[Enigmail] and for my first mistake...
Robert J. Hansen
rjh at sixdemonbag.org
Mon Jun 30 17:42:35 PDT 2008
Faramir wrote:
> The problem is most people don't really know (including me) how does
> encryption really work. I mean, we hear 64 bits WAP is easily broken,
> by just watching packages being transmitted. Then we have 128 bits
> WEP, and it is supposed to be better... but some people say it is
> still vulnerable...
Those are protocols, not encryption algorithms.
64-bit WEP is easily broken because of mathematical weaknesses in the
protocol. The underlying algorithm, RC4, is believed strong when used
properly. WEP's problem is it doesn't use it properly.
128-bit WPA has its own problems -- problems of protocols, not algorithms.
The OpenPGP protocol is fairly well-designed, even with its many warts
and flaws. It uses encryption algorithms in ways that are unsurprising
(save for the weird CFB mode) and extremely orthodox.
RSA, DSA and Elgamal are encryption algorithms, not protocols. Used
correctly, any of them in 2kbit strength is going to be a lot more than
you need.
> So it is easy to see OpenPGP keys and "feel" it follows the same
> principle.
Right, and this is my biggest problem with most forms of computer
security. Computers are nothing more nor less than phenomenally capable
engines of mathematics -- but the average person cannot think
mathematically. Thus, rather than dealing with computers on the basis
of facts and reasoned analysis, people deal with computers according to
superstition.
> Certainly, if I go to USA, I would be carrying a passport, but I
> don't know if USA citizens use to have a passport, if they have never
> travelled outside USA.
Only about one American in six has a passport. Up until very recently,
very few Americans needed one; we could travel in Canada and Mexico with
just our driver's license for ID. That meant we could travel from Guam
to Maine, from the North Pole down to Cozumel, without a passport. With
that kind of access to the world, why bother filing for a passport?
Since 2001, though, border controls have become much tighter. Passports
will get you through borders much faster. Many more Americans are
getting them nowadays, as compared to a decade ago.
I've held one since 1993, when I was an exchange student in Germany.
> I am not planning to go to USA, but... what ID document should I
> require in order to sign a key there?
A passport is the gold standard. In my experience, most people who
attend keysigning parties will bring passports with them.
You can require any form of ID you want. Looking through my wallet, I
see... two credit cards, a University of Iowa ID, an Iowa driver's
license, my Association for Computing Machinery membership card, and an
Iowa Permit to Acquire Pistols and Revolvers. So that's three forms of
government-issued identification (the University being government-funded).
My own personal rules for identification: either a passport, or else two
forms of government-issued ID which show your full name and have a
photograph of you.