On 01/10/2010 03:24 PM, Mario Castelán Castro wrote: > Is not neseesary to comprehend cryptography to use it. In fact, the > pknowledge of the use of one thing and the knowledge to use it are > independient. I.e: don't know how to ride a bicicle, but I know how > they work
Crypto is not like this. Sure, you don't need to understand Feistel networks or large number theory in order to use crypto, but look at what you *do* need to understand: * Identity verification * Document verification * What a hash is * How hashes are used * How hashes are misused and shouldn't be used * Out-of-band verification * Type I versus Type II error ... and so on, and so on, and so on. I stopped at seven; I could easily go on for another seven, or more. These are all things that are necessary to use GnuPG successfully. As an example, a fairly tech-savvy friend of mine made a habit of signing all her emails. Her reasoning was, "if people ever see a message that's not signed, they'll know it's not from me." This reasoning sounds good, and many people on this list would probably agree with it. The problem is that it's incorrect. If someone using her name were to post a racist, hate-filled screed on the internet, would she really be able to persuade people she didn't write it just by saying "look, I didn't sign it"? Or would her critics say, "of course you didn't sign it, you wanted to be able to deny writing it!"? Likewise: people tend to be interested in who has signed a given key... but why? Anyone can sign anything, regardless of whether the key owner consents. There are all kinds of credibility attacks you could do on someone by putting a fake "StormFront Identity Verification <ver...@stormfront.org>" signature on a key -- and thus, have people infer from that signature that the key owner is a member of a racist hate organization. Crypto is a /highly/ demanding field. The skills required to use it effectively, and avoid incorrect and/or dangerously false reasoning about documents, are far, far beyond the realm of most users. OpenPGP is in many ways a failed standard. It's big, it's complex, it has a lot of subtle edge cases, and so on. However, for all its faults, I think it is by far the best email encryption standard we have. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
