> Don't write "I will encrypt this message"[1] in every mail hoping that the
> recipient deduces that you want to do secret stuff, and leaving them to deduce
> from the absence of that message that you want to do the regular stuff. Hoping
> that other people will infer meaning from things that are totally not
> apparent, /that/ is error-prone.

There also seems to be something else at work here: an allergy to rigor. GnuPG is most often used in a slipshod, half-thought-through manner. People don't articulate a security model, much less establish a plan to mitigate those threats, much less negotiate a policy with their correspondents to mitigate threats held in common.

Sometime watch the movie _Crimson Tide_. It's a good action film and the central premise revolves around a message that violates policy.

A nuclear ballistic missile submarine is given a legitimate order to launch missiles at a Russian city. While preparing to launch, the submarine receives a second message telling them to abort the launch -- but due to forces beyond their control that message is received only as a fragment.

The captain refers to the policy: "Any message that does not fully conform to the policy must be completely disregarded." The captain insists on launching, since the last policy-conformant message was a launch order. The executive officer insists, "We received an abort signal; at the very least we need to delay the launch until we can confirm it." The executive officer insists on deviating from policy.

I cannot think of the last time I saw a Hollywood blockbuster that was built around what is, at its heart, a very technical question about how high-security communications operate. It's worth viewing.

The short version is -- if you don't have a policy established, you're not going to be using GnuPG to provide its fullest amount of communications security. That policy also needs to tell people how to handle messages that don't conform to policy.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users