[talk] How I stopped worrying, and learned to love GPG

George Rosamond george at ceetonetechnology.com
Sat Feb 21 20:53:15 EST 2015



Isaac (.ike) Levy:
> On 02/21/15 20:33, Brian Callahan wrote:
>>
>> On 02/21/15 20:23, Isaac (.ike) Levy wrote:
>>> On 02/21/15 20:02, Brian Callahan wrote:
>>>> Hi Ike --
>>>>
>>>> For reasons I can't figure out, Thunderbird has totally mangled
>>>> your email so I'll reproduce the relevant parts here and reply.
>>> I couldn't post about GPG without signing it, and enigmal/thunderbird
>>> mangling it for you :)
>>>
>>>>> Who really trusts GPG these days?
>>>> I guess I do, by way of the fact that I keep myself running the
>>>> latest GPG-modern (2.1.2 as of now). I'll be excited when more make
>>>> it over to this side of the fence and I can start using my EC keys
>>>> for real.
>>> EC.  Rad.  The future.
>>>
>>>>> And, my last question- the *BSD world is filled with so many
>>>>> impacting cryptographers, and some of the most prolific
>>>>> security-minded programmers in the world.  Why are we all still
>>>>> OK with this gnu-pg stuff, and all this RMS-ware?
>>>> tedu@ has a "simple, semi-modern wannabe PGP clone" called reop. I
>>>> think it's in FreeBSD's ports tree. Code is here:
>>>> https://github.com/tedu/reop Post about it:
>>>> http://www.tedunangst.com/flak/post/reop With that said, I only
>>>> know about it. Not used it. Would be interested in hearing Ted's
>>>> thoughts on the current version of the code and future directions
>>>> (but no idea if he's on this list or reads it).
>>>>
>>>> ~Brian
>>> I'd be very interested in hearing about users practical experiences
>>> with 'reop'!
>>>
>>> Yet, this OpenBSD key,
>>> http://www.openbsd.org/advisories/pgpkey.txt
>>>
>>> Appears to be created using,
>>> http://www.pa.msu.edu/reference/pgp-readme-1st.html
>>> "PGP 2.6.3i is not an official PGP version. It is based on the source
>>> code for MIT PGP 2.6.2 (the latest official version of PGP) and has
>>> been modified for international use."
>>
>> That key was generated in 1997 :-)
>> The newest item in that directory dates from mid-2002. I don't think
>> that key is still in use.
> 
> Shall I use it to send a bug report and ask for it to be removed?
> 
> I'm not kidding :)

+1 Ike.  But revoking keys is one of those design issues never addressed
in the pgp ecosystem AFAIK

> 
>>
>> These days, we sign everything with our signify tool (also written by tedu@)
>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/signify.1
> 
> Pretty darned nifty, for what it's designed to do, I must say.

The one thing well principle lives.

And it will get mass adoption in the Linux systems once it incorporates
an ability to mount msdos slices and conduct its own random number
generation.

g



More information about the talk mailing list