odinn odinn.cyberguerrilla at
Fri Jan 16 01:11:05 PST 2015

On this whole point of GnuPG (gpg) and some of the issues with using
it (and transitions etc), may I (well, I just will) recommend this,
from sources I've compiled in a way that people seem to like and have
found helpful:

Crazy Strong: @gnupg "learn or die" in 2015 #31c3 All systems
See also

on twitter as:

which has caused GnuPG / Thunderbird / etc. awareness to reach 14,685
accounts that might otherwise not have seen it.

based on an analysis from
Learn or die folks.

But you may ask, what about the transitions? New machine? Older key
issues? Proper use? Getting a stronger new key? Etc.

Valid questions! Which is what I am asking myself right now (since I
have some old key issues that I am trying to work through and I didn't
have good answers).

Fortunately, rysiek came to the rescue in a very timely way, and gave
me permission to republish (rysiek's) statement which appears below:
rysiek explains:
GPG Key Transition:
Zmieniam klucz GPG ("I am changing my GPG key"):


The instructions are very clear and helpful.  (Thank you rysiek!)

I'll be developing my own transition statement at some point soon
using rysiek's page as a guide. Not sure of when, but rysiek's page
will be my guide.

Cathal Garvey:
>> So far, as far as I can see, you're not even inflicting PGP on
>> us here, let alone your friends.
> I did for a while, but then I moved hardware and didn't see any
> reason to set up PGP again. At best, it was a signal to people that
> I cared about security/privacy, at worst it was making everything I
> posted non-repudiable for no useful reason.
> The fact that miniLock is authenticated but repudiable makes it a
> better bet for PGP-usecase purposes *anyway*, and my miniLock ID is
> in my signature (again, had lapsed by accident) for people who want
> to use miniLock outside of peerio.
> But, miniLock isn't (opportunistic pun) "turn-key", it requires 
> launching, authenticating, dropping a file to encrypt, typing in a 
> miniLock ID to encrypt to (encrypting to yourself probably makes
> it non-repudiable if someone acquires your private key, beware!), 
> downloading the encrypted file, and then transmitting the encrypted
> file out-of-band.
> Now, implementing Peerio server is something I endorse. If I
> weren't too busy, I'd investigate doing it myself, it looks like
> fun. If anyone does feel like it, they have miniLock for JS-based
> servers, and deadLock for Python-based servers (needs some
> work/bugfixes).
> On 15/01/15 16:44, rysiek wrote:
>> On Thursday, 15 January 2015 11:20:22 Cathal Garvey wrote:
>>> If the server code were open, how would you know the server was
>>> actually running that code anyway?
>> Not much. But it would allow others to run the server code and
>> offer similar service, at the very least.
>>> Having the protocol documented so thoroughly makes the task of 
>>> writing an alternative server trivial if time-consuming. I'd
>>> obviously prefer the server were AGPL, and I hope someone will
>>> write an AGPL'd server and federation.
>> Of course. The "time-consuming" part is what bothers me. I
>> *could* throw in an hour or two to set up a peerio server had the
>> code been available; I have absolutely *no way in hell* of
>> throwing in days or weeks of work to implement their protocol.
>>> For now though, the client is open source, the crypto doesn't
>>> suck, the UX is excellent, and the threat model is pretty
>>> transparent. I'm *never* going to inflict PGP on friends, but
>>> I'll happily inflict this on them.
>> So far, as far as I can see, you're not even inflicting PGP on
>> us here, let alone your friends.

-- ~
"a protocol concept to enable decentralization
and expansion of a giving economy, and a new social good"

