[talk] How I stopped worrying, and learned to love GPG

Isaac (.ike) Levy ike at blackskyresearch.net
Sat Feb 21 19:47:23 EST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

So I'm sure many of us have seen bits and pieces of the recent
monetary shot in the arm the GPG project has received,

http://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke

> Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared,
> Werner Koch informed us that last week he was awarded a one-time
> grant of $60,000 from Linux Foundation's Core Infrastructure
> Initiative. Werner told us he only received permission to disclose
> it after our article published. Meanwhile, since our story was
> posted, donations flooded Werner's website donation page and he
> reached his funding goal of $137,000. In addition, Facebook and the
> online payment processor Stripe each pledged to donate $50,000 a
> year to Koch’s project.

http://arstechnica.com/security/2015/02/once-starving-gnupg-crypto-project-gets-a-windfall-but-can-it-be-saved/

https://www.schneier.com/blog/archives/2015/02/gpg_financial_d.html

- --
To me, this whole thing begs some very serious and important questions:

- - Who really trusts GPG these days?
As the article states, it's written by one guy.  Werner's work is
obviously a classic- I don't want to rip on his implementation, nor do
I want to dive into tinfoil hat bits- but it's really serious when one
human being is the sole contributor to a tool with such relative
security/crypto importance.

- - Are there any viable PGP spec implementations in the world that are
under more active development?  (There are literally dozens of really
great starts- and half-implementations, I'm looking for something that
is outright on-par with gpg, but with more active development and
review of the codebase.)

- --
And, my last question- the *BSD world is filled with so many impacting
cryptographers, and some of the most prolific security-minded
programmers in the world.  Why are we all still OK with this gnu-pg
stuff, and all this RMS-ware?

Best,
.ike



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----

