Mailing List Archive

On future of GnuPG
On 2021-01-05 Stefan Claas via Gnupg-users - gnupg-users@gnupg.org wrote:
> ... but why are then SKS key servers
> still in operation, which allows third parties to look up who signed
> whose key and with what trust level and GnuPG's WoT support, compared
> to sq and Hagrid?

The landscape has changed dramatically from the times when the
original PGP fundamentals were introduced. Today, for any secure
personal communication system to be of practical use, it must
be designed from the ground up observing the following simple
principle: *anonymity is the necessary condition of privacy*.



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On future of GnuPG
> The landscape has changed dramatically from the times when the
> original PGP fundamentals were introduced. Today, for any secure
> personal communication system to be of practical use, it must
> be designed from the ground up observing the following simple
> principle: *anonymity is the necessary condition of privacy*.

This borders on ridiculous.

One of the problems we have in privacy discussions is there is no
single agreed-upon definition of privacy. Privacy is defined by
culture, and unless we share a culture we're very unlikely to share a
privacy definition.

In the United States, the prevailing culture cares a lot more about
government's ability to learn things about me without a warrant than it
does about the ability of corporations or businesses. And we also
believe that government limiting our ability to speak infringes on our
privacy: "why the hell is the government getting in my business if all
I'm doing is sharing true things with my buddy?" Whereas in Europe,
right-to-be-forgotten laws, enforced by the government, are seen as
wins for privacy, in America they would be (a) blatantly unlawful and
(b) considered massive invasions of our privacy by the government.

In Europe it's a lot different. There, the prevailing culture cares a
lot more about limiting the ability of businesses to learn things about
a person than with limiting the ability of governments. The national
security exemption in the GDPR is big enough to drive a truck through:
it is so all-encompassing that I, as an American, look at the GDPR and
think it's a nightmare for privacy rights.

And, you know, *this is okay*. Privacy is culturally defined. Enjoy
your culture, accept or reject its definition of privacy as you like.
Just don't think that your culture's definition is somehow the only
one, or universally agreed-upon, or...

If there is no agreed-upon universal definition of privacy (and there
isn't), then any attempt to make sweeping statements like "anonymity is
a necessary condition of privacy" is just a bunch of freshman
Philosophy 101 crap that's entirely disconnected from the real world.
Re: On future of GnuPG
On Tue, Jan 5, 2021 at 9:05 PM <markus.rosco@neverbox.com> wrote:
>
> On 2021-01-05 Stefan Claas via Gnupg-users - gnupg-users@gnupg.org wrote:
> > ... but why are then SKS key servers
> > still in operation, which allows third parties to look up who signed
> > whose key and with what trust level and GnuPG's WoT support, compared
> > to sq and Hagrid?
>
> The landscape has changed dramatically from the times when the
> original PGP fundamentals were introduced. Today, for any secure
> personal communication system to be of practical use, it must
> be designed from the ground up observing the following simple
> principle: *anonymity is the necessary condition of privacy*.

That the landscape has changed dramatically everyone will
(hopefully) agree and your phrase is perfectly fine, but I do not
consider GnuPG or OpenPGP apps as tools giving users anonymity.

What you say would fit more for a cross-platform OpenSource app
like Bitmessage, compared to PGP's or GnuPG's privacy philosophy.

Regards
Stefan

Re: On future of GnuPG
On Wed, Jan 6, 2021 at 12:09 AM Stefan Claas
<spam.trap.mailing.lists@gmail.com> wrote:

> What you say would fit more for a cross-platform OpenSource app
> like Bitmessage, compared to PGP's or GnuPG's privacy philosophy.

Regarding Bitmessage and OpenPGP. There was an announcement
made last year about a Bitmessage OpenPGP chan, where people
can discuss all things around OpenPGP anonymously and globally.

I am a bit out of the loop regarding Bitmessage but here is the
address for interested parties:

OpenPGP
BM-2cU9MZTNKThqH9nDPycVaPGAduisN6Nnm1

Regards
Stefan

Re: On future of GnuPG
12021/00/04 08:01.47, markus.rosco@neverbox.com:
>
> On 2021-01-05 Stefan Claas via Gnupg-users - gnupg-users@gnupg.org wrote:
> > ... but why are then SKS key servers
> > still in operation, which allows third parties to look up who signed
> > whose key and with what trust level and GnuPG's WoT support, compared
> > to sq and Hagrid?
>
> The landscape has changed dramatically from the times when the
> original PGP fundamentals were introduced. Today, for any secure
> personal communication system to be of practical use, it must
> be designed from the ground up observing the following simple
> principle: *anonymity is the necessary condition of privacy*.

