that can be traced
> back to physically witnessed government ID.
>

1) friend network - can't be avoided if you want a system for vouching
for email sender authenticity.
2) That's part of what PGP is about - sender authenticity. My PGP is not
attached to a Gov Issued ID.

> ... Or both! Personally I would rather the possibility of forgery than
> either of those outcomes.
>
> -J
>
signature.asc
Description: OpenPGP digital signature
