Fri, 24 Dec 2004
Merry christmas and a happy new Year!
Wed, 22 Dec 2004
Nota bene: The girl, who made the cookies, resisted our assimilation efforts and is using SuSE. But she made cookies with swirls. She said: "Swirls are much easier than chameleons ;)
I just discovered that all but one of the twenty five users whose gpg-key I set to the Don't trust at all trust level (and believe me: I had good reasons for doing so) are Gentoo users or developers. I wonder if that's coincidence or system ...
Did I already mention that? Secure Email for one example.
Okay, there is gnupg. Works very well for me, but it's difficult to explain to unexperienced users (at least I failed many times to explain it to members of my family) and it isn't accepted everywhere.
I especially dislike the second point. Ordering some stuff from a shop or sending forms to agency could be quite simple. As in many other countries, we have a law for electronic signatures. But gpg and it's web of trust fails, since you need a central certificate authority for a valid certificate.
Okay, then there is Thawte and it's web of trust, where you can get this s/mime stuff, which you actually can get somehow running under Linux and mutt. You need to get enough points in there Web of trust install firefox or Mozilla, create somehow a certificate, which is magically signed by Thawte (although you created it locally), export it from Mozilla, import it with openssl, tweak your muttrc and it works. Perhaps.
Beside the point, that I didn't understand how it works in general, there are the normal points that suck: You get only certificates for e-mail for free from Thawte. And even then they might revoke it anytime, and tell you: Sorry, but we are a company and like to earn money. Please pay us, if like to get a working certificate. All in all: It's all the stuff I dislike about companies, and why I love community efforts.
A nice point is, that Thawte certificates strictly speaking not fulfill the german law for electronic signatures. IIRC Thawte would need to ... pass some tests defined in the law, which they didn't tried yet for unknown reasons. But they are quite often accepted. I think most people can't differ between officially trusted and untrusted ca's.
Now you might think that CAcert is the solution: It claims to be a community project and you'll get certificates for your other services than email (e.g. your web server), too. But it sucks, too. One point is, that their root certificate isn't part of any browser or email reader yet. So you need to tell your friends/customers/whoever to install their root certificate to trust you. Oh, and it seems to have some problems with democratic / community too. I talked to some former project members (actually: I know more former than actual members), which complained all about missing democratic and that everything, from their domain to the root account of the main machine, would be controlled by a single person. Being a regular association with an elected board sounds quite useless, if there is one person, who has the last word, doesn't it?
Oh, year, I forgot to mention the CAs where you can buy your certificate. As far as I know, there are two kinds of CAs: Those who are so expensive I can't afford it, or those, who create the private key for you and keep a copy (for security reasons, you might loose yours) or just sell you a complete set including SmartCard, reader and Software. You can see quite funny faces, if you ask the last group mentioned questions like Does it run with Linux? or May I see the source code of this software, so I can trust it?.
Sometimes everything sucks. Can't we start a really community effort for digital signatures and all this stuff? I really think we need something like this.
Today I've been at my local LUG to a joined x-mas and keysigning party. That was the most chaotic keysigning party I have ever been.
Two weeks ago, when someone came up with the idea of the keysigning party, it sounded quite easy: One volunteered to do a small talk about gpg, ssl, web of trust and all that stuff. He had no time to prepare something, so he did an improvised 10 minute talk (he would have been faster, if I didn't asked questions or clarified some points he didn't knew). Other problem was, that more people than calculated came.
However: The really big problem was, that somehow we tried to have three keysigning parties at once. One normal gpg/pgp party (with some people forgot to print enough fingerprints), one for Thawtes Web of Trust and one for CAcert.
Beside the normal problems of lost or expired passports, the whole situation got more complicated because unexperienced users didn't knew the difference of the three (although we send previously a small HOWTO), or didn't had copies of their passports for the later two.
Nice idea to do all that stuff in one go, but if we ever do such a thing again, we should really try to do it a bit less chaotic.