12 Matching Annotations
- Jun 2024
-
weboftrust.github.io weboftrust.github.io
-
This start-over style of key rotation may well be one of the main reasons that PGP's web-of-trust failed [WOT]. Without a universally verifiable revocation mechanism, then any rotation (revocation and replacement) assertions either explicit or implicit are mutually independent of each other. This lack of universal cryptographic verifiability of a rotation fosters ambiguity at any point in time as to the actual valid mapping between the identifier and its controlling keypair(s). In other words, for a given identifier, any or all assertions made by some set of CAs may be potentially valid
-
- Dec 2022
-
teknikaldomain.me teknikaldomain.me
-
pgp.mit.edu pgp.mit.edu
-
- Apr 2022
-
protonmail.com protonmail.com
- Nov 2020
-
latacora.micro.blog latacora.micro.blog
-
Long term keys are almost never what you want. If you keep using a key, it eventually gets exposed. You want the blast radius of a compromise to be as small as possible, and, just as importantly, you don’t want users to hesitate even for a moment at the thought of rolling a new key if there’s any concern at all about the safety of their current key.
You want to blast radius of a compromise to be as small as possible
Therefore a long-term key is almost never what you want. You don't want users to hesitate about rolling out a new key if they suspect theirs is compromised.
-
PGP begs users to keep a practically-forever root key tied to their identity. It does this by making keys annoying to generate and exchange, by encouraging “key signing parties”, and by creating a “web of trust” where keys depend on other keys.
PGP encourages users to keep long-term keys tied to their identity. It does this by making it annoying to generate and exchange keys.
-
We can’t say this any better than Ted Unangst: There was a PGP usability study conducted a few years ago where a group of technical people were placed in a room with a computer and asked to set up PGP. Two hours later, they were never seen or heard from again.
The UX problems with PGP/GPG.
-
There are, as you’re about to see, lots of problems with PGP. Fortunately, if you’re not morbidly curious, there’s a simple meta-problem with it: it was designed in the 1990s, before serious modern cryptography. No competent crypto engineer would design a system that looked like PGP today, nor tolerate most of its defects in any other design. Serious cryptographers have largely given up on PGP and don’t spend much time publishing on it anymore (with a notable exception). Well-understood problems in PGP have gone unaddressed for over a decade because of this.
The meta-problem with PGP is that it was designed by crypto-engineers in the 90s and it is horribly outdated, yet due to its federated architecture, difficult to update.
-
-
moxie.org moxie.org
-
In 1997, at the dawn of the internet’s potential, the working hypothesis for privacy enhancing technology was simple: we’d develop really flexible power tools for ourselves, and then teach everyone to be like us. Everyone sending messages to each other would just need to understand the basic principles of cryptography. GPG is the result of that origin story. Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It’s up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the “strong set,” and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today’s standards, that’s a shockingly small user base for a month of activity, much less 20 years.
The failure of GPG
Tags
Annotators
URL
-
-
blog.filippo.io blog.filippo.io
-
Then, there's the UX problem. Easy crippling mistakes. Messy keyserver listings from years ago. "I can't read this email on my phone". "Or on the laptop, I left the keys I never use on the other machine".
UX issues in GPG
Tags
Annotators
URL
-