Morlock Elloi on Sat, 17 Dec 2016 22:58:36 +0100 (CET)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: <nettime> Ars Technica > Valsorda > I'm throwing in the towel

There is no "long-term PGP key model".

There is a fallacy of "web of trust" and fallacy of the notion that public keys need to be published (maybe because they are named 'public' ?)

PGP works fine for end-to-end security of authenticated parties. There are thousands (probably much more, but I'll stick to my samples and extrapolation) of cases where previously authenticated parties, personal or business partners, exchange their keys via secure side channel, and then happily message each other. Most often each party has dedicated key pair for just one correspondent. Public keys are never published - on the contrary, they are preferably kept secret. Metadata is not shielded unless Tor and throw-away accounts are used, but that is another topic. In reality there are very few people one person needs strong secrecy with, so the existing key management works well (and no, your social network "friends" don't count.)

Then we come back to the issue why would one want to have unauthenticated encrypted communication, which appears to be touted as one and the only use case for PGP (in other words, someone picks someone's public key from the public key server and sends encrypted message.) It is hard to find actual use case except superficial lifestyle choice ("look ma, I'm encrypting!") Public key servers are hackable, thugs will sign keys on key signing parties, so one would have to be out of her mind to count on authenticity of the key not received directly from the target when serious secrecy is required. The other argument for PGP, in the early days, was to prevent mass interception and casual surveillance. That has been pretty much taken care of by SSL and its strains (again, metadata requires additional measures.)

So the whole argument is fake, a red herring, as it dissects the false use case.

that. It's about the long-term PGP key model -- be it secured
by Web of Trust, fingerprints or Trust on First Use -- and how
it failed me.

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info:
#  archive: contact:
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject: