On 4/2/17 1:20 PM, Doug Barton wrote:
> Some answers below, and you've already received some good answers, but
> I have some more fundamental questions. :)
>
> First, and an important question for security-related stuff generally,
> what is your threat model? In other words, what dangers are you
> guarding against by using PGP? You mention evangelizing your key, and
> asking how to get more people to use PGP with you. Those are
> reasonable questions, but the first is the most important.
>

Doug, interesting term "threat model". I've seen it a few times and wasn't sure what it meant. Thanks for the simplified explanation. It's a piece of technical jargon that is part of the difficulty I saw with learning the OpenPGP terrain. While security folks probably dig the lingo, for the lay person, it's, well, interesting...

I perceive my threat model as being 1) a risk that someone other than my intended recipient will gain access to information that I am sending to my intended recipient, and 2) a risk that someone other than me will gain access to information that I want only to be accessible to me. I envision the solution, based on my understanding of available (affordable) technologies, as being 1) a secure method of transmitting information asynchronously over public media and 2) a method of encrypting information on local storage media.

As you can see above, my threat model is neither comprehensive, nor is it fully informed. But it's pretty much the same story for a lot of folks. I have learned over the past several weeks that key management is potentially a vulnerable point... I kind of suspected this, but after hanging out in IRC for a bit and Tor, I'm kinda freaked out that it's a more widespread problem than most folks realize - trojans are everywhere :).

> If you simply want a secure way to communicate with people that you
> know without others being able to snoop on the conversation, there are
> other, arguably better, and certainly easier, solutions. PGP has its
> use cases, but unless we know why you want to use it, it's nearly
> impossible to give you good advice.
>
> More below.
>
> On 04/01/2017 07:10 AM, Will Senn wrote:
>
>> 3. I've read
>> https://superuser.com/questions/466396/how-to-manage-gpg-keys-across-multiple-systems
>>
>> and other such pieces proclaiming the value of having the master key in
>> a safe place and having subkeys on your actual devices.
>
> What do you think a master key is, and why do you think it's important
> to protect it? What kind of devices do you want to put signing subkeys
> on? Why do you think that your use of PGP will be more secure if you
> have a signing subkey on a device, instead of your "main key?"
>

Neal pretty much spelled out a reasonable answer to these questions, but I'm not having much luck signing with subkeys, so I'm not convinced this is worth the headache and increased complexity of key management.

>> 4. Is it safe to refer to my public key/fingerprint information as I did
>> in the previous question with output from gpg?
>
> In what way(s) do you think it could be unsafe?
>
> Doug
>

After some thought and additional input, I don't think it is unsafe. But I was curious if my slightly informed perspective would bear up to additional scrutiny.

Thanks,
Will
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
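The thread above discusses keeping the primary ("master") key offline and putting only subkeys on everyday devices, and Will mentions trouble signing with a subkey. A practical way to check whether a machine actually has that layout, and to build a gpg invocation that pins the signing subkey, is to read the machine-readable output of `gpg --list-secret-keys --with-colons --with-secret`. The script below is an added example, not code from the thread or from GnuPG; it parses a constructed sample listing (the key ids, fingerprints and dates are made up) and reports whether the primary secret key is a stub (`#` in field 15), which subkey would be used for signing, and the `--local-user FINGERPRINT!` argument that forces gpg to use exactly that subkey.

```python
"""Audit a GnuPG secret-key listing for the offline-primary / online-subkey layout.

Input format: `gpg --list-secret-keys --with-colons --with-secret`.
Relevant fields (1-based, per GnuPG's DETAILS file):
  field 1  record type: sec (primary), ssb (subkey), fpr (fingerprint of the previous key)
  field 5  key id
  field 12 capability letters: s=sign, e=encrypt, c=certify, a=auth
  field 15 "#" when only a stub is present (secret material is elsewhere), "+" when present
  field 10 (fpr records only) the full fingerprint
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample listing; every identifier below is made up for this example.
SAMPLE_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1490000000:::u:::cSC:::#:::23::0:
fpr:::::::::AAAA0000BBBB1111CCCC22220123456789ABCDEF:
uid:u::::1490000000::AABBCCDDEEFF00112233445566778899AABBCCDD::Will Senn <will@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1490000000::::::s:::+:::23:
fpr:::::::::DDDD3333EEEE4444FFFF5555FEDCBA9876543210:
ssb:u:2048:1:1122334455667788:1490000000::::::e:::+:::23:
fpr:::::::::ABCD1234ABCD1234ABCD12341122334455667788:
"""


@dataclass
class SecretKey:
    kind: str                 # "sec" (primary) or "ssb" (subkey)
    keyid: str
    caps: str                 # capability letters from field 12
    offline: bool             # True when field 15 is "#": this machine holds only a stub
    fingerprint: Optional[str] = None


@dataclass
class Keyring:
    primary: SecretKey
    subkeys: List[SecretKey] = field(default_factory=list)


def parse_secret_listing(text: str) -> List[Keyring]:
    """Group sec/ssb/fpr records into one Keyring per primary key."""
    rings: List[Keyring] = []
    pending: Optional[SecretKey] = None  # key whose fpr record is expected next
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            key = SecretKey(kind=f[0], keyid=f[4], caps=f[11],
                            offline=len(f) > 14 and f[14] == "#")
            if f[0] == "sec":
                rings.append(Keyring(primary=key))
            else:
                rings[-1].subkeys.append(key)
            pending = key
        elif f[0] == "fpr" and pending is not None:
            pending.fingerprint = f[9]
            pending = None
    return rings


def signing_subkey(ring: Keyring) -> Optional[SecretKey]:
    """First subkey with the sign capability whose secret material is on this machine."""
    for sk in ring.subkeys:
        if "s" in sk.caps.lower() and not sk.offline:
            return sk
    return None


def gpg_sign_args(ring: Keyring) -> List[str]:
    """Command line that forces gpg to sign with the subkey (the trailing '!' pins it)."""
    sk = signing_subkey(ring)
    if sk is None or sk.fingerprint is None:
        raise ValueError("no usable signing subkey with a fingerprint")
    return ["gpg", "--local-user", sk.fingerprint + "!", "--detach-sign"]


def audit(ring: Keyring) -> List[str]:
    """Return warnings where the keyring deviates from offline-primary / online-subkeys."""
    warnings: List[str] = []
    if not ring.primary.offline:
        warnings.append("primary secret key is present on this machine (expected a stub)")
    if signing_subkey(ring) is None:
        warnings.append("no signing subkey available; gpg would fall back to the primary")
    if not any("e" in sk.caps.lower() and not sk.offline for sk in ring.subkeys):
        warnings.append("no encryption subkey available on this machine")
    return warnings


if __name__ == "__main__":
    for ring in parse_secret_listing(SAMPLE_LISTING):
        print("primary", ring.primary.keyid, "stub" if ring.primary.offline else "present")
        for w in audit(ring):
            print("  warning:", w)
        print("  sign with:", " ".join(gpg_sign_args(ring)))
```

To use it on a real machine, pipe `gpg --list-secret-keys --with-colons --with-secret` into `parse_secret_listing` instead of the constructed sample; a `sec` line carrying `#` is what the "master key in a safe place" articles are aiming for, and the `FINGERPRINT!` form removes the guesswork about which key gpg picks when several are usable.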
