devroom.io/content/posts/2014-04-03-pretty-difficult-privacy.md

+++
date = "2014-04-03"
title = "Pretty Difficult Privacy"
tags = ["security", "privacy", "gpg", "php", "gnupg"]
description = "I have been mildly interested in digital security and privacy for years. With the introduction of Keybase.io that interest gotsparked again and I investigated the current state of GnuPG."
slug = "pretty-difficult-privacy"
+++
_Disclaimer: I could write books about online privacy, freedom of speech
and how encryption fits into that picture. There are others out there who
can do a better job at that and who have way more experience in crypto
than I have._
 
So, I got a keybase.io invite. Awesome. But what problem is keybase trying
to solve?

I created my first GPG key in 2000 by way of checking out shiny new things.
I've been happily generating GPG keys ever since, but I never really used GPG. 
There were three reasons for this:

 1. The tools, like GnuPG, are difficult to use.
 2. Integration with popular mail clients sucks.
 3. I only know two to three people with a public key.

To start with that last point, there is barely anyone I know that uses
GPG. And I know quite a few technically oriented people, like developers
and sys admins. No body seems to bother for GPG and the hassle it entails.
Most people *do* have a public key available, but they simple have not
setup anything to read and send encrypted or signed emails on a daily
basis. 

This brings us to points 1 and 2. The tooling, GnuPG, is not very 
user friendly. I'm not saying it's unusable, but compared to the CLI
interface that keybase provides, it's arcane magic. Even with GPG setup
and integrated in [Sup][3], I routinely make mistakes and get feedback from
people I encrypted an email wrong and it's unreadable by them.

Using this arcane magic in conjunction with _normal_ applications, like
mail clients, is quite difficult as well.

Luckily there's [GPGTools][1] for Mac, which provides you with everything
you need to get started, including a Mail.app plugin, key management and
a Mac version of GnuPG.

With this software installed, as a normal user, you probably still have
no clue what you're doing.

It took me a few evenings to get up to speed again with how GPG works and,
more difficult, how to manage your keys. This last part turns out to be
the most difficult thing, mostly because the plenhora of options and 
settings to choose from. All the terminology is not helping: private keys,
public keys, fingerprints, trust (of keys), trust (of users), key rings,
signing, ecrypting, cleartext, photoids, shortids and key ids, key length,
algorithms, validity, passphrases and expiration dates. Not to mention
subkeys, signing of keys, capabilities and revokation.

That's quite a lot of matter to understand before you can use GPG properly.

I think what keybase is doing is great. There are also a few flaws in their
plan, and I think it's not for the better of GPG and privacy. First and 
foremose, Keybase is becoming a central repository that stores user 
identities. That does not sound good, not even to mention they are running
a business and a closed-source site. Besides, there is already the
web of trust and public distributed key servers for GPG to use. Proving 
identity with a twitter account or github account is also not very powerful 
IMHO, as it's easy to fake.

These things aside, keybase does not solve the fundamental issue of
cryptography in general and GPG in particular: it's difficult to use and
does mostly not integrate nicely with other software.

For me, to get GPG to the general public, I think the tooling and 
services around GPG should:

 * be understandable and usable by the average user
 * be open source
 * be distributed in nature
 * integrate easily with third party applications

If you can solve this problem, I thing you have gold. Get in touch with
me if you have ideas on this topic. You can find [info on my GPG key right
here][2].

[1]: https://gpgtools.org/
[2]: http://ariejan.net/gpg/