[Users] autocrypt

Mark Wagner mark+claws at carnildo.com
Mon Dec 4 21:12:51 CET 2017

On Mon, 4 Dec 2017 11:15:04 -0500
"Michael A. Yetto" <myetto1 at nycap.rr.com> wrote:

> On Mon, 4 Dec 2017 10:15:40 +0100
> Andrej Kacian <andrej at kacian.sk> writes, and having writ moves on:
> >On Fri, 1 Dec 2017 16:51:31 +0100
> >Michael <codejodler at gmx.ch> wrote:
> >  
> >> What do you think about https://autocrypt.org ?    
> >
> >It looks... interesting, I guess, although I haven't had the time yet
> >to fully read what it is about. From the brief glance I assume it is
> >some sort of user-friendly verification framework built on top of PGP
> >keys?
> >  
> Does this quote make it appear to be built on a framework of PGP, or
> one of Warm-Fuzzy.
> "Autocrypt first aims to provide convenient encryption that is neither
> perfect nor as secure as traditional e-mail encryption, but is
> convenient enough for much wider adoption."
> Verification seems to be controlled, or at the least strongly
> influenced by, the party wishing to be verified. No method is
> mentioned for avoiding man-in-the-middle attacks. 

My reading of it is that it's essentially PGP implemented the way that
most people use it: keys are authenticated on the basis of "trust on
first use".  Yes, an active attacker can subvert it easily, but in the
real world, active attackers are vanishingly rare, and the real threat
is passive eavesdroppers recording as much Internet traffic as they can.


More information about the Users mailing list