
April 6, 2004

Web of Weedle

Posted by Mike on April 6, 2004 9:43 PM

Over the past few days a friend & I have discovered the joys of Fire's support for GnuPG. I don't really have any need for hard crypto in my instant messaging, but it's pretty entertaining to know any random musing my remote buddy sends my way is protected from the prying eyes of, er, Them.

Some quick things as the result of my minor consciousness raising via Google (not to be confused with complete thoughts):

The GnuPG page has a section on how to build your web of trust, which advises:

"In order to use to communicate securely with others you must have a web of trust. At first glance, however, building a web of trust is a daunting task. The people with whom you communicate need to use GnuPG, and there needs to be enough key signing so that keys can be considered valid. These are not technical problems; they are social problems. Nevertheless, you must overcome these problems if you want to use GnuPG."

So far, the only widespread use of GnuPG I've seen has been in signing security advisories and packages among assorted *nix distributors and in fairly small circles on mailing lists, where it's just part of the culture. There's also the OpenPGP comment plugin for MovableType, which has a short list of adopters. So how do people overcome the social problem? And how small is the percentage of the overall population involved in these webs of trust? How did they convince each other to change IM networks long enough to coordinate a key-signing?

On the technical issue side:

I noticed over on the page for Nitro (yet another Jabber client) that "GPG support has been taken out again awaiting implementation of a proper E2E [end-to-end] jabber standard." That might explain why it only seems to work between a pair of Fire instances, and not between, say, Fire and Psi, another Jabber client with the advantage/disadvantage of being cross-platform and built on Qt (for that "not-quite-native" feel). A mail from Peter Saint-Andre of the Jabber Software Foundation notes that end-to-end encryption is a matter of severe apathy among home users (who are more likely to make fun of people who think they need it or want to just make the point by using it) and some level of hostility among "enterprise" users:

"...many companies have corporate or government requirements related to auditability of all message traffic. This is especially true in financial services, where SEC regulations require full auditability of all 'compliance events' for years after the message was sent. Similar if less stringent rules often apply in healthcare and even customer service. In these environments, end-to-end encryption is a MUST-NOT-IMPLEMENT feature, however much we security elitists may desire it, and an IM client that generated an encrypted message would be considered a rogue application on the network."

So, the average home user doesn't care and the average enterprise has government-mandated control freakery to take into account (plus whatever internal control freakery might exist). Where's Jabber's incentive to work on the issue, then? I know, I know: It's got a split development model with a company handling the "what enterprise customers want" side while the virtuous open source hackers do the good work of "the community."

For me, goofing around with GnuPG has been a matter of idle curiosity, but the more I goof around with it, the more I wonder what the allure is. Besides the social difficulties of building critical mass and a web of trust, there are technical issues (not the least of which is the amount of discipline it takes to maintain an identity, which involves a little more than, say, a Yahoo! account or a Microsoft Passport). Anyone? Why? How?

A Little Later: My public key is here, btw.