
Re: pgp signing in van

2013-09-05 21:27:38
On Thu, Sep 5, 2013 at 8:45 PM, Randy Bush <randy(_at_)psg(_dot_)com> wrote:

> so, it might be a good idea to hold a pgp signing party in van.  but
> there are interesting issues in doing so.  we have done lots of parties
> so have the social protocols and n00b cheat sheets.  but that is the
> trivial tip of the iceberg.
>
>   o is pgp compromised?  just because it is not listed in [0] is not
>     very strong assurance in these dark days.
>
>   o what are the hashes of audited software, and who did the audits?
>
>   o what are the recommended algs/digest/keylen parameters?
>
>   o do we really need elliptical, or is that a poison pill?
>
>   o your questions go here ...



I think our problems now go a lot further. The NSA is allegedly spending
$250 million a year infiltrating vendors and standards bodies. They have
also been pretty aggressive in hiring IETF folk for various consulting
contracts.

The big risk I see here is that there is a lot of finger pointing and every
bad decision that was made in the past that delayed the deployment of
strong crypto is now considered prima facie evidence of being a mole.

Not being a US citizen I see no reason to allow the NSA a backdoor in
anything I do. But looking at the carelessness and incompetence with which
they have guarded their own secrets I would not be anxious to allow them
access to mine even if I were a US citizen.


Seriously, this type of activity is an attack on the trust that is
necessary for collaboration. I doubt that the people who design and deploy
these programs had the slightest understanding of or concern for the costs
or consequences of their actions.

-- 
Website: http://hallambaker.com/
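The concrete checks behind Randy's list (what fingerprint a key really has, which algorithm and key length it uses) are what a signing-party participant ends up verifying by hand. The following is an added example written for this page; it is not code from the thread or from any PGP implementation. It parses a single version 4 OpenPGP public-key packet as framed in RFC 4880, computes the fingerprint (SHA-1 over 0x99, the two-octet body length and the body), reports the algorithm and key size, compares a fingerprint read off a cheat sheet with the computed one, and flags key sizes under a minimum. The MIN_BITS thresholds are this example's own policy choice, and the sample packets are constructed from integers of the right bit length that are not real RSA keys.

```python
"""Inspect an OpenPGP v4 public-key packet: algorithm, key size, fingerprint, key ID."""
import hashlib
import struct

# Public-key algorithm IDs from RFC 4880 section 9.1 (18 and 19 from RFC 6637).
ALGO_NAMES = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
              16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA"}

# Smallest key sizes this example accepts.  These thresholds are the example's
# own policy choice, not a recommendation made anywhere in the thread.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "Elgamal": 2048}


def read_mpi(body, pos):
    """Read one MPI (RFC 4880 section 3.2): 2-octet bit count, then the big-endian value."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return bits, int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes

def split_packet(packet):
    """Return (tag, body) for one packet in old- or new-format framing (RFC 4880 section 4.2)."""
    ctb = packet[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    if ctb & 0x40:                                  # new-format header
        tag, first = ctb & 0x3F, packet[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + packet[2] + 192, 3
        elif first == 255:
            length, start = struct.unpack(">I", packet[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not valid for key packets")
    else:                                           # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not valid for key packets")
        size = (1, 2, 4)[ltype]
        length, start = int.from_bytes(packet[1:1 + size], "big"), 1 + size
    return tag, packet[start:start + length]

def inspect_public_key(packet):
    """Parse a public-key (tag 6) or public-subkey (tag 14) packet into its identifying facts."""
    tag, body = split_packet(packet)
    if tag not in (6, 14):
        raise ValueError("packet tag %d is not a public key or subkey" % tag)
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here (got version %d)" % body[0])
    created, algo, pos = struct.unpack(">I", body[1:5])[0], body[5], 6
    extra = {}
    if algo in (1, 2, 3):                           # RSA: n, e; key size is the size of n
        bits, _, pos = read_mpi(body, pos)
        _, extra["e"], pos = read_mpi(body, pos)
    elif algo in (16, 17):                          # Elgamal: p, g, y    DSA: p, q, g, y
        bits, _, pos = read_mpi(body, pos)
        for _ in range(3 if algo == 17 else 2):
            _, _, pos = read_mpi(body, pos)
    elif algo in (18, 19):                          # ECDH/ECDSA: OID length, OID, point MPI
        oid_len = body[pos]
        extra["curve_oid"] = body[pos + 1:pos + 1 + oid_len].hex()
        bits, _, pos = read_mpi(body, pos + 1 + oid_len)
    else:
        raise ValueError("unsupported public-key algorithm %d" % algo)
    # v4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, 2-octet body length, body.
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"algorithm": ALGO_NAMES.get(algo, "unknown(%d)" % algo), "bits": bits,
            "created": created, "fingerprint": digest, "key_id": digest[-16:], **extra}

def verify_fingerprint(packet, claimed):
    """Compare a fingerprint as read off a signing-party sheet (any spacing/case) with the computed one."""
    return inspect_public_key(packet)["fingerprint"] == "".join(claimed.split()).upper()

def weak_parameters(info):
    """List complaints about the key under this example's MIN_BITS policy (empty list means it passes)."""
    base = info["algorithm"].split(" ")[0]
    minimum = MIN_BITS.get(base)
    if minimum is not None and info["bits"] < minimum:
        return ["%s key of %d bits is below %d" % (base, info["bits"], minimum)]
    return []

def mpi(value):
    """Encode an integer as an OpenPGP MPI."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def build_rsa_public_key_packet(n, e, created):
    """Build an old-format tag-6 packet; 0x99 is old format, tag 6, 2-octet length."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

# Constructed sample input: these moduli are NOT real RSA keys, only integers with the
# right bit length, so the resulting fingerprints identify nobody.  Timestamp is arbitrary.
SAMPLE_KEY = build_rsa_public_key_packet((1 << 2047) | 0x10001, 65537, 1378414800)
WEAK_KEY = build_rsa_public_key_packet((1 << 1023) | 0x10001, 65537, 1378414800)

if __name__ == "__main__":
    for pkt in (SAMPLE_KEY, WEAK_KEY):
        info = inspect_public_key(pkt)
        print(info["algorithm"], info["bits"], info["fingerprint"], weak_parameters(info) or "ok")
```

Run against a real key by exporting it with `gpg --export KEYID` and feeding the first packet to `inspect_public_key`; the fingerprint must match what `gpg --fingerprint` prints, which is the point of doing the computation independently rather than trusting the one tool whose integrity the thread is questioning. The example deliberately does not attempt to answer the first two items on the list (whether the software is compromised, and who audited it); no parser can.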