PGP problems

Brian Morrison pmmail@rpglink.com
Tue, 01 Aug 2000 18:02:55 +0100


On Mon, 31 Jul 2000 22:27:45 -0300, Trevor Smith wrote:

>On Mon, 31 Jul 2000 20:02:00 -0400, Andrew Webber wrote:
>
>>1. So I'll know to do that. ;)
>>2. In case I got too many, I could automate it (so far I've had
>>almost no requests).
>
>Sad, isn't it? Like you alluded to, everyone should use PGP, but no
>one does. I believe this is because it is very complicated to
>understand. I don't think the use of cryptography itself is
>inherently complicated, but I think that *ALL* the documentation for
>PGP is. Some day I am going to write a really simple, "this is what
>it's about, this is why/how to use it" document.

If Steve is prepared to set up listar to receive encrypted mail and
send out encrypted mail to those that want it, we could make this list
encrypted.

I think the snag is that the Web Of Trust is actually rather cumbersome
and to really believe that you are secure you have to take a lot of
precautions that are not readily applicable to email. We all expect to
just type, right? Well, security just isn't like that; you need to be
utterly sure that the person you are communicating with is really who
they say they are. PGP is best suited to people that have met to
exchange bona fides previously; all this stuff about not needing a
secure key exchange channel obscures the reality of how it would be
possible to use man-in-the-middle attacks on people you need to
eavesdrop on.

Better still folks, get IPv6 and press for everyone to start using it
in their networks. That denies traffic analysis because the data is
fully encrypted including all the headers with the exception of source
and destination addresses. If you used a server as a gateway and all
your traffic always took the same route no one could know what you were
doing, and of course PGP is still your friend underneath the IPv6
encryption. IPv6 may be what finally drives me to use Linux, I'm afraid;
OS/2 seems unlikely to get revised TCP/IP stacks.

As you may know, the RIP bill has received the Royal Assent in the UK;
we're all in the government's gunsights over here now :-(

-- 
Brian Morrison                                  bdm@fenrir.demon.co.uk
              do you know how far this has gone?
               just how damaged have I become?
                                      'Even Deeper' by Nine Inch Nails