Gnupg (gpg) [was Re: Pond and Keybase [was peerio.com]]

odinn odinn.cyberguerrilla at riseup.net
Fri Jan 16 01:48:02 PST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

tl;dr

Look... Cathal, I do like what you've done in the tiny realm of code ~
short, simple, and to the point, some examples being:

Deadlock ~ dead simple encryption
https://pypi.python.org/pypi/deadlock


P2P, serverless microstatus system in 30 lines of pure python
https://github.com/cathalgarvey/tinystatus

(slooooowwwwww claaaaaaaappssssss)

So with that out of the way, I have to say, though, your criticism
of PGP, which has appeared on my TL before, is in my view unwarranted,
because GnuPG just isn't getting the funding needed to get what
should be done, done.  It's been done essentially by one person.  And
frankly they could use a bit of help in getting out the word.

Here's a thoughtful post from bytemark on this subject:
(Please read it)

https://blog.bytemark.co.uk/2014/12/31/gnupg-funding-drive
(from Dec. 31, 2014)

Then go on to read this thing:

https://gnupg.org/donate/index.html

As you see they accept all kinds of payment vehicles (and also bitcoin
is one of them)

And now here's the kicker:  This two-person team which they are trying
to get funded, IS NOT FUNDED!

Take a look here:

https://gnupg.org/index.html

Again:

NOT. FUNDED.

And yes, interfaces like Keybase.io _are_ the future (I've been
playing around with it and currently have it in my signature, though I
use a different key block (not keybase) for people to use to
import in association with my e-mail), because they make it easier for
a larger number of people to access keys either through something like
keybase service where they host keys, or through a CLI where you hold
all that closely.  Merkle tree, blockchain, etc.  But this begins in
my view with a strong foundation, which we have from the work which
was done from Gnupg.  (In fact, Keybase.io, and any business like it
in the future, relies on Gnupg.)  If I was rolling in dough ($$) right
now I would dump a giant fat amount of 86,000 € that they are missing
so that they would be able to get going on the Gnupg second
developer's work right away.

So... enough of the rambling on, can someone who knows someone who has
benefited from these economic ups and downs, please forward this e-mail
on to them and ask them if they'd be willing to contribute to
https://gnupg.org/donate/index.html

I have absolutely zero financial interest in seeing this happen but I
know it would help make a better world.

- -O

Cathal Garvey:
>> How about Pond as email replacement?
> 
> I've looked at Pond long enough to see that it calls upon Tor for
> most of the anonymity heavy-lifting, and that it is clearly
> targeted at technical users. Most of the people in my life who I
> speak privately to are not technical. I don't think trivial UX is
> near in Pond's development roadmap.
> 
>> I'm curious what you (and others here) think about Keybase, which
>> also seems heavily targeted at normal users. There was some
>> discussion here in mid 2014, but Keybase has been tweaked a lot
>> since then. I'm quite impressed with its usability, but I don't
>> have the expertise to properly evaluate its security. I am
>> uncomfortable with the option of uploading private GnuPG keys,
>> and counting on symmetric encryption for securing them. Better I
>> think would be helping users understand how to properly migrate
>> keys between devices, or perhaps to use smartcards.
> 
> Keybase could have been a great way to encourage PGP uptake among
> normal people years ago when things were accepted to be difficult
> universally, but PGP's days are behind us. PGP makes a good way to
> sign code but remains a terrible way to communicate securely,
> because although it's "uncrackable" when used correctly, it's very
> easy to accidentally screw up using PGP on either end of the
> conversation. Also, the lack of PFS ignores parts of the modern
> threat model that were speculative when PGP was created.
> 
> Suffice to say that, even ignoring the issues with Keybase
> encouraging key escrow by "allowing" or encouraging key upload
> (!!!), I don't think it helps. Perhaps as a basis on which to build
> a web-of-trust that can be transposed into newer cryptosystems, but
> the key escrow part makes falsification of trust a real
> possibility.
> 
> Anyway, maybe that's just me.
> 

- -- 
http://abis.io ~
"a protocol concept to enable decentralization
and expansion of a giving economy, and a new social good"
https://keybase.io/odinn
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


