Two GCC stories

Posted Jul 2, 2010 8:17 UTC (Fri) by tialaramex (subscriber, #21167)
In reply to: Two GCC stories by fsateler
Parent article: Two GCC stories

It's dismissive to say "the problem is between the chair and computer" when a human fails to do an exact bit-for-bit comparison between two public keys, meaningless strings of thousands of bits.

PGP humanises public key cryptography by associating keys with identities. Someone who refuses to take advantage of that (like yourself) is asking for trouble precisely because humans aren't very good at such bit-for-bit comparisons.

What did you want this "trusted but unidentified" behaviour for anyway?


Two GCC stories

Posted Jul 2, 2010 16:23 UTC (Fri) by fsateler (subscriber, #65497) [Link] (1 responses)

That was precisely my point, that GPG does not help in this situation.

And I want that behaviour for online collaboration. It is not always possible to build a GPG trust path to someone, but you can work enough with people to decide you trust them.

trust and identity

Posted Jul 3, 2010 20:32 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

You trust them? How do you trust them? You apparently don't believe you know any way of identifying them, not even by a pseudonym or a drop box email address. And you have no realistic way to distinguish one of these people you supposedly trust from any of the others.

Let me suggest that, in fact, you do associate these trusted keys with identities. You can sign this association, and that creates a cryptographically trustworthy mechanism for PGP to tell you "Abraham sent this" or "Bethany sent this" when it processes a future message signed with those keys - and that at last sounds like something you might be able to make use of in "online collaboration".

PGP is not a cloud application. The fact that you, on your PC, decided that this particular key belongs to "Abraham" is not automatically a fact shared with the whole world or even with "Abraham". You are not obliged, technically or ethically, to publish it, or tell anybody else. Similarly you are not required or expected to trust that whatever "Abraham" tells people (including by publishing signed keys) is true. You need never tell "Abraham" that you've assigned it this name, and if you prefer you can use outlandish or ridiculous names, "Mr Run-on-sentence" or "Flopdeedoodle".

Identity and trust are separate issues BUT for humans it isn't practical to hang trust on raw thousand-bit key values, so you must do SOMETHING about the identity issue first. That's all PGP/GPG asks you to do.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds