[ale] Keysigning get-together?

Michael H. Warfield mhw at WittsEnd.com
Sat Oct 22 17:29:06 EDT 2011


On Fri, 2011-10-21 at 20:38 -0400, Jim Lynch wrote: 
> On 10/21/2011 02:06 PM, Michael Trausch wrote:
> >
> > I would like to know if anyone has any interest in doing a PGP 
> > keysigning get-together.  My motivation is, of course, that I need 
> > signatures on my key. :)
> >
> > Would anyone else be interested?
> >
> >
> I hate to be the dissenting member but why?  I don't understand what
> information we interchange amongst us that needs such security.

Do you put mail in envelopes?  Why not just put it on postcards?  Why?
You don't care if anybody reads your mail, right?  You'd put your credit
card on a postcard and drop it into a mailbox.  Right?  Nobody else can
read it but the mailman and he can be trusted.  Right?  I don't think
so.

> If we 
> were collaborating on some top secret project then sure, but I haven't 
> seen any topic that merits this level of security.

That's the red herring that has haunted us and impeded progress since
the early days of PGP.  It's a false statement and it's a false
question.  The real question is "why wouldn't we?"  The question "why
would we" is a lie and backwards.  We don't need "a reason to" any more
than we need a reason to put a letter in an envelope and seal it so
nobody else could read it before mailing it.  It's our business and we
don't need a reason.

> I thought we were a bunch of individuals that were interested in Linux 
> and wanted to share our experiences, or were looking for assistance with 
> respect to Linux not extremist radicals wanting to take over the world.

And that last bit was utter nonsense.  Do you use secure web sites
(https)?  You do?  You RADICAL!  What are you trying to do?  Take over
the world?  You're using encryption!?!?  What are you trying to hide?

Linux is all about freedom and so is PGP (which is as old as Linux).  We
had a long LONG struggle getting cryptography into the Linux kernels
thanks to the US crypto restrictions.  Well, we finally won and it was a
hard fought battle for people like us that constantly fought against
those regulations and restrictions.  No difference.  Part and parcel.
Linux is about freedom.  PGP is about freedom.  PGP was originally
released as open source a very long time ago, same year Linus released
Linux, and epitomizes the very principles of OpenSource we cherish
in Linux.  Asking why do we do this is as much as asking "why do we use
Linux".  I would ask in return "why shouldn't we?  We're free to and
it's an exercise of our freedom to."

Fact is, there are many people who use cryptography routinely just to
conduct ordinary affairs and to protect themselves and we do it
routinely.

In some cases, I'm now required by government regulations to employ
cryptography, for very good reasons.  Criminals are in the news
constantly having compromised computers and drives and phones that
should have been encrypted and thousands of people are put at risk
because they were.  Latest Android (Ice Cream Sandwich) is going to have
encryption available and LUKS encryption is available on earlier
versions if you root your device and install Cyanogen Mod.

PGP is not just about encryption and confidentiality (though it is
cryptography) it's also about authentication and validation.  You can
still read my E-Mails.  Yet, did you notice all my E-Mails are signed?
They are signed with GPG and can authenticate that they came from me.
Do you understand that those signatures have force of law and can be
introduced into court and can be used in transacting government
business?  This was passed into law here in Georgia years ago.

I don't give a flying flip if anyone validates that only I could have
sent this particular message, but they can.  I used to get asked by noobs
why I signed everything.  Yet, it should be obvious (it is to
experienced people).  By signing everything, you develop a baseline
"preponderance of evidence" that this is your key.  You also establish
this more formally by having others sign your keys and extending the web
of trust.

The web of trust is the opposite end of a continuum of authentication
with "certificate providers" (CAs, SSL Certificates, aka big bucks $$$)
at the other end.  Yeah, they've been a great success at authentication
and verification with multiple fake certificates out there including
fake code signing certs for MS and the whole Diginotar debacle.  The web
of trust is to PGP / GPG what certifying authorities are to SSL.  It's
just that we are our own certifying authorities and a keysigning party
is exactly the exercise of that certification authority we all possess.

> I have no reason to communicate with anyone on this list any information 
> that I wouldn't want someone else to view.  Is everyone as paranoid as 
> Aaron?

I've heard this since the early days of PGP.  Stale, worn out, replayed
nonsense typically quoted by people with vested interests in you NOT
preserving your privacy and arguing you have no right to privacy.  You
don't have to be paranoid but they are out there and they are out to get
you.  They don't WANT you to be able to protect yourself.  "Oh, if we
only protect and save even one little child from child pornographers
then we should prohibit encryption like PGP" (actually said to Phil
Zimmerman and me at a show while he and I were chatting years ago here
in Atlanta).  These people really exist.  THEY'RE the paranoids.  They
don't want us doing this because they don't trust what WE'RE doing.  You
think WE'RE paranoid?  You have not experienced the paranoia of the
lunatic fringe.

It has also been said that one major problem with current encryption
practices is in the element of "traffic analysis".  If you encrypt
something, that automagically implies you are hiding something and, as
such, worth breaking into.  So your act of protecting something makes
it more vulnerable.  You can't deny the attacks are out there.  So you
can protect what is vulnerable by encryption (putting in envelopes away
from prying eyes) EVERYTHING so, therefore, nothing stands out
different, valuable or innocuous.  If everything is encrypted, how do
you decide what to try to decrypt?  Even the simplest of encryptions is
effective if EVERYTHING is encrypted because then you would have to
decrypt everything just to determine what was interesting enough to go
to the trouble, and there's not enough computing horsepower in the
universe in that circumstance.

> Not that I don't want it to happen, but what's the point?  I'm not Aaron.

I think I've listed more than enough points above.  But...  I'm not
Aaron and I've been a strong enthusiast for PGP since the very early
days when even the US government was openly persecuting Phil Zimmerman
for years for his creation of PGP.  The point is to ensure THAT level of
paranoia (on the part of governments, law enforcement, and enforcers of
the status quo, religious right, lunatic fringe paranoids, and
criminals) can never return again.  The point is to preserve and protect
our freedoms, some of which have been won with more difficulty than
others.  After 9/11 there was serious talk about returning to a time
where cryptography was regulated and restricted and we managed to quash
that noise.  I've lived through those times and lived under those
regulations and I have stood nose to nose with a couple of the lunatic
fringe paranoids who would deny us those freedoms.

I believe my identity and my privacy and my security is in my hands to
maintain, whenever and wherever I choose to exercise it.  And that IS
the point and that is why I participate in these things and promote
them.

> Jim.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20111022/d3c75f3d/attachment.bin 
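As an added example (not part of Mike's mail, and not GnuPG's own code), a small Python model of the web-of-trust rule he describes: keys you have signed and trust vouch for others, and a keysigning party adds the certifications that turn a stranger's key into a valid one. The key names, the keyring and GnuPG's default thresholds (one full or three marginal signers, at most five levels deep) are the assumptions.

```python
"""Constructed model of the PGP/GnuPG web of trust (teaching example, not
GnuPG code). GnuPG defaults: a key is valid when signed by one fully trusted
or three marginally trusted signers whose own keys are already valid."""

UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


def compute_validity(signatures, owner_trust):
    """signatures: {key_id: {signer_key_id, ...}} certifications on each key.
    owner_trust: {key_id: level}, how far you trust an owner to vouch for others.
    Returns {key_id: bool}: whether each key counts as valid in your keyring."""
    keys = set(signatures) | {s for ss in signatures.values() for s in ss}
    keys |= set(owner_trust)
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}  # your own key
    for _depth in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key in keys - valid:
            # Only certifications from signers whose own key is valid count.
            counting = [s for s in signatures.get(key, ()) if s in valid]
            full = sum(owner_trust.get(s) in (FULL, ULTIMATE) for s in counting)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in counting)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break  # nothing else can become valid
        valid |= newly_valid
    return {k: k in valid for k in sorted(keys)}


# Constructed keyring. 'me' owns it; alice, bob and dave had their fingerprints
# checked in person, so I signed their keys and gave them marginal owner-trust.
# carol and erin I have never met, so they get no owner-trust at all.
OWNER_TRUST = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL, "dave": MARGINAL}

BEFORE_PARTY = {
    "alice": {"me"}, "bob": {"me"}, "dave": {"me"},
    "carol": {"alice", "bob"},  # two marginal signers: one short of three
    "erin": {"carol"},          # signed only by a key that is not itself valid
}

# At the keysigning party dave checks carol's fingerprint and signs her key,
# and alice, bob and dave all check and sign erin's.
AFTER_PARTY = {
    "alice": {"me"}, "bob": {"me"}, "dave": {"me"},
    "carol": {"alice", "bob", "dave"},
    "erin": {"carol", "alice", "bob", "dave"},
}

if __name__ == "__main__":
    for label, graph in (("before", BEFORE_PARTY), ("after", AFTER_PARTY)):
        print(label, compute_validity(graph, OWNER_TRUST))
```

Note that erin's key stays invalid before the party even though carol signed it: a certification from a key you cannot validate carries no weight, which is exactly why in-person fingerprint checks matter.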