On Thu, Sep 5, 2013 at 8:45 PM, Randy Bush <[email protected]> wrote:
> so, it might be a good idea to hold a pgp signing party in van. but
> there are interesting issues in doing so. we have done lots of parties
> so have the social protocols and n00b cheat sheets. but that is the
> trivial tip of the iceberg.
>
> o is pgp compromised? just because it is not listed in [0] is not
> very strong assurance in these dark days.
>
> o what are the hashes of audited software, and who did the audits?
>
> o what are the recommended algs/digest/keylen parameters?
>
> o do we really need elliptical, or is that a poison pill?
>
> o your questions go here ...
>
I think our problems now go a lot further. The NSA is allegedly spending $250 million a year infiltrating vendors and standards bodies. They have also been pretty aggressive in hiring IETF folk for various consulting contracts.

The big risk I see here is that there is a lot of finger pointing and every bad decision that was made in the past that delayed the deployment of strong crypto is now considered prima facie evidence of being a mole.

Not being a US citizen I see no reason to allow the NSA a backdoor in anything I do. But looking at the carelessness and incompetence with which they have guarded their own secrets I would not be anxious to allow them access to mine even if I was a US citizen.

Seriously, this type of activity is an attack on the trust that is necessary for collaboration. I doubt that the people who design and deploy these programs had the slightest understanding of or concern for the costs or consequences of their actions.

-- 
Website: http://hallambaker.com/
