Abstract: In a post-Snowden society, protecting your private company and personal information is more important than ever. But rather than blindly jumping into encryption, we'll take a look at how (and why) tools like PGP/gpg were created, their purpose, and what their purpose is NOT. We'll also address some of the issues that come up with the so-called Web of Trust.
Tags: Crypto, Trust
Self-presentation: why encrypting is an issue / Anti-surveillance policies in the US / iddsc / Snowden as a catalyst / crypto party & crypto wars of the 90s
History of cryptography
What is the problem?
Definition: what does it mean to trust a key? What does trust mean?
RFC - (looking up RFC 4880 "OpenPGP message format) Signature types
Loose definition, probably left open by standard writers intentionally
Search results on the MIT-tool for a key ("oxd255...")
I created a trust tool:
Example "pgpring –S -k keystore" output
- Possible to have multiple identities with the sub field
OpenPGP Message Format principle -- I made it easier and converted it to a text file, matches up all the elements, whether it's public key or something else. It is defragmented for the user.
What email providers have "secure" users?
What news organisations have "secure" users?
What "intel" agencies have "secure" users?
How do universities use PGP?
Frequencies: Seem to be rather trial than actual use.
Who has signed the most keys?
Keybase.io: if you are a new user and use a key by default it stores the private key and compromised your security.
Participant: So they have a copy of a private key?
It's perline party, targeted, binary / I understand why you are upset with them, it's a struggle, they have a noble mission to make it easier.
I agree, it's not only me, having your private keys stored anywhere else is compromising of your security. E.g. a PGP encryption, there's principle of mathematics - key instructed is that you have 2 public keys who share the 3rd prime
Interesting talk about key factoring that was referenced in the talk: http://crypto.2012.rump.cr.yp.to/87d4905b6d2fbc6ad2389debb73f7035.pdf(NSFW title)
Participant: What I've never understood is having a store of keys
-: the trust store, the key store is completely useless. My tool is not online right now.
(Explanation of the key)
Also means you can do a neighbour kind thing, Meta data, and have interesting connections with that.
Participant: I disagree, those are 2 different kinds of trust paradigms. One is public, you can change it. Trusting keys is establishing some initial relationship.
Answer: PGP issue: if you show up, have trusted key -- the data is still there, internet never forgets them.
Participant: But that is impossible to solve.
Answer: PGP is a fantastic tool for encrypting, but bad for privacy and anonymity.
Participant: Based on names, it is completely unreliable.
Participant: What's frustrating is that the government requires us for getting rent from them, but many researchers are from other countries, and many other countries have different requirements for names. One thing that makes trust hard on internet lies in us being human beings, we're organic stuff, we meet and see each other, and you can't do that online.
Answer: I don't agree, when we're chatting, we are establishing and have established relationships. Example: how Anonymous changed in the chat room and how other in the chat room realized his change in behaviour.
Participant: And in the trust-PGP-context it doesn't mean to trust a person, it means trusting a key!
Participant: If I enter "Edward Snowden has this key" (...)
Participant: What do you think about your knowledge in public key store, people actually communicating with each other there?
Answer: In the key store you can
1. Connect to each other, sign the key randomly
2. Time stamp for when a key was signed is difficult issue (state now, state 10 years ago)
And PGP was created in the early 90s..
Participant: the data we get to another zone is very small
Answer: The issue is not so much signing keys, but posting them publicly.
Participant: I think that one of the biggest trust contributions PGP made was that for the first time a reliable crypto reached mass market.