[conspire] Offering GPG/PGP Workshop at CABAL

Daniel Gimpelevich daniel at gimpelevich.san-francisco.ca.us
Thu May 15 03:44:40 PDT 2008 

On Thu, 15 May 2008 00:06:40 -0700, Rick Moen wrote:

> Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):
> 
>> I am not in any way disputing that to be the current state of affairs.
>> PhilZ said: "An argument could be made that as a matter of solidarity with
>> the rest of the population you should encrypt your email."[1] If this is
>> to be accomplished with PGP/GPG, the entire "rest of the population" must
>> be participants in the web of trust. I investigated this possibility a
>> couple of years ago, and found the OpenPGP functionality in the GPG
>> software thoroughly incapable of such an endeavor.
> 
> Having personally wrestled GnuPG into submission for my own use a number
> of years ago, I was astonished at how utterly user-hostile it was and
> remains, even by the standards of Unix command-line crypto utilities.
> (That's one of the reasons I wrote my lecture notes, to compensate in
> part.)   To this day, I can't reliably remember most of its basic
> command functions, and keep having to pore through its manpage.

That is way too obvious to mention. I was instead asserting that the PGP
model is wholly inadequate for the above-stated purpose with regard to GPG
_even assuming every e-mail user on Earth could magically be able to use
it properly_.

> By contrast, the verified PGP "strong set" (http://pgp.cs.uu.nl/plot/)
> is currently a bit smaller than the total number of "verified users"
> (whatever that means) CAcert says it services, but there is no
> bottleneck for scaling at any single point (only a rather excessively
> geeky technological burden on each individual participant.[4]  And I'm
> guessing that PGP/GnuPG keys are, on average, a good bit more useful,
> but that's just my guess.

Ah, now we've come to the quux of the matter: The above assertion is
absolutely false. There _is_ a scaling bottleneck at _every_ point when
using GPG. The investigation I mentioned above consisted of an attempt to
traverse the keys then in my pubring.gpg file as a tree, adding to the
file every key which was used to sign any key already in the file.
Evidently, upon every invocation, the gpg command parses the entire file,
because I found that as the file grew, the wait after invoking gpg before
gpg would respond in any way also grew. Some time after I got to the point
where every invocation of the gpg command was taking more than two full
days to complete, I gave up. I still don't know how many licks it takes to
get to the center of that Tootsie Roll Pop.

More information about the conspire mailing list