Thanks to everyone for the vivid discussion.

@HHH: Thanks for your text at
http://www.securemecca.com/public/GnuPG/TrustOfGPG4Win-2.txt

> As my little discourse here should have shown to you,
> Windows users as a group by and large just don't care about
> securing their systems.  They want a one stop solution and that
> is now an iPhone or an iPad.  You cannot do much with them but
> people that are lazy [...]

I agree with you and think we won't get rid of this "laziness". We will not be able to change the fact that most people use an insecure Windows or Mac OS, either. GIVEN THAT, can we provide a way of secure communication for the majority of the people? This is what I want, since many of my friends are no computer experts and will never be.

It seems quite easy to advise people to have an offline Windows PC with gpg4win on it and all their private stuff and a Windows(?) online PC next to it. They could transfer encrypted messages with a USB stick from one PC to the other. I think this is a vector for an attacker, but how serious is this problem? An attacker only seems to have a chance if he has a contract with Microsoft and Windows secretly copies the private key, password or even any decrypted "word file" on any USB stick. Could such a thing be spotted or prevented?

There's another problem with the offline/online approach: convenience. Since you would transfer the messages in plain text on the USB stick, you would have to order them on the offline PC. You wouldn't have Thunderbird there to do this for you.

Another general problem is that you encrypt YOUR messages with another person's public key and have to rely on this person to protect this private key well. I think it is necessary that you know how he keeps his private key (offline PC/online PC). I think everybody should note that in his key ID. Do you agree? So if you communicate with someone who stores his key on an online Windows PC, it is not worth the effort to store your key on an offline PC and to refrain from Thunderbird doing the ordering for you. A "solution" might be to offer your communication partner two kinds of public keys: an "offline key" he should use if he has an "offline key", too, and an "online key" he should use if he also uses an "online key". Maybe this is not satisfactory but somehow fair and might encourage people to get offline PCs.

There's a lot more I have to say, but this has to wait now.

Best regards,
Jan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
