On Thu, Jun 5, 2014 at 10:37 AM, Black Fox <fox@vbfox.net> wrote:
> On Thu, Jun 5, 2014 at 4:48 AM, Alfie John <alfiej@fastmail.fm> wrote:
> >
> > On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto@laposte.net wrote:
> > > That's why there is no foocking way to trust proprietary software.
> > > Companies are forced to act like criminals on behalf of the government.
> > > There is no loyalty, respect, ethics, honesty or even business which the
> > > US government won't try to trample upon.
> >
> > Someone's already submitted a bug report:
> >
> >   https://code.google.com/p/end-to-end/issues/detail?id=9
>
> Cute, but the threat model of the submitter seems unclear to me. In
> what way is it different here from gpg binaries provided by a Linux
> distribution package?
>
> If even only one person has access to the packaging keys and is of
> American nationality, he can receive a National Security Letter and
> would have to comply (rubber hose is obviously working too if they
> want to risk it). Using quantum insert they don't even need to change
> the packages for everyone, only you.
>
> Updates for any software executing with access to your private data
> are dangerous.
>
> I don't see why this subject is present in the issue tracker of an
> extension... it's a much more general issue (except for the fact that
> Google bashing is cool today).

This seems like a good project, that will move PGP usability and standards forward. It's also a big deal for Google to throw its support to the project, since it is in direct tension with the business model Gmail is built on (scanning your emails).

The auto-update feature is a big deal that will have to get wrestled with openly as this moves further. Perhaps they'll work out a separate update policy for it, who knows. But it'll also have applications outside of a place in the Chrome Web Store.

For example, hopefully much of this work (especially the JS crypto work) will also turn out to be reusable in Firefox.

--
konklone.com | @konklone