Just like last year, I managed to be invited to the Privacy Enhancing Technologies Conference to talk about GNOME. First, Simone Fischer-Huebner from Karlstad University talked about her projects which are on the edge of security, cryptography, and usability, which I find a fascinating area to be in. She presented outcomes of her Prismacloud project which also involves fancy youtube videos…

I got to talk about how I believe GNOME is in a good position to make a safe and secure operating system. I presented some case studies and reported on the challenges that I see. For example, Simone mentioned in her talk that certain users don’t trust a software if it is too simple. Security stuff must be hard, right?! So how do you measure the success of your security solution? Obviously you can test with users, but certain things are just very hard to get users for. For example, testing GNOME Keysign requires a user not only with a set up MUA but also with a configured GnuPG. The discussions were fruitful and I got sent a few references that might be useful in determining a way forward.

I also attended the OpenPGP Email Summit in Brussels a few weeks ago. It’s been a tiny event graciously hosted by a local company. Others have written reports, too, which are highly interesting to read. It’s been an intense weekend with lots of chatting, thinking, and discussing. The sessions were organised in a bar-camp style manner. That is, someone proposed what to discuss and the interested parties then came together. My interest was in visual security indication, as triggered by this story. Unfortunately, I was lured away by another interesting session about keyserver and GDPR compliance which ran in parallel.

For the plenary session, Holger Krekel reported on the current state of Delta.Chat. If you haven’t tried it yet, give it a go. It’s trying to provide an instant messaging interface with an email transport. I’ve used this for a while now and my experience is mixed. I still get the occasional email I cannot decrypt, and interop with my other MUA listening on the very same mailbox is hit and miss. Sometimes, the other MUA snatches the email before Delta.chat sees it, I think. Oh, and of course, it implements Autocrypt, so your clients automatically encrypt the messages.

Continuing the previous talk, Azul went on to talk about countermitm, an attempt to overcome Autocrypt 1.0‘s weaknesses. Because without the vision of how to go from Autocrypt Level 1 to Level 2, you may very well question its usefulness. As of now, Emails are encrypted along their way (well, assuming MTA-STS) and if you care about not storing plain text messages in your mailbox, you could encrypt them already now. Defending against active attackers is hard, so having some sort of a plan is great. Anyway, countermitm defines “verified groups” which involves a protocol to be run via Email. I think I’ve mentioned earlier that I still think that it’s a bit sad that we don’t have the necessary interfaces to run protocols over Email. Outlook, I think, can do simple stuff like voting for one of many options or retracting an email. I would want my key exchange to be automated further, i.e. when GNOME Keysign sends the encrypted signature, I would want the recipient to decrypt it and send it back.

Phil Zimmermann, the father of PGP, mentioned a few issues he sees with the spec, although he also said that it’s been a while since he was deeply into this matter. He wanted the spec to be more modern and more aggressively pushing for today’s cryptography rather than for the crypto of the past. And in fact, he wants the crypto of tomorrow. He said that we know that big agencies are storing messages today for later analysis. And we currently have no good way of having what people call “perfect forward secrecy”, so a future key compromise makes the messages of today readable. He wants post quantum crypto to defeat the prying eyes. I wonder whether anybody has implemented pq-schemes for GnuPG, or any other OpenPGP implementation, yet.

My takeaways are: The keyserver network needs a replacement. Currently, it is used for initial key discovery, key updates, and revocations. I think we can solve some of these problems better if we separate them. For example, revocations are pretty much a fire and forget thing whereas other key updates are not necessarily interesting in twenty years from now. Many approaches for making initial key discovery work have been proposed. Eventually one of these approaches wins the race. If not, we can still resort back to a (plain) list of Email addresses and their key ids. That’s as good or bad as the current situation.