Pretty Difficult Privacy

3 April 2014

Disclaimer: I could write books about online privacy, freedom of speech and how encryption fits into that picture. There are others out there who can do a better job at that and who have way more experience in crypto than I have.

So, I got a keybase.io invite. Awesome. But what problem is keybase trying to solve?

I created my first GPG key in 2000 by way of checking out shiny new things. I’ve been happily generating GPG keys ever since, but I never really used GPG. There were three reasons for this:

  1. The tools, like GnuPG, are difficult to use.
  2. Integration with popular mail clients sucks.
  3. I only know two to three people with a public key.

To start with that last point, there is barely anyone I know that uses GPG. And I know quite a few technically oriented people, like developers and sys admins. No body seems to bother for GPG and the hassle it entails. Most people do have a public key available, but they simple have not setup anything to read and send encrypted or signed emails on a daily basis.

This brings us to points 1 and 2. The tooling, GnuPG, is not very user friendly. I’m not saying it’s unusable, but compared to the CLI interface that keybase provides, it’s arcane magic. Even with GPG setup and integrated in [Sup][3], I routinely make mistakes and get feedback from people I encrypted an email wrong and it’s unreadable by them.

Using this arcane magic in conjunction with normal applications, like mail clients, is quite difficult as well.

Luckily there’s GPGTools for Mac, which provides you with everything you need to get started, including a Mail.app plugin, key management and a Mac version of GnuPG.

With this software installed, as a normal user, you probably still have no clue what you’re doing.

It took me a few evenings to get up to speed again with how GPG works and, more difficult, how to manage your keys. This last part turns out to be the most difficult thing, mostly because the plenhora of options and settings to choose from. All the terminology is not helping: private keys, public keys, fingerprints, trust (of keys), trust (of users), key rings, signing, ecrypting, cleartext, photoids, shortids and key ids, key length, algorithms, validity, passphrases and expiration dates. Not to mention subkeys, signing of keys, capabilities and revokation.

That’s quite a lot of matter to understand before you can use GPG properly.

I think what keybase is doing is great. There are also a few flaws in their plan, and I think it’s not for the better of GPG and privacy. First and foremose, Keybase is becoming a central repository that stores user identities. That does not sound good, not even to mention they are running a business and a closed-source site. Besides, there is already the web of trust and public distributed key servers for GPG to use. Proving identity with a twitter account or github account is also not very powerful IMHO, as it’s easy to fake.

These things aside, keybase does not solve the fundamental issue of cryptography in general and GPG in particular: it’s difficult to use and does mostly not integrate nicely with other software.

For me, to get GPG to the general public, I think the tooling and services around GPG should:

If you can solve this problem, I thing you have gold. Get in touch with me if you have ideas on this topic. You can find info on my GPG key right here.