-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA224 On 08/22/2012 02:59 PM, peter.segm...@wronghead.com wrote: > GPG is on the other hand so tightly integrated with WOT that no > matter what, it is unavoidable that any user will sooner or later > stumble upon some of WOT anatomy or physiology minutia, and that > will have at least one of two rather detrimental consequences:
As has been pointed out to you by at least two separate people, by having a single trusted introducer who serves as the gatekeeper for the entire system this problem goes away. The problem you are talking about is routine. I faced it when I was the chief sysadmin for a law firm and deployed GnuPG to 150+ desktops. Pretty much anyone who has ever deployed GnuPG and/or PGP has faced it. Solutions to this problem exist, are well-known, and pretty thoroughly tested. Deploying PKI is nowhere near as big of a problem as convincing people that PKI adds benefit to their lives. > This thinking pretty well follows the contemporary computer > security dogma: the user need not understand any of the > [underlying] concepts, the user just has to trust whoever has > designed and implemented the system. You don't need to understand statics, the modulus of compression, the difference between shear and torque, the modulus of expansion, or any of those other things to use a bridge: you just walk or drive across it. For those who build the systems, of course they need to understand it in detail. Users, though, need to be insulated from these things as far as is practical. Right now the number one thing killing PKI is the fact nobody wants to adopt it. If you state, "well, before someone can use PKI they must understand the underlying concepts," you're automatically selecting for the upper 1% of computer users. I think the other 99% deserve better. > It's not to say that Alice must be proficient in the design of > crypto algorithms, but she ~must~ understand and have the > confidence in data formats and the protocols. One of the data formats used in GnuPG is PKCS12. I doubt that anyone on this list fully understands the PKCS12 data format and protocol. A while ago Werner condemned it as "even by ASN.1 standards a nightmare to parse." You don't want to hear my opinion on parsing PKCS12: my language would make the lands near me barren. If you say Alice *must* understand and have confidence in the data formats and protocols, well, where do you draw the line? Because if you draw the line at a very high level, then you're adopting my position. If you draw the line at a very low level, then you're saying she needs to understand how PKCS12 works. And if you draw the line anywhere in between, then you're adopting my position but just quibbling over precisely where you want the line to be drawn. (Now, it's true that PKCS12 is normally not used as part of OpenPGP; it's more closely associated with GnuPG's S/MIME code. But I trust that the point is made.) -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iFYEARELAAYFAlA2Y20ACgkQI4Br5da5jhDTyQDfRSRKH2kote7F8nkAoSQ7rsP+ YYWLgX4lspbx3gDdGL1v0PT5FQDLQps8WnHRPKwWj91yIr6PGGXjrg== =Ro6a -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
