[liberationtech] pgp and e-mail resources?
Seth David Schoen
schoen at eff.org
Thu Oct 28 12:09:08 PDT 2010
Don Marti writes:
> The OpenPGP design is great, except for two things.
>
> 1. Much of the difficulty is in the key management
> ritual, not the UI.

Some Debian people have been working on using QR codes with mobile
phones to do key exchange. Especially if this gets integrated with
desktop software, this is pretty awesome in terms of reducing the
overhead of the key exchange process, which is one part of key
management that has long antagonized prospective PGP users. Instead
of reading the hex fingerprint, you would scan someone's business
card with your cell phone. Your desktop software would ask you
something like "Hey, this says it came from Phil Zimmermann; is
that right?".

QR codes could potentially go a long way toward convenient use of
all kinds of public key applications in the future, including
things like credentials to administer devices (scan a barcode with
a phone camera to give your phone authority to perform a task!
maybe scan two barcodes one after another to do something like
Bluetooth pairing!).

Of course, this doesn't make the more general overhead and risk
of key management go away. Users still have to understand issues
about the integrity and confidentiality _of the bar codes_ (for
example, don't leave authorization bar codes lying around in
public places; don't trust an e-mail public key barcode that
someone sent you as an image in unauthenticated e-mail; ...).
This is to say that users still have to understand the nature of
the authority or capability that particular keys are affording
them, and what their corresponding responsibilities toward
those keys are under their (or other people's) threat models.
It's possible that these aspects of key management are ultimately
a bigger problem than the reading, typing, and comparing hex
strings part.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
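
Added example, not part of the original message or of the Debian work it mentions: a check that binds a key fetched over an untrusted channel to a fingerprint scanned from a QR code, and refuses a code that did not arrive over an authenticated channel. The `OPENPGP4FPR:` payload prefix, the `scanned_in_person` flag, the function names and the sample packet are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

QR_PREFIX = "OPENPGP4FPR:"  # assumed payload convention; the message names no format

# Constructed toy packet body (not a real key): version 4, creation time,
# algorithm 1 (RSA), then two tiny MPIs standing in for n and e.
SAMPLE_BODY = (bytes([4]) + struct.pack(">I", 1288292948) + bytes([1])
               + b"\x00\x10\xc3\x5b" + b"\x00\x11\x01\x00\x01")


def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    if not packet_body or packet_body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    if len(packet_body) > 0xFFFF:
        raise ValueError("packet body too long for a 2-byte length")
    framed = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(framed).hexdigest().upper()


def parse_qr_payload(payload: str) -> str:
    """Return the normalized 40-hex-digit fingerprint carried in scanned QR text."""
    text = payload.strip()
    if not text.upper().startswith(QR_PREFIX):
        raise ValueError("unexpected QR payload")
    fpr = text[len(QR_PREFIX):].replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("malformed fingerprint")
    return fpr


def accept_key(qr_payload: str, scanned_in_person: bool, fetched_body: bytes) -> bool:
    """Accept the fetched key only if the QR code is trustworthy and matches it."""
    if not scanned_in_person:
        # A barcode image from unauthenticated e-mail proves nothing about the key.
        return False
    expected = parse_qr_payload(qr_payload)
    actual = v4_fingerprint(fetched_body)
    return hmac.compare_digest(expected, actual)
```

The name shown to the user ("is that right?") still has to be confirmed by a person; this check only ties the fetched key material to the scanned fingerprint.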