On 10/9/2019 Tony Lane <codeg...@gmail.com> wrote:

> On 10/8/19 9:21 AM, Jeff Allen via Gnupg-users wrote:
>> Sure it's a solution. I have accounts at both. Most of my email is not
>> encrypted because, as the original poster pointed out, most people I
>> communicate with are not particularly interested in privacy. When a
>> private discussion _is_ required, I suggest that we have it on one of
>> those platforms.
>
> That seems terribly inefficient. Do you intend to maintain accounts on
> each of these platforms and take all of the risks of each into account?
> You must have a lot more trust than I do, but I digress. I think his whole
> point is "We should use e-mail as an insecure transport protocol and do
> secure end-to-end encryption on an agnostic encryption module such as GPG".

Of course we should. I'm happy to do that when the person with whom I want to communicate privately is willing to do the same. Most aren't, and I am unwilling to let the perfect be the enemy of the good.

> And it makes sense to do things this way if you want to be secure.
> And before you point me to how PM stores your private keys (I've read it),
> remember that all of that salting and hash/password storage is done using
> business logic they developed, which means anytime there's an update,
> hidden or announced, you are running a risk of a backdoor being introduced.
> Can you even audit that code?

Personally, I am not capable of auditing code, including that of GnuPG. It is unrealistic to think most users, even most power users, have the time and ability to audit the code of their security software.

My threat model is not overly demanding. Mainly I want to avoid getting targeted pharma ads or being denied insurance if I discuss a medical issue in an email. I'd prefer that Google not be able to surmise my income sources and net worth based on information I share with family members. Were I worried about being targeted by NSA, law enforcement or a civil court order, I'd be a lot more demanding of my correspondents and myself.

I have used PGP since at least version 2.6.x. I can do OpenPGP via Thunderbird/Enigmail, mutt, GPGShell, Geany, Kleopatra or the command line and don't find any of them to be particularly daunting. What I haven't been able to do is convince many people to do the same.

Jeff
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users