I never recommend a solution without knowing a fair amount about the specific challenge it is supposed to address. I typically start with an understanding of the general environment, the financial and/or human issues, the threat profile, the protection environment, the other dependencies and protection factors, and other factors related to the reasons for protection. Once I have this understanding, I make value judgements about how much I trust things relative to the requirement for trust and other limitations presented by the situation.
OK. IMHO, that's a perfectly valid position. Under what circumstances do you consider PGP to be a suitable tool? Do you think there is a better tool under similar circumstances?
That's a tough one. I generally follow the Supreme Court's view of not handling hypotheticals, but I will give you some ideas about my view. I think that PGP is almost always suitable for casual conversation that is to be kept from casual snooping. Without specifically recommending its use in any particular situation, I generally think that it is suitable for select applications where:

- The threat profile does not include well-funded professional cryptanalysts, police agencies, governments, serious financial rivals, criminals, or other high-grade threats.
- The implications of corruption, non-delivery, repudiation, or traffic analysis are not extremely important.
- The implications of leakage aren't financially or otherwise catastrophic.
- No lives are at stake.
- My reputation doesn't depend on it.

I think that PGP is an excellent tool in many ways; however, I have numerous difficulties with the lack of an adequate interface to it in other packages. I am not really keen on its keyring concepts and other similar things, but that's not a real issue in this frame of reference. I have serious concerns about the fact that use of this system does not prohibit people who are not knowledgeable about the limitations of public key cryptography from using it in ways that may result in the revelation or weakening of private keys or other similar potential problems. For that reason, I would not advise the use of PGP for any non-casual application outside of the context of a comprehensive information protection program designed to provide assurance of its proper generation, configuration, installation, application, and use. There are almost certainly other concerns that I would express in an evaluation for any particular purpose.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236