On Fri, Oct 11, 2013 at 10:24 AM, Tempest <temp...@tushmail.com> wrote:
> Gregory Maxwell:
>> My other big technical complaint about PGP is (3) in the post, that
>> every encrypted message discloses what key you're communicating with.
>> PGP easily _undoes_ the privacy that an anonymity network like tor can
>> provide. It's possible to use --hidden-recipient but almost no one
>> does.
>
> i am often a bit confused as to why people take issue with the fact that
> gpg/pgp isn't anonymous. i don't recall the technology ever being
> proposed as such. rather, effort was made to have mechanisms to verify
> the identity of a sender. however, if one creates an identity and
> keypair that has only been used over tor, what's the problem? creating
> and maintaining anonymity is an entirely different subject that gpg/pgp
> was not created to address.
Security is a complicated subject. The exact properties you need to be
secure depend on your threat model. You add encryption via PGP because
you know you need encryption in order to be secure against your threat
model. But without it being very obvious PGP has written a long term
identity fingerprint encoded in the opaque base64 data which
distinguishes your messages by recipients. This long term identity key
can _increase_ your vulnerability to traffic analysis over using nothing
at all. It does so invisibly to many users. It may be a very bad thing
for your threat model.

I think communications security tools ought to avoid increasing
vulnerability to any common threats to the greatest extent that they
can, and when they must compromise they should make it obvious.

Both for non-repudiation and resistance to traffic analysis PGP
dramatically reduces user security and does so in a way which is not
obvious to any except the most advanced users.

Both of these could be fixed with basically no user impact: Make
hidden-recipient the default and allow optional clear-text recipient
list on ascii armored output; add an "authentication" mode which is used
by default instead of signing for encrypted messages that uses ring
signatures (and don't allow unauthenticated encryption, geesh).

> effort was made to have mechanisms to verify the identity of a sender

PGP actually has no mechanism for that. That's authentication. Instead
PGP substitutes non-repudiation for that purpose, which is a superset of
authentication which reduces security in many situations. PGP provides
basically no way for me to convince you that I'm the author of a message
without also making it possible for you to prove it to the whole world.
Sometimes you want this— for contracts and such— but usually you just
want authentication.
> "if one creates an identity and keypair that has only been used over tor"

Say you are a famous anonymous developer that creates software for
dissidents to help them connect to tor. You have a nice anonymous key
that is well known to belong to you. Do you think any of your users
should want to send you email to anonymous one time use tech support
mailboxes using that key, provably showing they were communicating to
you to anyone who can monitor their email? Do you think your users will
even realize that sending you messages will expose them?

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
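The leak Maxwell describes lives in the Public-Key Encrypted Session Key packet at the front of every PGP message: its 8-octet key ID field is plaintext under the armor, and --hidden-recipient replaces it with all zeros (the RFC 4880 "wild card" ID). The following is an added example, not code from the list thread; it is a small auditor that walks the RFC 4880 packet framing of a binary (de-armored) message and reports which recipient slots still expose a key ID. The sample message, the packet builder and the key ID in it are constructed for the demonstration.

```python
"""Audit an OpenPGP message for recipient key-ID leakage (RFC 4880 packet framing)."""
PKESK_TAG = 1                    # Public-Key Encrypted Session Key packet (tag 1)
WILDCARD_KEY_ID = b"\x00" * 8    # key ID written for --hidden-recipient / --throw-keyids

def _read_header(data, pos):
    """Return (tag, body_start, body_len) for the packet at pos; RFC 4880 section 4.2."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                  # new-format header
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype                                    # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(message):
    """Return the 8-octet key ID from every PKESK packet in a binary OpenPGP message."""
    ids, pos = [], 0
    while pos < len(message):
        tag, start, length = _read_header(message, pos)
        if tag == PKESK_TAG:
            body = message[start:start + length]
            if body[0] != 3:
                raise ValueError("unsupported PKESK version")
            ids.append(body[1:9])        # version octet, then the 8-octet key ID
        pos = start + length
    return ids

def audit(message):
    """Hex key ID per recipient slot, or 'hidden' for the all-zero wildcard ID."""
    return ["hidden" if k == WILDCARD_KEY_ID else k.hex().upper()
            for k in recipient_key_ids(message)]

def make_pkesk(key_id, esk=b"\x00\x10\xbe\xef"):
    """Constructed minimal PKESK (version 3, RSA alg 1, dummy MPI); not GnuPG output."""
    body = b"\x03" + key_id + b"\x01" + esk
    return bytes([0x84, len(body)]) + body      # old-format header, 1-octet length

# Constructed sample: one exposed recipient, one hidden recipient, then a dummy tag-18 packet.
SAMPLE = (make_pkesk(bytes.fromhex("0123456789ABCDEF")) + make_pkesk(WILDCARD_KEY_ID)
          + bytes([0xC0 | 18, 3]) + b"\x01\x02\x03")
```

`audit(SAMPLE)` returns `['0123456789ABCDEF', 'hidden']`; run it on `gpg --dearmor` output of your own messages to see which ones still name their recipient.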