[Security] About the Firefox 3 Security Dialog & others

Dirk Meyer dmeyer at tzi.de
Sat Aug 23 08:21:48 CDT 2008


Duane at e164 dot org wrote:
> Jonathan Schleifer wrote:
>
>> The problem with GPG is that this is geeks-only.
>
> It doesn't have to be, a decent interface has been lacking for a long time.
>
> I'm trying to put together a suitable framework within the keys
> themselves to be more useful, but that still leaves the end user
> interfaces lacking.
>
> http://www.ietf.org/internet-drafts/draft-groth-openpgp-attribute-extension-00.txt

There is a very important point in this document:
"Alice on the other hand is gullible. While you trust Alice, you don't
trust the verifications she makes."

Yes, that is something OpenPGP needs.

About your user interface: if you open an XMPP secure channel using
TLS-SRP (or maybe SAS) you know that you are talking to the right
person. So if that person presents you his gpg fingerprint, you know
it is right. So using TLS-SRP helps you populate your keyring. After
SRP/SAS you only need a small dialog asking how much you trust that
person and how much you trust their verifications.


Dirk

-- 
Wash: This is gonna get pretty interesting.
Mal: Define "interesting".
Wash: Oh God, oh God, we're all gonna die?
    - Serenity (2005)

