carlo von lynX:
>
> People expect PGP to be "secure" without having such a clear idea
> of what they mean by "secure." Suddenly, times have changed.
> This summer times have changed and nothing is as it was.
> Now we know just being able to encrypt and sign is not enough
> for most situations in life. It's no longer "secure."

but, again, pgp/gpg never pretended to provide "anonymity." if the public perception of "secure" now includes anonymity, that is neither the fault of the tech nor a reason not to use it. rather, it's a reason to learn tools that will help to anonymize a connection if that is what one desires.

> You can't just use it over Tor, you also need a mail server willing
> to give you an account anonymously and then you need all your
> communication partners to do all of that configuration and
> finally you need to configure PGP so it won't expose who you are
> sending to.

correct. people need to learn appropriate opsec based on the circumstances they are dealing with. it is more than possible for any user to have a key associated only with an email address that has never been touched by anything but tor from their side. plenty of services exist that provide e-mail addresses for free without blocking tor. the question of how private those services may keep your communications is an entirely different issue, which is why the use of pgp/gpg is still a good idea.

> On 10/11/2013 09:10 PM, Tempest wrote:
>> a fair point. but one could significantly address this issue by hosting
>> the public key on a tor hidden service. that would greater ensure that,
>> in order to get your key, they would be using a system that protects
>> against such threats. hardly an "easy" solution. but it can be solved
>> with a little extra planning.
>
> I was just thinking to answer that you could leave out PGP entirely
> in this scenario, but...
>
> On 10/11/2013 09:24 PM, Gregory Maxwell wrote:
>> Of course, if you can do this and the HS is secure, then you can just
>> dispense with the PGP altogether.
>
> Gregory said just that ;)

this would assume that servers never get discovered or compromised in some way. a perfect real world example right now to refute the above notion is silkroad.
any person who used pgp/gpg to encrypt their communications with each other via that service is likely in a much better place right now. just because a server appears to be fully secured within the tor network is no reason to abandon pgp/gpg encryption of private communications.

i still do not see how you've made good arguments to support your title. nobody has ever said pgp/gpg is perfect. but to make the claim that people shouldn't bother starting to use it is too simplistic and, therefore, just a bit reckless under the circumstances.

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.