On 08/28/2012 04:20 AM, pants wrote: > On Tue, Aug 28, 2012 at 03:54:19AM +0200, No such Client wrote: > >> Why put your pubkey up forever, to make it easier to socially or >> technically attack your comms? >> > I mean, by having access to a public key turns the technological attack > on encrypted data from an intractable one to an intractable one. You > might now have a problem that goes with some smaller number raised to > the n, but that grows exponentially with n nonetheless. > > # -> ¨from an intractable one to an inctractable one¨ (you mean ¨ẗractable¨ > yes?) On a sidenote, If you have.. 5 gpg keys for example, one with real > name, one backup, one for a group that you are a member of, one for your > close relatives, and one for a former colleague, if the goal isnt to whore > your public keys to be publically signed, how it is a problem to have a small > series of people who each have different keys (the goal is to sign/encrypt > with various social spheres of your life. ) >> Perhaps it is different in your country, however in the military, we >> often have to think pragmatically of the human weakness, and when >> symmetric or pKI is appropiate. Otherwise, others are at risk. >> > Yes, it is fortunate that I, and indeed most of the cryptographic > community, will likely never face any sort of physical coercion. # very fortunate, however it also is why those that do, are often frustrated or ignored by those who simply can never imagine the situations, and how things are often not as simple as signing keys, or using keyservers, or the tactical risks inherent something, which in the ¨normal world¨ would be quite routine and harmless. Even cryptographers have social biases. > I, for > one, am more concerned with privacy than with any serious data > sensitivity. # sure, and that is your prerogative to shape your security stance to your personal risk-assessment, which ofc is shaped by your views, experiences, interests, intentions. Nothing wrong with that. What is wrong is when some (not saying you personally) , assume that their intended usage or views of crypto is the same as all others, and apply their personal views, opinions, or biases to others and judge them with their own standards. I personally use gpg for work, play, family, and friends because of the fact that I do not want to risk my loved ones, or friends being hurt if I made a mistake. for sensitive data, simply lower the cryptolength of keys.. ie, use 1d - 1w expiring keys, transmitting data, and ofc having stringent controls of pubkey dissemination for operational security. > But the addition of a frail human element into the problem > is certainly interesting. #agreed. I believe there is a field which deals with such things as trust, loyalties, psychology, interests, motivations, power, coercion, psychology.. Such a field might be stereotypically depicted in the popular media, however cryptography goes hand in glove, with such a (under)world. Crypto is what keeps our secrets safe, and our civilizations safe. It is a powerful weapon, and like any other weapon, is a double-edged sword. Layering this to mitigate against human weakness is .. common sense if you have something to lose. If your family was in some kind of unpleasant situation because someone *thought* that you were working against their interests, I am confident that you would take steps to protect them ja? Both digitally, and physically no? Crypto is another tool that protects you from the wolves. > If one can torture a passphrase or key out of > someone, what is to stop them from extracting the encrypted data from > the person as well? # I never said that the person you encrypted it to was the end recipient. If you are a digital courier, you can have something encrypted to you, however upon decryption, you find that it is -R´d again to another party, and you are simply given an email address, or physical address to relay it to.. Or you put it on a flashdrive, and leave it at a pre-arranged locale. Even if you are tortured for your part, the ciphertext is still not within your means to decrypt. If you used a symmetric password, then you might be able to namedrop, and now others are at risk as well.. Someone down the line can give up the password. Now the torturers dilemna, is that you could never fully prove your innocence, and the torture could never fully prove your guilt. Using crypto in the first place stands out, and is in the torturers eyes, a sign of guilt. Telling them that you cant decrypt something, will make them think that you are lying. Even if you are able to decrypt the first file, which could be -R´d, for example , by the time you give in, and try to say that the second file is really not within your ability to decrypt, the overseeing party would be foolish to believe you. So their only recourse is to continue torturing you, even if you are fully honest, or fully lying, as they can never know when you are ¨spent¨, and have told all that you know, as there is always a risk, that you are just resisting them, holding something back.. While you can never prove that you honestly have no way of decrypting the data (as it can be -c -R as well... which means that you can never prove yourself innocent. Anyone that signed your key, can also be grabbed.. And I know you might think of the xkcd, however in the real world, when you have someone using electricity, or a cold water and a sjambok, or worse, coercing you via your friends and family.. It doesnt matter what you or cryptographers think. All that matters is what the person who has your family thinks.
(The movie unthinkable speaks to this dilemna, albeit obliquely) > After all, in the situations you hint at, it is > this which is actually relevant to the torturing party. > # not neccesarily. They most likely will be sadists, (http://en.wikipedia.org/wiki/Reservoir_Dogs#Cast) , and they may want information about who you deal with, or to prove a point to you.. Ie, you are sng´d (snatched and grabbed) , torturing you, for who you deal with, not what you deal with is far more revealing. And then they release you, so that your friends and family, and allies, all think that you revealed something. Which makes them distrust you. You feel alienated, especially after watching tv, as every time you go to a store, you think of that coke bottle up yer ass.. And you feel cut off, and if they beet your feet, well you wont be walking too well.. Electricity and water are both deniable. However, now you feel powerless, you arent sure who to trust (they told you that your friends are really their friends), and you might be shunned from whatever you were a part of, as they have to assume that you compromised others. So.. You might find yourself just a smile, and a pawn in a bigger game. You made a sadist happy, and sow distrust and panic in whatever organization your opposition has a dispute with. More importantly, they will grab you, and see which birdies chirp about your arrest. You were essentially just bait. And they will naturally monitor you, and see who approaches you, or is worried about you. This is all far more relevant than the ciphertext. Its who you know, and what you are about. Not what you hide. Thats easy. If thinking in this light, you could see why some are keyserver/ keysign averse (lsign only) ... > pants. > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
