Thread: PGP on Email

PGP on Email
2006-10-17 09:43:42

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Noel Lee wrote:
> So, are you using Thunderbird? Windows?

Well, let's see...

>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.5 (Darwin)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

That should tell you what you want to know.

> I also want to know your usage of PGP... are you using it a lot?
> Because my problem is, most of my friends and recipients don't know
> how to use PGP.

I use it, but mostly because I want to show the world a commitment to
privacy rights. I don't use it in any expectation that it matters very
much, except in a couple of limited ways.

I went to college with a guy named John Hawley, who's now an
administrator for kernel.org. John hosts a couple of systems himself,
me being one of them. I strongly recommend to everyone the mix of
competent system administrators and old college buddies; it's lovely.
Anyway. One of the things John has been quite diligent about is
opportunistic SMTP encryption.

What this means in a nutshell is that when two mailservers talk to each
other, they can negotiate and see if each other is capable of encrypting
the communication link. If they are, then they communicate securely.
Otherwise, they send data in the clear. That's what it means to have
"opportunistic" encryption; if the opportunity presents itself, they'll
do it.

As it turns out, opportunistic SMTP encryption happens an awful lot on
the internet. Setting up Postfix to do this requires you to add five
lines to a configuration file, that's all.

Further, I check my email through SSL-secured IMAP. So... I'm encrypted
when I pull my mail off the server. I'm encrypted when I send email to
the server. And my server is usually encrypted when it's sending email
to other systems.

OpenPGP was originally meant to protect data while in transit. But
doesn't it seem like we need OpenPGP as a link-level security mechanism
less and less nowadays, as SSL and opportunistic encryption become more
commonplace?

It's true that opportunistic encryption doesn't keep email safe as it
sits on a mail server. Your sysadmin could read it, and that's a
privacy issue that OpenPGP still solves. So OpenPGP is definitely not
dead as a protocol.

But... in the early 1990s, when nobody was talking about link-layer
security, PGP was a link-layer protocol. Nowadays link-layer security
is a solved problem, and PGP isn't part of that solution. PGP is used
instead to provide _storage_ security--e.g., when data is stored on a
hard drive, whether that hard drive is in your laptop or whether it's in
a RAID array in your mailserver.

I'm not convinced OpenPGP is a good storage security protocol.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEcBAEBCAAGBQJFNKXOAAoJELcA9IL+r4EJ9UgH/irbxr6otM7/MyR5XDsPi9Zf
/pWdKKOT1v6/XVu+EEp1MoJI1xmryyAbhq96J/B2TqjUJFP7VLe++zetsB9BRWo4
PB/8c6sYJONv8Aad/xsVfvKcNsO3xSuhotH1imQByDFGTsuS12jyBHX4oBPxDFxn
r52wTL7oBagzcw7NaUlfxVyZk5qlfYpFvy8hrSCo4J8urhnMjIVIDJ7coBjNgZcR
gf6PkC8dPzs2ypK3bcF6ZA0ZP5QE6M0ZIMeFCxb2HjxNXRxcpMyTCUWOqwDBtXc2
ebYmTu8LtO4RnAxLur/+fBCHTfWgm/dxTCzZzyK/XSvNNaM2kDLZteTt6yxAAuE=
=sZjf
-----END PGP SIGNATURE-----
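Robert's "my server is usually encrypted when it's sending email" is something a mail admin can measure rather than assume. With Postfix's opportunistic setting (smtp_tls_security_level = may, the parameter his "five lines" presumably revolve around; the message does not show them) Postfix silently falls back to plaintext whenever the remote side does not offer STARTTLS, and the only record of which happened is the log. The script below is an added example, not code from this thread or from the Postfix project: it audits constructed log lines in Postfix's syslog format and reports which deliveries went out without a TLS session. The "Untrusted/Trusted TLS connection established to ..." summary line is Postfix's own and only appears when smtp_tls_loglevel is at least 1; matching it to deliveries by smtp process id and relay name is a heuristic of my own choosing, and connection reuse can confuse it.

```python
"""Audit Postfix logs for outbound deliveries that went out in the clear.

With smtp_tls_security_level = may, Postfix logs a
'<Trust level> TLS connection established to relay[ip]:25: ...' line from the
smtp client process when the peer offered STARTTLS, and nothing TLS-related
when it fell back to plaintext.  The log lines below are constructed samples."""
import re
from collections import Counter

SAMPLE_LOG = """\
Oct 17 09:43:42 mail postfix/smtp[2231]: 7A1B2C3D4E: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 17 09:43:43 mail postfix/smtp[2231]: 7A1B2C3D4E: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 Ok: queued as 1234)
Oct 17 09:44:01 mail postfix/smtp[2240]: 5F6E7D8C9B: to=<bob@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct 17 09:45:10 mail postfix/smtp[2231]: 9C8B7A6F5E: Trusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Oct 17 09:45:11 mail postfix/smtp[2231]: 9C8B7A6F5E: to=<carol@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
Oct 17 09:46:00 mail postfix/smtp[2252]: 1D2E3F4A5B: to=<dave@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# TLS summary line written by the smtp client (smtp_tls_loglevel >= 1).
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?:\w+: )?"
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<relay>\S+?)\[")
# Successful delivery line for one recipient.
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[]+)\[.*status=sent")


def audit(log_text: str):
    """Return ([(queue_id, recipient, relay, tls_trust_or_None), ...], Counter).

    Heuristic: the most recent TLS line logged by the same smtp process for the
    same relay is taken to cover the delivery; a delivery with no such line is
    counted as cleartext.  Connection caching can make this over-optimistic."""
    tls_by_pid = {}          # pid -> (relay, trust level) of the last TLS line
    deliveries = []
    summary = Counter()
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_by_pid[m["pid"]] = (m["relay"], m["trust"])
            continue
        m = SENT_RE.search(line)
        if m:
            relay, trust = tls_by_pid.get(m["pid"], (None, None))
            label = trust if relay == m["relay"] else None
            deliveries.append((m["qid"], m["rcpt"], m["relay"], label))
            summary["encrypted" if label else "cleartext"] += 1
    return deliveries, summary


if __name__ == "__main__":
    rows, totals = audit(SAMPLE_LOG)
    for qid, rcpt, relay, label in rows:
        print(f"{qid} -> {rcpt:20} via {relay:16} {label or 'CLEARTEXT'}")
    print(dict(totals))
```

Running it on the sample reports two encrypted and two cleartext deliveries; the relays that never offered STARTTLS are the ones to worry about, because with "may" nothing stops a downgrade to plaintext. For the handful of peers where that is unacceptable Postfix lets you require TLS per destination (smtp_tls_policy_maps with the "encrypt" level), which turns the quiet fallback into a deferred delivery you will notice.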

PGP on Email
2006-10-17 14:53:17

Hi Robert,

I noticed that you are using RSA for your PGP; is it more secure than
DSA and Elgamal? I have been playing with my Thunderbird tonight with
Enigmail/PGP.

Btw, I am using SSL on IMAP and TLS on SMTP; I hope this is secure enough.

What OS are you using? I'm using Kubuntu 6.10.

Thanks.
On Tue, 2006-10-17 at 04:43 -0500, Robert J. Hansen wrote:

PGP on Email
2006-10-17 16:32:22

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Noel Lee wrote:
> I noticed that you are using RSA for your PGP; is it more secure than
> DSA and Elgamal?

For some definition of 'security', sure.

One of the things we talk about in the world of software engineering is
"failure analysis". Think about a bridge. If the bridge develops
problems, you're going to see small cracks form, or girders slightly
bend, or some other warning problem long, long before the problem
becomes catastrophic. That lets people know there's a problem and fix
things before they get terrible.

On the other hand, consider, say, Windows. When Windows has a failure,
you're usually looking at a Blue Screen of Death that happens without
warning, and you can't recover from it.

We say the bridge fails gracefully and that Windows fails hard.

DSA has a very hard failure mode that isn't present in RSA. This very
hard failure mode is _very unlikely_ to occur in practice, let me
emphasize. It's so unlikely that many knowledgeable people discard the
possibility altogether.

But I'm a professional software engineer, and I try to take my
discipline seriously. Because of that, I want to take the algorithm
that has fewer hard failure modes.

> What OS are you using? I'm using Kubuntu 6.10.

Darwin.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iQEcBAEBCgAGBQJFNQWWAAoJELcA9IL+r4EJTGEIANAUvYHJgp8yHei7U70awBNt
dHoKE16idsXoW45o+0l14jigvWNEx8ZwaUl8AlCfyRwnpJuzzSM0Cjwxh+;/gd2Bt
4k2GnLZ7/9/wZZd1fdtrRUyudXIaaCIxD+n/zU39wlL3fLBcWhnwW/ehKGTwAeLR
jp6QgtMDBeIZptF2+O2pbkUVEWsDUTIrC0Qq7OHo/GdYfiuPnSJyZ61uRRGdoIZ5
dulqzRQhCKBrsvgjS5IqnA8/PcRM5Nm8CsSt1r86gQHlR90hX4BrVeWgg2ruukOw
QnQt2G23snnyXkBhsSU5It7cam9OBZ/AEfudOWpL0CnBldXhRbZIdT9QYKXfKUs=
=d39D
-----END PGP SIGNATURE-----
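Robert does not say which DSA failure mode he means. The one usually cited, and the one assumed here, is DSA's dependence on a fresh, secret nonce k for every signature: if the same k is ever used for two different messages, the two signatures alone give away the private key through a few modular operations, whereas RSA signing has no per-signature secret to get wrong. That is the "fails hard" property in code form: no warning crack, just total key loss. The example below is added by me and is not from the thread; it is a toy DSA over constructed parameters (p = 2027, q = 1013, far too small for real use), shows the key recovery that a reused nonce permits, and then shows the standard mitigation of deriving k deterministically from the key and message, which is the idea RFC 6979 standardised (the derivation here is a simplified stand-in, not the RFC's exact procedure).

```python
"""Toy DSA to show why a reused nonce k is a catastrophic (hard) failure, and
the mitigation: deterministic nonces derived from the key and message.
Constructed parameters, far too small for real use; the nonce derivation is a
simplified sketch of the RFC 6979 idea, not the RFC's procedure."""
import hashlib
import hmac
import secrets

# Constructed domain parameters: q divides p-1, g has order q modulo p.
P, Q = 2027, 1013
G = pow(2, (P - 1) // Q, P)
assert G != 1 and pow(G, Q, P) == 1


def h(msg: bytes) -> int:
    """Hash the message and reduce into Z_q (stands in for DSA's truncated hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, k: int):
    """Plain DSA signing with a caller-supplied nonce k (the dangerous part)."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h(msg) + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, retry with another k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_private_key(msg1, sig1, msg2, sig2) -> int:
    """Two signatures sharing r were made with the same k.  Then
    s1 - s2 = k^-1 (h1 - h2) mod q, so k and then x fall out directly."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("signatures do not share a nonce")
    k = ((h(msg1) - h(msg2)) * pow(s1 - s2, -1, Q)) % Q
    return ((s1 * k - h(msg1)) * pow(r1, -1, Q)) % Q


def demo_nonce_reuse(x: int, msg1: bytes, msg2: bytes) -> int:
    """Sign two different messages with one k (the bug) and return the private
    key that anyone holding both signatures can compute."""
    if h(msg1) == h(msg2):
        raise ValueError("pick messages with distinct hashes mod q")
    for k in range(2, Q):          # any k that yields two valid signatures
        try:
            sig1, sig2 = sign(x, msg1, k), sign(x, msg2, k)
        except ValueError:
            continue
        return recover_private_key(msg1, sig1, msg2, sig2)
    raise RuntimeError("no usable nonce found")


def deterministic_nonce(x: int, msg: bytes, counter: int) -> int:
    """k = HMAC(x, msg || counter) mod (q-1) + 1: different messages get
    different k with overwhelming probability, and re-signing the same message
    reproduces the same k, so nothing leaks.  Simplified RFC 6979 idea."""
    mac = hmac.new(x.to_bytes(2, "big"), msg + bytes([counter]), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1


def sign_deterministic(x: int, msg: bytes):
    """Safe signing: no randomness at signing time, hence no reused-nonce failure."""
    for counter in range(256):
        try:
            return sign(x, msg, deterministic_nonce(x, msg, counter))
        except ValueError:
            continue
    raise RuntimeError("could not derive a usable nonce")


if __name__ == "__main__":
    x, y = keygen()
    sig = sign_deterministic(x, b"pay alice 10")
    print("deterministic signature verifies:", verify(y, b"pay alice 10", sig))
    print("key recovered from one reused nonce:",
          demo_nonce_reuse(x, b"pay alice 10", b"pay bob 20") == x)
```

The point for a defender is the asymmetry Robert describes: a bad RSA implementation tends to produce signatures that simply fail to verify, while a DSA implementation whose nonce source repeats even once hands over the key and keeps verifying perfectly, so the failure is invisible. Deterministic nonces remove the randomness requirement from the signing path entirely, which is why modern libraries default to them.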