PGP and GPG: Email for the Practical Paranoid
A Textbook on Email - BrainDump
Cryptography is a difficult topic, but many people are interested in keeping their email communications private. Where can a "moderately skilled geek" find a good introduction that will teach them the practical skills? PGP & GPG: Email for the Practical Paranoid claims it can help. Quantum Skyline from our own Dev Hardware forums reviews the book.
PGP & GPG is laid out in an instructional format much like a textbook. It is intended to be read linearly; skipping around to pick up specific bits of information is likely to confuse the reader. The first two chapters introduce the OpenPGP standard, PGP and GPG, and the differences between them before putting the reader through "Cryptography Kindergarten." Following the introduction, Lucas takes the reader through installing PGP Corporation's PGP desktop client, GPG, and a Windows interface to GPG called WinPT. For installation and basic use, Lucas devotes one chapter each to PGP and to GPG, and reminds the reader to skip whichever chapter does not apply to the tool they are using.
Following the discussion of installation, chapters 5 through 7 explain the concepts behind the Web of Trust and how to manage public keys within it. Chapters 8 through 10 cover how to use the OpenPGP standard with commonly used email tools, and Lucas finishes the book with other considerations and caveats for using OpenPGP, as well as appendices on how to use the command line tools.
The introduction to PGP & GPG is rather enjoyable; Lucas provides an excellent summary of the history behind OpenPGP, and his account of Phil Zimmermann's story is quick and to the point. At the beginning of the first chapter, Lucas goes over common tasks that involve public key cryptography and identifies what OpenPGP can do to address them. His explanation of cryptographic terms is pitched at a high enough level that novices will understand the concepts, but readers more familiar with cryptography may complain that he skips details.
However, while Lucas does a good job of introducing and explaining the concepts and what OpenPGP provides, he does not adequately make the case for why a regular user would begin using OpenPGP with their email. The closest he comes is the statement that "non-repudiation alone makes it worthwhile to use OpenPGP," along with examples of some extreme situations in which OpenPGP is a good idea. Given that the reader is not likely to be in a repressive country (although some would argue that this is where some western countries are heading), PGP & GPG does not specifically instruct the reader to evaluate his or her own tolerance for risk and then decide what level of protection is appropriate. For a book that reads like a how-to document, this is a critical step that was missed.