Re: [Cryptography] Avoiding PGP
- From: Jason Cooper <cryptography AT lakedaemon.net>
- Subject: Re: [Cryptography] Avoiding PGP
- Date: Thu, 15 Mar 2018 19:51:19 +0000
- Cc: "cryptography AT metzdowd.com" <cryptography AT metzdowd.com>
- List-archive: <http://www.metzdowd.com/pipermail/cryptography/>
- Sender: "cryptography" <cryptography-bounces+ben=bentasker.co.uk AT metzdowd.com>
- To: Carlos Alas <carlosalas7 AT protonmail.com>
On Wed, Mar 14, 2018 at 01:56:38PM -0400, Carlos Alas via cryptography wrote:
> I have been reading advice on not to use PGP, some very well founded
> (the third one below by Filippo Valsorda deserves attention), I am
> including the top 3 results from google on the query: "PGP not worh
> My question is: Is there any substitute or equivalent? And I am aware
> that many people advise to use Signal, however I am wondering about an
> e-mail specific alternative.
Well, having worked at several companies that have required all internal
email communication to be encrypted, there are really only two
options (in the commercial / business sector). PGP/GPG, and S/MIME.

I've used both systems for at least a year each. PGP suffers from two
problems. Symantec (Intel) deviated from the PGP specification, and
their apps generally suck unless you mindlessly sit at a desk using
Windows as IT configured it for you. Even then it falls over
frequently. The deviation from the spec has resulted in a staring
contest between PGP Universal and GPG implementers. PGP doesn't care,
and GPG folks refuse to add compatibility shims to make it "just work".

And even if the impasse weren't there, users have to think *way* too
much. So the second bullet is that the cognitive burden is simply too
high. Personally, I only use GPG to sign an occasional email, or to
sign a git tag for a pull request.

S/MIME, however, works dang near everywhere. If you politely ignore the
fact that IT hands you your .p12 and the password for it. This includes
the private key. Ergo, most deployments implement key escrow. You
don't *have* to, users could create keys on-device, and submit CSRs
(remember, internal email only, corporate devices, add private CA).

The problem with S/MIME, though, is that no one outside of business
uses it. But for business it works fairly well.

In either case, remember to keep your old keys when you rotate to new
ones. Otherwise you won't be able to read old archived messages.

But yeah, seriously, you're looking at a tremendous maintenance and
admin burden for either one. Just use Signal. :-)
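
The non-escrow S/MIME enrolment mentioned in the message (key generated on the device, only a CSR sent to a private CA) and the advice to keep old keys after rotation, sketched with the openssl command line. This is an added example, not part of the original message; the names (alice@corp.example, "Example Internal CA"), the file layout and the availability of an `openssl` binary are assumptions.

```shell
# Added example. All names (corp.example, "Example Internal CA") are constructed.
set -eu

# IT side: private CA for internal mail, created once.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# User side: key pair is generated on the device; only the CSR leaves it.
make_csr() {  # $1 = work dir, $2 = key generation label (-nodes: demo only)
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Alice/emailAddress=alice@corp.example" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# IT side: issue an e-mail certificate from the CSR. The private key is not an input.
sign_csr() {
    printf '%s\n' 'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=emailProtection' \
        'subjectAltName=email:alice@corp.example' > "$1/ext.cnf"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/ext.cnf" -out "$1/$2.crt" 2>/dev/null
}

# Sender side: encrypt a constructed message to the certificate labelled $2.
encrypt_to() {
    printf 'archived message\n' |
        openssl smime -encrypt -binary -aes256 -out "$1/$2.p7m" "$1/$2.crt"
}

# Recipient side: decrypt message $2 with key generation $3.
decrypt_with() {
    openssl smime -decrypt -binary -in "$1/$2.p7m" \
        -recip "$1/$3.crt" -inkey "$1/$3.key" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    make_csr "$d" old; sign_csr "$d" old     # first enrolment
    encrypt_to "$d" old                      # mail received before rotation
    make_csr "$d" new; sign_csr "$d" new     # rotation: new key, new certificate
    decrypt_with "$d" old old                # the retained old key reads the archive
    decrypt_with "$d" old new || echo "new key cannot read old mail"
    rm -rf "$d"
}
demo
```

The CA functions only ever read the `.csr` file, so nothing in this flow gives IT a copy of the private key, unlike a handed-out `.p12`.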