On 7/31/2012 8:17 AM, peter.segm...@wronghead.com wrote:
> Correct me if I'm wrong, but it is unreasonable to expect anybody
> to successfully and safely use gpg without understanding the
> concepts and mastering the skills essential to the WOT:

This is not at all the case. Set up a trusted introducer/certificate authority and presto, bang, you're off to the races.

When Alice comes on board at the company, the local authority generates a certificate for her, sets up her Thunderbird+Enigmail installation (or choose-your-preferred-MUA), signs her certificate, and has her certificate recognize the CA as a trusted introducer. All Alice needs to do is choose her passphrase. She can now communicate securely with anyone inside the organization.

In order to communicate securely with someone outside the organization, she calls up the certificate authority and says, "I need to email some documents to Bob over at another firm. Could you please make this happen?" The CA then calls Bob, does the identity check, fingerprint verification, etc., and at the end of it signs Bob's certificate and introduces Bob's certificate to the local keyserver. The CA calls Alice back and says, "Grab Bob's certificate from the local keyserver: you're good to go."

At no point does Alice need to know anything about the Web of Trust. All she needs to know is --

1. She needs to keep her passphrase secure
2. If she wants to send secure email, she needs to check to see if her recipient's certificate is on the keyserver
3. If it's not, she needs to call the local CA

The rest can all be done automatically.

> Most users in this group have no single computer they operate on.
> Occasionally they must be able to create cipher-text on "drive-by"
> computers

This cannot be done safely. You must have physical control over the hardware for GnuPG to be used safely. "Drive-by" machines have uncomfortably high malware infection rates. Don't use GnuPG except on machines that you physically control and are confident are free of malware.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
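
The trusted-introducer arrangement described in the message above, as an added example that is not part of the original post: a simplified Python model of GnuPG's default key-validity rule, showing why one ownertrust assignment to the CA is enough for Alice's routine. The key names, the `LOCAL_KEYSERVER` set, and the reading of "recognize the CA as a trusted introducer" as "Alice's key certifies the CA key and gives it full ownertrust" are assumptions.

```python
# Added example: simplified model of GnuPG's default validity rule
# (1 fully trusted or 3 marginally trusted introducers, path depth <= 5).
# Expiry, revocation and trust signatures are ignored; all names are constructed.
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


def valid_keys(own_key, signatures, ownertrust):
    """Return the keys treated as valid in the keyring owned by own_key.

    signatures: {key: set of keys that certified it}
    ownertrust: {key: FULL or MARGINAL}, the owner's trust assignments
    """
    valid = {own_key}  # the owner's own key is ultimately trusted
    for _ in range(MAX_CERT_DEPTH):
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            counted = signers & valid  # certifications by non-valid keys are ignored
            full = sum(s == own_key or ownertrust.get(s) == FULL for s in counted)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in counted)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


def next_step(recipient, local_keyserver, valid):
    """Alice's three-item routine from the message, with no WoT decisions."""
    if recipient in local_keyserver and recipient in valid:
        return "encrypt"
    return "call the CA"


# Constructed keyring. Assumption: "recognize the CA as a trusted introducer"
# means Alice's key certifies the CA key and gives it full ownertrust.
SIGNATURES = {"ca": {"alice"}, "bob": {"ca"}, "mallory": {"mallory"}}
LOCAL_KEYSERVER = {"ca", "bob"}  # only certificates the CA introduced

if __name__ == "__main__":
    valid = valid_keys("alice", SIGNATURES, {"ca": FULL})
    for who in ("bob", "mallory"):
        print(who, "->", next_step(who, LOCAL_KEYSERVER, valid))
    # If the setup step that certifies the CA key is skipped, ownertrust alone does nothing.
    print(valid_keys("alice", {**SIGNATURES, "ca": set()}, {"ca": FULL}))
```

The last call covers the setup mistake worth checking for: an ownertrust value on a CA key that is not itself valid in Alice's keyring makes none of the CA's certifications count.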