[messaging] OpenPGP Trust is broken Was: On Signed-Only Mails
Vincent Breitmoser
look at my.amazin.horse
Thu Dec 8 05:47:55 PST 2016
> 1) Assertions that impersonation makes the signatures worthless
This got a little mixed up with trust model discussions. My original
point was quite specifically that for general day-to-day communication,
signatures aren't useful, at least in their present form. I would at
this point phrase it less strongly, and say that the tradeoff they offer
in what they do, versus the complexity they introduce, isn't worth it.
I still stand by that point.
> A bank that is hacked and customer bank details are disclosed is in trouble
> but a bank that is hacked and has money stolen is in worse trouble and a
> bank who loses its account data and cannot recover it from backups is a
> ex-bank.
>
> All documents should be signed but only confidential documents need to be
> or should be encrypted.
From the perspective of enterprise users, this makes a lot of sense. But
I'm not building enterprise software, and I don't know about the
requirements they have: I'm working on a consumer-oriented
implementation, for secure e-mail. I would really like to send
confidential mail to my tax advisor. And from that point of view,
signed-only mail adds an order of magnitude in UI and ecosystem
complexity, quite possibly a sufficient amount that my tax advisor (or
their other customers, affecting me indirectly) doesn't want to bother
with pgp at all.
Compliance-oriented enterprise applications are a valid use case. Secure
communication to counter mass surveillance is a valid use case. Trying
to fulfill the requirements of those in the same software and on equal
footing sounds like a bad idea.
- V