> Sorry. I've confused two issues. Yes, it is hard to enforce expiry
> dates in a 'secure' way. I wasn't meaning to suggest it was
> something openpgp should try to do. I don't think we should make it
> easy to ignore them, that's all.
Well, I still respectfully disagree, because -- oh, that's a rant. Then again, when has something being a rant ever stopped me? Okay: hang tight for some heresy.

I've been using PGP and GnuPG for over twenty years now, and in those twenty years I've reached only a handful of beliefs. I love the math because you don't need to believe math: the theorem either works or it doesn't. Belief is a harder thing, and because of that it's wise to be very careful before forming beliefs.

Here's my belief: anyone who advocates PGP/GnuPG, with or without supporting tools like Enigmail, to average end-users is committing professional malpractice. If they don't recognize they're doing it, they should take that as a sign they don't understand GnuPG/OpenPGP anywhere near as well as they think they do.

GnuPG is not a communications security solution. It is a communications security *toolbox*, and an incomplete toolbox at that. GnuPG provides mechanism and only mechanism. GnuPG does not provide policy, and precious few of the tools supporting GnuPG fill in that gap. Enigmail doesn't. GPA doesn't. Pretty much nothing does.

For that reason, recommending these tools to end-users is professional malpractice because end-users do not have the skills or experience to wisely determine policy. (I don't, either. If I were drafting policy I would need, at the least, assistance from HR [to tell me about human-factor concerns], Legal [to tell me about regulatory concerns], and IT [because they'd be the ones supporting the thing]. I doubt that anyone on this list, up to and including Werner, is capable of drafting a competent and effective policy for an entire organization on their own.)

Whew. That was a good beginning to a rant. Let me take a deep breath here...
Policy -- who signs what, whose certificates are trusted and why, whether persona certifications should carry different semantic meaning than generic certifications, whether signatures should carry expiration dates, whether those expiration dates should be respected -- is, in a word, *IMPORTANT*. Further, policy will vary from person to person to person and organization to organization. This is one of the reasons why the "should we use inline or PGP/MIME?" question will never be conclusively answered. That's not a technical question, it's a policy question that people insist on treating like a technical question. Technical questions have only one answer: policy questions can only truly be answered with a, "well, it depends..."

Here's something else about policy: putting together good policy is *HARD*. I've sat in on policy meetings before to provide technical advice, and let me tell you, I'd much rather be debugging Win32 binaries using gdb and a broken keyboard. Policy is driven by human factors as much as, or more than, by technical factors, and that means your average geek is completely adrift in this space.

Once you've got a usage policy, your next three questions become monitoring, remediation, and enforcement. How do you monitor usage to ensure it complies with policy? When something falls out of spec, what's the process to bring it back into spec? When you find who's responsible for it falling out of spec, what happens to them? These questions, too, get discussed and resolved in policy meetings.

So, put it all together and here's what you need, at a minimum, to effectively use GnuPG:

1. Cryptographic tools. GnuPG provides these.
2. Usage policy. You're on your own.
3. Monitoring policy. You're on your own.
4. Remediation policy. You're on your own.
5. Enforcement policy. You're on your own.

... So, yeah. Whenever I see someone talk about how "we need to improve GnuPG's adoption numbers!", I roll my eyes.
Invariably they talk about how we need to make GnuPG "easier to use". But that's not the problem and it's never been the problem. The problem is *policy*.

Werner has, IMO wisely, decided that GnuPG will not make policy for the user. I think that's the absolutely correct decision to make. GnuPG should not be telling me what my usage, monitoring, remediation or enforcement policies should be. But the total absence of policy has led to the vast majority of GnuPG users *not even knowing that it's absent*. As a result, we as a community drastically understate (or in many cases don't even state!) the difficulty, expense, and necessity of policy.

So, to tie all this back to your original remarks, Nicholas, I disagree that we need to do something about making it harder to encrypt to expired certificates. That's a policy decision, and as such it's outside the scope of GnuPG. But if you want to start waving the banner of, "POLICY! GET SOME!", well, the line starts behind me. :)

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
