Matt Green recently blogged about the shortcomings of PGP for e-mail encryption. He makes some valid points, and without a doubt the trust management of PGP and its clone GNUPG is probably its Achilles’ heel. The “web of trust” was supposed to counter the issues inherent in hierarchical certification authority schemes like X.509, and for the most part it does a reasonable job at doing just that when the number of group participants is small. In the real world it suffers from many of the same human factors that have brought the CA style model into question over the past decade. There isn’t an easy answer to this ongoing engineering problem until a reliable, decentralized way of establishing identity is developed. I suspect that the ultimate solution will draw inspiration from current cryptocurrency “proof of work” type systems.
Seeing as I have unfortunately been away from this blog for a while I figured it best that I update my canary document so that nobody need concern themselves that I have been compromised. I will endeavor to return to providing a high quality commentary on the current matters of concern within our industry within the following few weeks as my personal situation slowly returns to normal.
I have been away from this blog and most of my other responsibilities for a little over a week as a result of tending to some family issues and preparing ourselves for a move across town.
Fortunately I will be back on track in the next few days and will update this blog again very shortly.