That depends heavily on your threat model, though. For many people, the goal isn't to keep their identity safe from the people they're talking with. Rather, the goal is to keep the contents of their messages safe from _everyone else_ (including CIA, NSA, shitty governments, etc).

In many ways, security and anonymity are at odds, since if I can't easily verify that <x> is the person they claim to be, I have no way of knowing if I'm telling them stuff they shouldn't know. While there are ways to ensure confidentiality and integrity of the *communication channel* while preserving anonymity, there isn't really a way of ensuring the integrity of the *conversation* while preserving anonymity. Pretty much any way of properly resolving this dilemma requires de-anonymizing both participants, and then we're right back where we started.

If, instead, we acknowledge that most use cases require integrity of the communication channel *and* the conversation, then we can use common identifiers (like phone numbers) or (mostly) verifiable identities (like GPG keys hosted on WKD) to ensure the integrity of the conversation (I say mostly verifiable because there's always a chance the domain is compromised and the keys are replaced). Once anonymity isn't really as much of a concern, we get things like Signal, which is decidedly *not* anonymous (with the exception of using VOIP numbers to sign up) but is most assuredly private (they don't know what you're saying and neither does anyone else, apart from the people you're messaging).

Regards,

Chiraag
--
Pronouns: he/him/his
Re: On future of GnuPG
On 05-01-2021 23:07, Robert J. Hansen via Gnupg-users wrote:

As always, it probably depends on who you have the most to fear from:
your government, corporations, or maybe someone else?

> In Europe it's a lot different. There, the prevailing culture cares a
> lot more about limiting the ability of businesses to learn things about
> a person than with limiting the ability of governments.

That is changing. Now that governments are outsourcing censorship to
corporations in their struggle against unwelcome news (these days they
call that often "fake news" or "Russian propaganda" and voices are
getting stronger to censor unwelcome messages directly, recently
enhanced by protests against the covid measures), protection against the
government is getting more important in Europe as well. But that is not
yet much reflected in actual policies being made, mainly because those
policies are made by the very people we need protection against.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: On future of GnuPG
On Tue, 5 Jan 2021 17:07, Robert J. Hansen said:

> I'm doing is sharing true things with my buddy?" Whereas in Europe,
> right-to-be-forgotten laws, enforced by the government, are seen as
> wins for privacy, in America they would be (a) blatantly unlawful and

I don't think that the right not to be listed prominently in search
results is related to privacy. This ruling is more similar to rules
that you are not required to wear a badge that you spent some time in
jail or need to state this in your CV.

> In Europe it's a lot different. There, the prevailing culture cares a
> lot more about limiting the ability of businesses to learn things about
> a person than with limiting the ability of governments. The national

Like all over the world governments work on terminating all rules which
limit their power. It seems to be a never-ending task to counter that.

Speaking of Germany: There are a lot of barriers between administrative
entities to share data - there is not even a central database of all
citizens. There is no shared access between the databases of the police
and the spooks. The spooks tried to tell us that it is okay to
eavesdrop as long as no German citizen is part of the communication but
courts declared such a workaround as illegal. But yes, all these laws
and rulings wind up faster and faster :-(


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: On future of GnuPG
>This ruling is more similar to rules that you are not required to wear
>a badge that you spent some time in jail or need to state this in your CV.

It is a ruling that gives more power to the government, whatever the
"declared goal" actually is. The actual usage of this rule is to hide
blatant evidence of corruption of government officials from public
sources.


Werner Koch via Gnupg-users <gnupg-users@gnupg.org> writes:

> On Tue, 5 Jan 2021 17:07, Robert J. Hansen said:
>
>> I'm doing is sharing true things with my buddy?" Whereas in Europe,
>> right-to-be-forgotten laws, enforced by the government, are seen as
>> wins for privacy, in America they would be (a) blatantly unlawful and
>
> I don't think that the right not to be listed prominently in search
> results is related to privacy. This ruling is more similar to rules
> that you are not required to wear a badge that you spent some time in
> jail or need to state this in your CV.
>
>> In Europe it's a lot different. There, the prevailing culture cares a
>> lot more about limiting the ability of businesses to learn things about
>> a person than with limiting the ability of governments. The national
>
> Like all over the world governments work on terminating all rules which
> limit their power. It seems to be a never-ending task to counter that.
>
> Speaking of Germany: There are a lot of barriers between administrative
> entities to share data - there is not even a central database of all
> citizens. There is no shared access between the databases of the police
> and the spooks. The spooks tried to tell us that it is okay to
> eavesdrop as long as no German citizen is part of the communication but
> courts declared such a workaround as illegal. But yes, all these laws
> and rulings wind up faster and faster :-(
>
>
> Shalom-Salam,
>
> Werner


--
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)
