[SGVLUG] Keysigning
Sean O'Donnell
sean at seanodonnell.com
Mon Dec 2 21:18:38 PST 2013
On 12/02/2013 07:38 AM, John Kreznar wrote:
> There are multiple issues with Web of Trust.
>
> One thing one wants to be able to trust is that a correspondent won't
> divulge the content of a message outside the intended set. Can this be
> determined during a superficial encounter at a key signing party?
>
While I'm not entirely against the concept of the WoT, I must also agree
that a physical encounter with a random stranger who happens to share a
LUG mailing list isn't a guarantee that the person is trustworthy. That
is an entirely different matter, and probably way off-topic here, but I
find it somewhat relevant to the statement above.

Overall, I've given up the practice of using GnuPG-signed emails, and
have mostly abandoned the practice of email communications entirely,
outside of my internal work environment, and the occasional sgvlug
topics, of course. =P

Why have I given up?
1) After losing my last private key to a physical disaster (apartment
fire, no remote backup of my private key, lazy mick!, I know).
2) The only people I know who actually use PGP/GPG-signed emails are
those (few) of you on this list, from whom I receive zero encrypted
contents, anyhow.
3) The majority of people who I would otherwise communicate with
(outside of this and other mailing lists, or my workplace) are the herd
of smart phone users/drones who are essentially computer illiterate and
obviously (if they are using these devices for email) there is no
guarantee that any encrypted contents I'd send them would not be
circumvented once decrypted on their computing device.

There are so many problems with these stateless protocols
(HTTP/SMTP/POP3/IMAP) in terms of security and trust, as well as SSL
(RSA/DSS) algorithms vs. GPU crunching, amplified by mass adoption and
dependence upon such a frail infrastructure, with no true
source-verification capabilities, that I just assume everything (sans
logic) is transparent at this point.

Unfortunately, protocol revisions such as HTTP2.0 do not fully address
or resolve these issues. imo: There is no longer any concept of 'trust'
with the current 'web' infrastructure.
-Sean