To use PGP, or not to use PGP...

From: David White 
------------------------------------------------------
I'm working on a presentation I'll give next month at a conference geared
towards folks working for smaller Christian / missionary-focused nonprofits
on "Introduction to Security."

Some of the folks who attend my presentation will probably be a 1-man shop
with very little general IT knowledge, and others will probably know oodles
more than I about security and information systems.

Anyway... I installed OpenPGP into Thunderbird a few months ago, although
I've rarely (if ever) used it to sign or encrypt legitimate messages,
partly due to the fact that almost no one that I email uses PGP or has
ever heard of it.

Recently, I've been doing some research into how useful it actually is, and
whether or not it is actually secure.

My findings so far are that the current version of PGP is very secure.

Indeed, according to Wikipedia, there is no known method of breaking PGP
encryption: http://en.wikipedia.org/wiki/Pretty

===============================================================
From: Dan Lyke
------------------------------------------------------
This. And it's deeper than the obvious first pass.

I mean, sure, you get keys from people you correspond with, you verify
those key signatures over additional channels, you import those keys, you
exchange email. Maybe you think about chains of trust, if you're super
sophisticated...

But...

* In most situations, you still have to think about encrypting that email.
* Metadata about the email is not encrypted.
* Most of us don't use passphrases, so any app running as us can read
  ~/.gnupg or equivalent, and thereby scarf our private keys. Given how many
  machines are virus infected, do you *know* that you don't have trojans
  running? Do you trust every vendor of every app you've installed with all
  your secrets?
* Security is a system: Alice sends the s00p3r s3kr1t passphrases to Bob
  over a trusted channel, Bob prints 'em out and puts 'em on his cube wall
  for easy reference. The channel is not the problem.

So: is PGP/GnuPG good and relatively secure? Only as much as the overall
system you put it into.

Dan
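
A way to audit the "no passphrase on ~/.gnupg" point from the reply above, as an added example that is not part of the original thread. It assumes the GnuPG 2.1+ layout, where gpg-agent keeps secret keys in private-keys-v1.d and marks passphrase-encrypted ones with the token protected-private-key; the function names and sample files are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_gnupg_home(home):
    """Return (path, finding) tuples for a GnuPG home directory."""
    findings = []
    # Group/other access lets other accounts read the key store.
    mode = stat.S_IMODE(os.stat(home).st_mode)
    if mode & 0o077:
        findings.append((home, "directory mode %o is not owner-only" % mode))
    keydir = os.path.join(home, "private-keys-v1.d")
    if not os.path.isdir(keydir):
        return findings  # assumption: older secring.gpg layouts are out of scope
    for name in sorted(os.listdir(keydir)):
        if not name.endswith(".key"):
            continue
        path = os.path.join(keydir, name)
        with open(path, "rb") as fh:
            data = fh.read()
        if b"protected-private-key" in data:
            continue  # key material is encrypted under a passphrase
        if b"shadowed-private-key" in data:
            continue  # stub only: the key lives on a smartcard or token
        if b"private-key" in data:
            findings.append((path, "secret key stored without a passphrase"))
    return findings

def demo():
    # Constructed sample home; the file bodies are stand-ins, not real keys.
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    keydir = os.path.join(home, "private-keys-v1.d")
    os.mkdir(keydir)
    samples = {
        "AAAA.key": b"(21:protected-private-key(3:rsa...",
        "BBBB.key": b"Key: (private-key (rsa ...",
        "CCCC.key": b"(20:shadowed-private-key(3:rsa...",
    }
    for name, body in samples.items():
        with open(os.path.join(keydir, name), "wb") as fh:
            fh.write(body)
    return audit_gnupg_home(home)

if __name__ == "__main__":
    for path, finding in demo():
        print(path, "->", finding)
```

To check a real account, call audit_gnupg_home(os.path.expanduser("~/.gnupg")); an empty list means only that these two checks passed, not that the system around the keys is sound.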