Brutkey

Soatok Dreamseeker
@soatok@furry.engineer

It's really funny watching career programmers that have strong opinions about design patterns and the single responsibility principle defend PGP.

My dudes, it's the God Class of cryptographic fucking risk.


The Sleight Doctor
@ApostateEnglishman@mastodon.world

@soatok@furry.engineer I once spoke to senior NSA whistleblower Thomas Drake, who mentioned that PGP was very good. Given the source I took that as authoritative. The Ed Snowden docs also revealed that the NSA store PGP-encrypted content because they couldn't decrypt it...but that was an eon ago in tech years.

We all know it's about as user friendly as being repeatedly punched in the face, but what are the risks (assuming the endpoints are reasonably secure)?

Botch Frivarg
@deetwenty@todon.nl

@soatok@furry.engineer From an historical perspective PGP kinda makes sense: in the 80s and early 90s it wasn't considered something everybody would need, it was to be mostly used by people in the know, and the whole idea of cryptography was still in its infancy (so e.g. it was deemed possible to set up a web of trust). In short, "the 80s called and it wants its cryptographic design back".

SpaceLifeForm
@SpaceLifeForm@infosec.exchange

@soatok@furry.engineer

Do not use. Keysigning is a bottleneck.

It is possible to create public encryption keys, and public signing keys, and not require a meeting.

You can do this on the fediverse.

But, if you lose your private keys, you get to start over.

Orman
@orman@furry.engineer

@deetwenty@todon.nl @soatok@furry.engineer I think we could have another go at web of trust, now that everyone is carrying a camera that can also do the required crypto literally all the time. It might be useful even on social media if it had different levels - both "I know this person IRL" but also "I don't know the person behind the screen but I've seen they're not a spam bot"

Botch Frivarg
@deetwenty@todon.nl

@orman@furry.engineer @soatok@furry.engineer the problem with Web of Trust is that it is surprisingly hard to explain to non-technical people. Yes, you could provide QR codes which makes it easier, but you still need to explain the why, and it is still a barrier to entry. On top of that a web of trust becomes a lot less useful if not a majority of users participate. In theory web of trust is nice, in practice it comes with a lot of headaches. That said, at a small scale for smaller groups it might still be a useful concept, but it will never really scale up to work at large (read internet-wide) scales.

Soatok Dreamseeker
@soatok@furry.engineer

@deetwenty@todon.nl @orman@furry.engineer Also, a lot of trust relationships have a half-life, and building that consideration into the UX without just expiring the keys themselves is frustrating

Katja ｢Amethyst｣
@VulpineAmethyst@social.treehouse.systems

@soatok@furry.engineer @deetwenty@todon.nl @orman@furry.engineer

another major consideration is that webs of trust require you to trust everyone that a given person trusts; there's no consideration for "Alice trusts Bob and Gary; Bob trusts Charlie, Denise, and Ellen; Alice does not trust Charlie", and there isn't really a good way to handle that in software without leaking associations.

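As an added example (not from anyone in this thread): a small Python model of how a verifier's local trust policy can evaluate a web of trust so that Bob's certifications count only as far as Alice trusts Bob as an introducer, with an explicit refusal list for the "Alice does not trust Charlie" case and a half-life on certifications for the "trust relationships decay" point. All names, trust levels, ages and the decay rule are constructed for illustration and are not PGP's actual trust algorithm.

```python
from dataclasses import dataclass, field

# Constructed owner-trust levels: how much the local user trusts a key's owner
# to vouch for *other* keys. This is separate from whether the key is valid.
FULL, MARGINAL, UNKNOWN = 1.0, 0.5, 0.0
VALID_THRESHOLD = 1.0  # one FULL introducer, or two MARGINAL ones

@dataclass
class Key:
    sigs: dict = field(default_factory=dict)  # signer name -> certification age (days)

@dataclass
class Keyring:
    me: str
    keys: dict                       # key name -> Key
    owner_trust: dict                # key name -> FULL / MARGINAL / UNKNOWN
    blocked: set = field(default_factory=set)  # keys refused regardless of who vouches
    half_life_days: float = 365.0    # a certification loses half its weight per half-life

    def sig_weight(self, age_days: float) -> float:
        # Illustrative decay rule so that a trust relationship has a half-life.
        return 0.5 ** (age_days / self.half_life_days)

    def validity(self, target: str, depth: int = 3, _seen: frozenset = frozenset()) -> float:
        """Validity of `target` to `me`, computed only from the local keyring (nothing leaves it)."""
        if target == self.me:
            return 1.0
        if target in self.blocked or depth == 0 or target in _seen:
            return 0.0
        score = 0.0
        for signer, age in self.keys[target].sigs.items():
            trust = FULL if signer == self.me else self.owner_trust.get(signer, UNKNOWN)
            # A signer counts only if I trust them as an introducer AND their own key
            # is valid to me. Bob trusting Charlie never makes me trust Charlie.
            if trust > 0 and self.validity(signer, depth - 1, _seen | {target}) >= VALID_THRESHOLD:
                score += trust * self.sig_weight(age)
        return min(score, 1.0)

    def is_valid(self, target: str) -> bool:
        return self.validity(target) >= VALID_THRESHOLD

def build_example() -> Keyring:
    """Constructed scenario from the thread: Alice certified Bob and Gary; Bob certified
    Charlie, Denise and Ellen; Alice refuses Charlie. Ellen's certification is a year old."""
    keys = {
        "bob": Key({"alice": 0}), "gary": Key({"alice": 0}),
        "charlie": Key({"bob": 0}), "denise": Key({"bob": 0}), "ellen": Key({"bob": 365}),
    }
    return Keyring("alice", keys, {"bob": FULL, "gary": MARGINAL}, blocked={"charlie"})
```

With this keyring, Denise is valid to Alice through Bob, Charlie is not despite Bob's certification, and Ellen drops to 0.5 because Bob's certification of her has aged one half-life.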