Re: pgp signing in van

Phillip Hallam-Baker <hallam@gmail.com> Fri, 06 September 2013 02:27 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FC4711E821A for <ietf@ietfa.amsl.com>; Thu, 5 Sep 2013 19:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a31pLgpL8amB for <ietf@ietfa.amsl.com>; Thu, 5 Sep 2013 19:27:20 -0700 (PDT)
Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id 6658C11E8218 for <ietf@ietf.org>; Thu, 5 Sep 2013 19:27:19 -0700 (PDT)
Received: by mail-la0-f50.google.com with SMTP id es20so2326068lab.9 for <ietf@ietf.org>; Thu, 05 Sep 2013 19:27:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=9KZ/tym7U/xVsAa126zLZumW9LoAC28Oks6Lw9++IfY=; b=vhXVlnWIzMbm9iUONokT3sPzAyK57XVRTxyAb4xS8TRLGKsXfhha1a4fL/7WGNvE/9 /svybfq3efL6APSfK8Rl0G72IfuGXimAbZK6PttEXpDE46pclkw3AKwBzdebraUeF4rv SERExVdnjsHn45AmzyM/a29KjsRJ7K8rqLAbemu7etPWWIZSm1q0OwphVBTfpUCcA8+P 7D6HwjPOMIobQxHemf8y9rIC3wItmhBlngxHQZhZrFsmPOPsHZm+wge2++gbv+p64VQD W5wsmr8MpJEJ/gF3VUZwskmYGpzf/ZS1vOiifElcFOX/4wbwrsxpkf4i/SEAGVu6nqLg H/sA==
MIME-Version: 1.0
X-Received: by 10.112.143.3 with SMTP id sa3mr850252lbb.12.1378434432716; Thu, 05 Sep 2013 19:27:12 -0700 (PDT)
Received: by 10.112.148.165 with HTTP; Thu, 5 Sep 2013 19:27:12 -0700 (PDT)
In-Reply-To: <m2zjrq22wp.wl%randy@psg.com>
References: <m2zjrq22wp.wl%randy@psg.com>
Date: Thu, 05 Sep 2013 22:27:12 -0400
Message-ID: <CAMm+Lwiu0QvAF-jH+iiq44Mku77gD1QdAWiqPRe95d0moKXCfw@mail.gmail.com>
Subject: Re: pgp signing in van
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Randy Bush <randy@psg.com>
Content-Type: multipart/alternative; boundary="089e011827aeb556a504e5adc6a5"
Cc: IETF Disgust <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2013 02:27:21 -0000

On Thu, Sep 5, 2013 at 8:45 PM, Randy Bush <randy@psg.com> wrote:

> so, it might be a good idea to hold a pgp signing party in van.  but
> there are interesting issues in doing so.  we have done lots of parties
> so have the social protocols and n00b cheat sheets.  but that is the
> trivial tip of the iceberg.
>
>   o is pgp compromised?  just because it is not listed in [0] is not
>     very strong assurance in these dark days.
>
>   o what are the hashes of audited software, and who did the audits?
>
>   o what are the recommended algs/digest/keylen parameters?
>
>   o do we really need eliptical, or is that a poison pill?
>
>   o your questions go here ...
>


I think our problems now go a lot further. The NSA is allegedly spending
$250 million a year infiltrating vendors and standards bodies. They have
also been pretty aggressive in hiring IETF folk for various consulting
contracts.

The big risk I see here is that there is a lot of finger pointing and every
bad decision that was made in the past that delayed the deployment of
strong crypto is now considered prima facie evidence of being a mole.

Not being a US citizen I see no reason to allow the NSA a backdoor in
anything I do. But looking at the carelessness and incompetence with which
they have guarded their own secrets I would not be anxious to allow them
access to mine even if I was a US citizen.


Seriously, this type of activity is an attack on the trust that is
necessary for collaboration. I doubt that the people who design and deploy
these programs had the slightest understanding of or concern for the costs
or consequences of their actions.

-- 
Website: http://hallambaker.com/