[NZLUG] Getting people to use GPG

Mark Foster blakjak at blakjak.net
Wed Jun 19 11:08:41 NZST 2013

On 19/06/13 10:45, Rob Connolly wrote:
> On Wed, Jun 19, 2013 at 09:48:27AM +1200, Steve Holdoway wrote:
>> On Wed, 2013-06-19 at 09:24 +1200, Rob Connolly wrote:
>> [snip]
>>> Following on from this, does anyone have any experience trying to get
>>> friends and family to secure their communications? GPG is case in point
>>> as it's only really of use if the people you correspond with also use it
>>> and people seem to find it hard to use.
>>> Cheers,
>>> Rob
>> I use evolution as the best mail client I can find - not saying much is
>> it - and I see the message 'Signature exists, but need public key'
>> against this message.
>> If my mail client can't fully use the GPG key, is it worth having?
> Well this is exactly the point. You need my public key to be able to
> validate the signature. Since my key is on publicly available keyservers
> this shouldn't be a problem, perhaps Evolution should ask if you want to
> fetch it.
> Of course there is still the question of how much you 'trust' each key.
> I'm not sure what would happen if there were a path through the Web of
> Trust from the keys in your GPG database to my key.

What are you trying to achieve with GPG?

If you receive an email from someone that is signed with GPG (note,
signed, not encrypted) then at least you can go and fetch their public
key (to verify their signature). The equivalent of doing signature
verification on a document (or cheque, perhaps).

None of this deals with the privacy issues that encrypted email would
deal with, and if you want end to end encryption to ensure privacy then
ubiquitous, automatic decryption at MUA level runs counter to the
security model you're trying to aim for.

Encryption over-the-wire is already commonplace (it's called
Opportunistic TLS), and that's your first vector - protection during
transmission. Encrypted email at the MUA (client) level is the only way
to ensure privacy protection in terms of data-at-rest, GPG may achieve
this but if you make the decryption too easy to do, where's the security
there?  It's still going to require client-side setup in the initial
stages at some point, isn't it?

(This thread forked from a discussion on privacy and data integrity, you
could potentially automate the fetching of public keys for sender
verification but manual intervention for decryption of email is in my
mind, still compulsary if that's what you're aiming for).

Another data point; I use Thunderbird with OpenPGP and as i'm replying
to a signed email, it asked me for my private key to let me sign my
response. I use it so infrequently i've forgotton my private key and
will need to wade around some of my documentation from when I set it up
12 months ago to see if I recorded it or a clue to it, or i'll be
resetting my PGP signature... (so even geeks can make a mess of this,
though perhaps I wouldn'tve if I used it more often.)


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nzoss.org.nz/pipermail/nzlug/attachments/20130619/996af8ea/attachment.html>

More information about the NZLUG mailing list