Hacker News | deknos's comments

and now certain people in corporate security only trust gpg, because they grew up with it :D

We need a keyring at a company. Because there's no other media for communicating, where you reach management and technical people in companies as well.

And we have massive issues due to the fact that the ongoing-decrying of "shut everything off" and the following non-improvement-without-an-alternative because we have to talk with people of other organizations (and every organization runs their own mailserver) and the only really common way of communication is Mail.

And when everyone has a GPG key, you get.. what? A keyring.

You could say, we do not need gpg, because we control the mailserver, but what if a mailserver is compromised and the mails are still in mailboxes?

the public keys are not that public, only known to the contenders, still, it's an issue and we have a keyring


You need a private PKI, not keyring. They're subtly different - a PKI can handle key rotation, etc.

Yes there aren't a lot of good options for that. If you're using something like a Microsoft software stack with active directory or similar identity/account management then there's usually some PKI support in there to anchor to.

Across organisations, there's really very very few good solutions. GPG specifically is much too insecure when you need to receive messages from untrusted senders. There's basically S/MIME which has comparable security issues, then we have AD federation or Matrix.org with a server per org.

> You could say, we do not need gpg, because we control the mailserver, but what if a mailserver is compromised and the mails are still in mailboxes?

How are you handling the keys? This is only true if users protect their own keypairs with strong passwords / yubikey applet, etc.


> We need a keyring at a company.

https://xyproblem.info

Look closely at the UX I'm proposing in https://github.com/fedi-e2ee/pkd-client-php?tab=readme-ov-fi...

Tell me why this won't work for your company.


Okay, that's it. i think i will do some data analysis and do a talk at some place next year about the outcome of the analysis which talks are there and if there's really a trend. :D

Do it. I'm really interested.

again this myth. look at past fahrplans, there was always quite some political stuff. you just agreed with it and therefore it was not inconvenient.

In terms of the extent, no.

So you did a comparative analysis of previous events and there's no indication that there's more politics?

The user had more arguments than just "it's all politics". What level of scrutiny does his statement have to hold up to? Because as far as I am concerned this is not here to find scientific truths.

I don't know man. It's always the same debate: It's either "too much politics" or "no change at all" whenever this issue comes up and the "nothing changed" crowd keeps on reminding everyone that C3 "was always like that". I'm not requesting a scientific study but if you're this convinced that nothing changed despite many old school attendees chiming in to confirm the opposite, perhaps it would be helpful to compare old and new schedules.

I find it strange you didn't latch on to the original comment, which has the exact same problem you complained about, but reacted to the response. The best action is to ignore threads and sub-threads you don't care about and leave others who do to their fun.

will this mean i lose my saved courses o_O?

At least not immediately. No reason to alienate existing customers who would revolt and sue.

It's so sad that there's no wysiwyg editor besides seamonkey which is truly opensource and no electron stuff.. sigh :(

also sad, that XHTML was abandoned.


can please someone build an iPhone + Android app which does conveniently what cimbar (cimbar.org) does? then we do need much less of those filesharing activities, because videos go up to a few mb, and bigger than that.. well you can encrypt, share key via such an app and then upload to wherever.


> The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.

Why? Microsoft and Cisco also skimp on security.


The real lesson is don't skimp on your political payoffs/tribute/bribes.


to be honest, i am kinda wondering, why mailservers do not publish on some http service:

- whom they accept mails from under which conditions
- who's blocked and why
- perhaps hashed-and-salted-email-addresses for verification
- how much spam (as the receiver understands it) happened from where
- that you produce tokens with hashcash, so unknown senders can verify themselves with that per mail/receiver


i just hope, this is really a thin service and not again running with javascript and also works over tor..

