I ranted about certain annoying consumer-grade-security email.
I appealed for PGP. If you're on Linux at all, you *have* PGP. We should
be using it more than we are. (And you're using it even if you don't
know that you are.)
Several months ago, I pitched PGP to a small lab in a major software house.
The house is doing the code-signing thing that everyone is doing
(good!). But the usual method is all PKI-bound, which leads to
complexity that this smaller group is simply understaffed for.
So I suggested PGP. They didn't buy my argument. I honestly think they
just did not *understand* the proposal. (And maybe that's my fault?) PGP
is significantly easier to use for them than the corporate PKI remedy.
But I digress.
The blog post is all about PGP.
If you're on SUSE or RedHat, PGP is built into the RPM ecosystem. (For
clarity, it's GPG, but functionally the same.)
If you're on Debian, the whole development team uses PGP personally.
The blog post is here:
https://github.com/trothr/blog/blob/master/sir.santa/2024/20240223-you-have-received.md
It's open for debate.
I mentioned on the VM list about a trust anchor for the mainframe
community. (Slight topic drift.) A few people have expressed interest.
What I have collected so far are a handful of PKI root certs and a few
PGP public keys. PKI lacks the person-to-person factor, but root certs
*can* be signed with PGP giving the same web-of-trust reliability. If
you're inclined, please let me know.
-- R; <><
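The "root certs can be signed with PGP" idea above, and the RPM-style detached-signature model it borrows from, as an added example that is not part of any message in this thread. The script below generates a throwaway self-signed certificate and a throwaway GnuPG key (neither is a real trust anchor; both are constructed on the spot), detach-signs the PEM file, verifies it, and then shows that a one-byte change to the certificate makes verification fail. It assumes `gpg` (GnuPG 2.1 or later, for `--quick-generate-key` and loopback pinentry) and `openssl` are on PATH and reports "skipped" if either is missing.

```shell
#!/bin/sh
# Added example, not from the original post: sign a root CA certificate
# with a detached PGP signature and verify it. The key and certificate
# are generated here and are not any real trust anchor.
set -u

# pgp_sign_cert: prints "ok", "skipped" (tooling missing) or "FAIL: <step>"
pgp_sign_cert() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }

    work=$(mktemp -d) || { echo "FAIL: mktemp"; return 1; }
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # 1. A throwaway self-signed "root" cert standing in for a real anchor
    #    (constructed input; in practice this is the PEM you were handed).
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$work/ca.key" -out "$work/ca.pem" -days 1 \
        -subj "/CN=Constructed Test Root" >/dev/null 2>&1 \
        || { echo "FAIL: openssl"; return 1; }

    # 2. A throwaway PGP signing key (in practice: your own long-lived key,
    #    the one other people have signed in the web of trust).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Test Signer <signer@example.invalid>" \
        ed25519 sign 0 >/dev/null 2>&1 || { echo "FAIL: keygen"; return 1; }

    # 3. Detached, ASCII-armored signature next to the PEM. The cert file
    #    itself is untouched, so it still loads in any TLS stack.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$work/ca.pem.asc" "$work/ca.pem" \
        >/dev/null 2>&1 || { echo "FAIL: sign"; return 1; }

    # 4. Verification must succeed on the pristine cert...
    gpg --batch --quiet --verify "$work/ca.pem.asc" "$work/ca.pem" \
        >/dev/null 2>&1 || { echo "FAIL: verify"; return 1; }

    # 5. ...and must fail once a single byte of the cert is altered.
    cp "$work/ca.pem" "$work/ca-tampered.pem"
    printf 'x' >> "$work/ca-tampered.pem"
    if gpg --batch --quiet --verify "$work/ca.pem.asc" "$work/ca-tampered.pem" \
        >/dev/null 2>&1; then
        echo "FAIL: tampered cert verified"; return 1
    fi

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo ok
}

pgp_sign_cert
```

The signature check only proves the file is the one a particular key signed; the trust decision is whether *that* key is one you (or people you have verified) have signed, which is the web-of-trust part and is outside what `gpg --verify` alone tells you. On the RPM side the same split applies: `rpm --import` puts a public key into the rpm database and `rpm -K` (alias `rpm --checksig`) verifies a package against the imported keys, but deciding which keys to import is still a human trust decision.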
On 3/22/24 11:09, Rick Troth wrote:
Got a little side project of establishing a web-of-trust for mainframers.
Most of us won't have time for it (I usually don't), but when we do
it's a good thing, a community service.
The blog post is a plea that service companies start using PGP. They
can. They should. It would make a lot of stupidity vaporize.
It relates to the "web-of-trust for mainframers" because that's an
inherently PGP thing.
I sent the following to the IBM-MAIN list.
-- R; <><
On 3/22/24 11:05, Rick Troth wrote:
Techies will understand.
And maybe it's coddling the non-techies that drives service companies
to provide dumbed-down remedies.
They're still obligated to comply with new and wonderful regulations.
They (the good ones) genuinely try and they (the lazy ones) at least
want to *look* like they're protecting us.
So I got another of these "you have received a secure message"
messages, the kind which come through one channel (objectively *not*
secure) telling me to go to another channel (secured, at some level,
but invariably hard to use).
If the first channel is insecure, how do they know that I'm even
getting the message to go read the message?
I want this crap to go away!
And it's not like it can't go away.
It's just that simple solutions seem to have baggage. "It's too easy,
so it can't possibly be really effective." Why don't we teach the
kids basic LOGIC in school??
The rant is here:
https://github.com/trothr/blog/blob/master/sir.santa/2024/20240223-you-have-received.md
And some will disagree.
That's okay, because you're allowed to be wrong.
But we can talk about it. (The alternatives are debatable.)
I expect the biggest disagreement to come from PKI aficionados. PKI
is great, but it doesn't work well for person-to-person. Long story.
-- R; <><
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390