[jdev] Re: JEP-0027 (OpenPGP) implementation question

Peter Saint-Andre stpeter at jabber.org
Mon Mar 6 22:37:53 CST 2006

Trejkaz wrote:
> Peter Saint-Andre wrote:
>> Now, neither OpenPGP nor S/MIME enable you to repudiate what you said,
>> and if people find that important then they would need to do
>> JEP-0116 (or something very much like it, such as Gaim's OTR plugin).
>> So in part the differences here come down to requirements and
>> philosophy.
>
> Requirements are exactly it.  The two camps will never agree on which
> style of cryptography to use, because:
>
> In the pro-OTR camp, everyone thinks that cryptography should be used in
> order to obfuscate what you said and remove traces that it was you who
> said it.  So OTR will appeal in use cases where you want some kind of
> pseudo-anonymity.
>
> (OTOH, Normal Person + Internet + Anonymity = Total Jackhole)
>
> Then you have the pro-OpenPGP camp, people think that cryptography
> should be used in order to be able to prove who said something,
> _especially_ at a later point in time.  This is useful particularly in
> business, when someone wants to archive conversations for later auditing.

This seems accurate to me. Personally, I have realized that I am more
interested in identity than anonymity:


Which is why the OpenPGP / X.509 approach has become more appealing to
me than the OTR approach.

But I also understand that something like OTR is valuable in certain
contexts. E.g., if I were a dissident in a repressive society, I sure as
hell would prefer OTR to OpenPGP/X.509. But I'm not a dissident in a
repressive society, I'm an individual in what I hope can remain an open
society, so I tend to prefer OpenPGP/X.509 these days. FWIW. :-)

> X.509 certificates are certainly too hard to obtain for most users,
> mainly because they're worth practically nothing without the signature
> from the CA (CAcert is of course available for no cost, but it still
> takes time: time users can't be bothered to spend.)

Well, some people get X.509 certs as part of their organizational
identity, so for them certs are easy to obtain.

> With OpenPGP, creating the keys is easy, if not trivial.  Getting them
> signed (and hence trusted) takes the time.
>
> I guess you can blame a lot of that on the lack of a "simple" GUI for
> signing keys (by "simple", I refer not to KDE or GNOME simplicity, but
> MacOS simplicity.)
>
> I often wonder if an instant messaging client might one day provide that
> simple interface...
>
>    User: [initiates chat to a contact who has signed their presence]
>    IM Client: "Are you absolutely sure this person is the one you wish
>                to talk to? [Yes/No/Ask me again later]"
>    User: Yes
>    IM Client: [signs the key with a relatively low, but good-enough
>                trust value.]
>
> Add a nice indicator next to your contacts who have untrusted keys, and
> you have yourself an OpenPGP GUI which is almost as useful as the more
> advanced alternatives.  It's not with "The Spirit" of OpenPGP where you
> go and meet people in person, but it's certainly more realistic for the
> ordinary user.

The buddy list as the center of your trust universe? I like it.


--
Peter Saint-Andre
Jabber Software Foundation
