[conspire] Offering GPG/PGP Workshop at CABAL

Wed May 14 14:19:52 PDT 2008

Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> On Wed, 14 May 2008 12:35:42 -0700, Rick Moen wrote:
> 
> > You seem to have missed the main point:  A crypto identity that merely
> > says "Hi, I represent person X.  Trust me" has a bootstrapping problem.
> 
> Absolutely, and just like the bootstrapping problem a computer has when
> powered on, this problem is easily worked around.

Nice handwave, but that's not going to work.

A PC BIOS's int13 boot services know inherently what are the valid
devices to poll, because that knowledge is encoded into the BIOS CMOS.
(A PC that can't trust its BIOS CMOS has bigger problems than booting
correctly.)  The knowledge of how to find sector zero on each of those
devices is hardcoded into the standard, along with how to hand off
control to whatever's in sector zero of the first valid boot device,
and the ability to load and validate the chain bootloader.  

The ability to find and load a valid OS kernel is hardcoded into the
chain bootloader, and the ability to mount a root filesystem is
hardcoded into the OS kernel (or had better be, or startup will fail).

None of those relies on key distribution and vetting, which does not
happen automagically.

> > And how does one know that an S/MIME cert _is_ from a specific
> > individual, if that individual neither conveyed it to you directly nor
> > paid to have it attested to by a notary whom you both agree to trust?
> 
> You just quoted the answer to this question, yet you still ask it...

Fine.  _You_ go around handing your personally generated, non-notarised
S/MIME certificate personally to everyone whom you intend to communicate
with.  You can even give us a nice little lecture about how well that
worked out.

(And no, invoking CAcert.org as a magic talisman isn't going to make
the key-verification problem go away painlessly, either, but I'm
presently inclined to let you find that out for yourself.)

> If you have any stories of a GPG signature being accepted anywhere an SSL
> signature certified through the CAcert web of trust had just been
> rejected, please share.

My _own_ GnuPG key happens to be very widely signed by very widely
recognised open source people and thus is very easily validated and 
honoured.  Don't take my word for that; feel free to conduct a survey
the way Drew Streib did, or for that matter feel free to check his
(now-aging) results, which I seem to recall did include my key.

Meanwhile, you seem to have -- perhaps inadvertantly -- changed the
subject, as SSL certs are not the same as S/MIME certs.

> > Nobody with a grain of sense trusts that cert to begin with, except me
> > and the people I've helped verify that it really is reliable.  Which I
> > believe also helps underline my point.
> 
> I believe the latter part of that _is_ my point.

What's that old saying about not trying to teach your grandmother to
suck eggs?

If you're (rather rudely) trying to ask me why I haven't bothered to get
my Web site https cert issued/signed by CAcert, the answer is that it's
way too much trouble for way too little benefit.  If you want more
detail than that, you'll need at bare minimum to ask a whole lot more
nicely.