[OT] CLI for noobies: The keys to GnuPG

Clinton MacDonald yellowdog-general@lists.terrasoftsolutions.com
Thu Jul 1 07:59:01 2004


Albrecht:

(I feel a rant coming on -- feel free to move on to the next message if 
you feel this is off topic.)

Albrecht Dreß wrote:
> On 30.06.04 13:50, Clinton MacDonald wrote:
>> While only a few of us have any real need for strong encryption, 
>> [...]
> 
> This is correct if you think only of mega-confidential stuff in 
> companies. But the privacy of private communication -phone calls, 
> letters, and, yes!, e-mails- is protected by law in most countries.

You are right, of course! I was oversimplifying in my earlier e-mail. We 
can all use strong encryption in our daily lives, and most of us do -- 
every time we log into a secure Web site to make a transaction, we are 
using strong -- and seamless -- encryption. Most users of the Internet 
are probably unaware of the complex electronic negotiations that go on 
during those transactions.

And if Web browsers can do strong encryption without making the user 
know about keychains and 256-bit encryption algorithms, why can't 
e-mail? There are plenty of reasons a law-abiding citizen would want to 
encrypt e-mail -- sending financial information to companies, for 
instance. Businesses should probably *require* encryption on sensitive 
e-mails... but they don't, because it is too hard. Finally, digital 
signing of documents can be useful to us all for creating electronic 
"paper trails."

I remember setting up GPG for Apple's Mail.app on my Mac OS X box, once. 
I wanted the ability to authenticate my e-mails with a digital 
signature. The process took about 1-1/2 to 2 hours, and I had to visit 
three or four sites to gather all the instructions and pieces. Even 
then, the installation required several trips to the command line and 
registration with a third party for every single individual in my 
address book. Having set up encryption, I played with it for a day or 
two then abandoned it. Every time I sent an e-mail, the encryption 
plug-in threw up a dialog box asking whether I really wanted to send the 
e-mail, whether I really wanted to sign it, and whether I remembered my 
rather long passphrase. I turned it off.

Four things need to happen before encryption/signing for e-mail becomes 
universal:

[1] one standard encryption scheme must be agreed to by the appropriate 
governing bodies (such as has happened with secure Web transactions)

[2] a third party must be entrusted with keys for escrow (apparently, 
this is a major stumbling block for businesses)

[3] all the "major" e-mail clients (for some definition of "major") must 
adopt the standard more or less at the same time

[4] the implementation would have to be as seamless as that in every Web 
browser, where we need not even know we are interacting with a secure 
site unless we look at the little padlock icon -- no command line!

Unfortunately, by "major" e-mail client ([3]), we are probably talking 
about Microsoft Outlook here (although Apple's Mail.app could be a dark 
horse in this race). More unfortunately, if Outlook were the first 
client to take the leap, the "trusted" third party ([2]) would probably 
be Microsoft -- whom very few people actually trust (they failed with 
their Hailstorm initiative for this very reason).

The Mozilla folks might be able to do this, either in Mozilla or in 
Thunderbird, their break-out e-mail client. They already have security 
built into the browser component. Apple could add encryption to Mail.app 
and "test drive" it with the Macintosh user base (as they did with the 
iTunes Music Store). However, I don't imagine that enough Apple 
customers have requested encryption to make a business case for this. Sigh.

ITConversations had an interview with Philip Zimmermann, the "father" of 
PGP encryption technology:

<http://www.itconversations.com/shows/detail116.html>

In the interview, Zimmermann admitted that he rarely uses encryption or 
digital signing anymore -- it is not widely enough adopted, and it adds 
an additional step to sending every e-mail. Sigh.

> So, encrypting your mail is also a demonstration that you know your 
> rights, and that you are willing to defend them. Even if the contents 
> are just a "Hello" to your mom. Just my € 0.01...

For me to send an encrypted "Hello" to my Mom would be a major breakthrough!

Thanks for listening to my rant, folks!

Best wishes,
Clint

-- 
Dr. Clinton C. MacDonald | <mailto:clint DOT macdonald AT sbcglobal DOT net>