[jdev] Re: JEP-0027 (OpenPGP) implementation question
stpeter at jabber.org
Mon Mar 6 22:37:53 CST 2006
> Peter Saint-Andre wrote:
>> Now, neither OpenPGP nor S/MIME enables you to repudiate what you said,
>> and if people find that important then they would need to do
>> JEP-0116 (or something very much like it, such as Gaim's OTR plugin).
>> So in part the differences here come down to requirements and
> Requirements are exactly it. The two camps will never agree on which
> style of cryptography to use, because:
> In the pro-OTR camp, everyone thinks that cryptography should be used in
> order to obfuscate what you said and remove traces that it was you who
> said it. So OTR will appeal in use cases where you want some kind of
> (OTOH, Normal Person + Internet + Anonymity = Total Jackhole)
> Then you have the pro-OpenPGP camp, people think that cryptography
> should be used in order to be able to prove who said something,
> _especially_ at a later point in time. This is useful particularly in
> business, when someone wants to archive conversations for later auditing.
This seems accurate to me. Personally, I have realized that I am more
interested in identity than anonymity:
Which is why the OpenPGP / X.509 approach has become more appealing to
me than the OTR approach.
But I also understand that something like OTR is valuable in certain
contexts. E.g., if I were a dissident in a repressive society, I sure as
hell would prefer OTR to OpenPGP/X.509. But I'm not a dissident in a
repressive society, I'm an individual in what I hope can remain an open
society, so I tend to prefer OpenPGP/X.509 these days. FWIW. :-)
> X.509 certificates are certainly too hard to obtain for most users,
> mainly because they're worth practically nothing without the signature
> from the CA (CAcert is of course available for no cost, but it still
> takes time: time users can't be bothered to spend.)
Well, some people get X.509 certs as part of their organizational
identity, so for them certs are easy to obtain.
> With OpenPGP, creating the keys is easy, if not trivial. Getting them
> signed (and hence trusted) takes the time.
> I guess you can blame a lot of that on the lack of a "simple" GUI for
> signing keys (by "simple", I refer not to KDE or GNOME simplicity, but
> MacOS simplicity.)
> I often wonder if an instant messaging client might one day provide that
> simple interface...
> User: [initiates chat to a contact who has signed their presence]
> IM Client: "Are you absolutely sure this person is the one you wish
> to talk to? [Yes/No/Ask me again later]"
> User: Yes
> IM Client: [signs the key with a relatively low, but good-enough
> trust value.]
> Add a nice indicator next to your contacts who have untrusted keys, and
> you have yourself an OpenPGP GUI which is almost as useful as the more
> advanced alternatives. It's not with "The Spirit" of OpenPGP where you
> go and meet people in person, but it's certainly more realistic for the
> ordinary user.
The buddy list as the center of your trust universe? I like it.
Jabber Software Foundation