[talk] How I stopped worrying, and learned to love GPG

[Isaac (.ike) Levy]

On 02/21/15 20:53, George Rosamond wrote:
> 
> 
> Isaac (.ike) Levy:
>> On 02/21/15 20:33, Brian Callahan wrote:
>>>
>>> On 02/21/15 20:23, Isaac (.ike) Levy wrote:
>>>> On 02/21/15 20:02, Brian Callahan wrote:
>>>>> Hi Ike --
>>>>>
>>>>> For reasons I can't figure out, Thunderbird has totally mangled
>>>>> your email so I'll reproduce the relevant parts here and reply.
>>>> I couldn't post about GPG without signing it, and enigmal/thunderbird
>>>> mangling it for you :)
>>>>
>>>>>> Who really trusts GPG these days?
>>>>> I guess I do, by way of the fact that I keep myself running the
>>>>> latest GPG-modern (2.1.2 as of now). I'll be excited when more make
>>>>> it over to this side of the fence and I can start using my EC keys
>>>>> for real.
>>>> EC.  Rad.  The future.
>>>>
>>>>>> And, my last question- the *BSD world is filled with so many
>>>>>> impacting cryptographers, and some of the most prolific
>>>>>> security-minded programmers in the world.  Why are we all still
>>>>>> OK with this gnu-pg stuff, and all this RMS-ware?
>>>>> tedu@ has a "simple, semi-modern wannabe PGP clone" called reop. I
>>>>> think it's in FreeBSD's ports tree. Code is here:
>>>>> https://github.com/tedu/reop Post about it:
>>>>> http://www.tedunangst.com/flak/post/reop With that said, I only
>>>>> know about it. Not used it. Would be interested in hearing Ted's
>>>>> thoughts on the current version of the code and future directions
>>>>> (but no idea if he's on this list or reads it).
>>>>>
>>>>> ~Brian
>>>> I'd be very interested in hearing about users practical experiences
>>>> with 'reop'!
>>>>
>>>> Yet, this OpenBSD key,
>>>> http://www.openbsd.org/advisories/pgpkey.txt
>>>>
>>>> Appears to be created using,
>>>> http://www.pa.msu.edu/reference/pgp-readme-1st.html
>>>> "PGP 2.6.3i is not an official PGP version. It is based on the source
>>>> code for MIT PGP 2.6.2 (the latest official version of PGP) and has
>>>> been modified for international use."
>>>
>>> That key was generated in 1997 :-)
>>> The newest item in that directory dates from mid-2002. I don't think
>>> that key is still in use.
>>
>> Shall I use it to send a bug report and ask for it to be removed?
>>
>> I'm not kidding :)
> 
> +1 Ike.  But revoking keys is one of those design issues never addressed
> in the pgp ecosystem AFAIK

Sure, but if it's no longer used, they could take down the link and the
key on the site :)

Best,
.ike


> 
>>
>>>
>>> These days, we sign everything with our signify tool (also written by tedu@)
>>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/signify.1
>>
>> Pretty darned nifty, for what it's designed to do, I must say.
> 
> The one thing well principle lives.
> 
> And it will get mass adoption in the Linux systems once it incorporates
> an ability to mount msdos slices and conduct its own random number
> generation.
> 
> g