PGP and GPG: Email for the Practical Paranoid (Page 3)
Details of Instruction
Cryptography is a difficult topic, but many people are interested in keeping their email communications private. Where can a "moderately skilled geek" find a good introduction that will teach them the practical skills? PGP & GPG: Email for the Practical Paranoid claims it can help. Quantum Skyline from our own Dev Hardware forums reviews the book.
When describing how to use PGP or GPG, Lucas tries hard to ensure that the reader is comfortable working with the tools. PGP & GPG is laced with screenshots showing how to use each of the programs or, in the case of GPG on the command line, textual descriptions of commands and their output. It is also encouraging to see that Lucas provides instructions on using GPG on Linux. A large amount of text is spent on step-by-step instructions for everything from installation to digitally signing email and managing identities. The instructions are complete, and are written so that a regular user with limited command-line experience could actually perform the tasks described. Lucas' writing style is quite inviting, and he tends to insert some humor into areas of the book that would otherwise be quite dry. When explaining the output of command-line GPG, Lucas highlights parts of the output and illustrates what they mean. This goes a long way towards making the command line less intimidating for the reader, and complements the appendices.
However, while Lucas provides a large number of screenshots, PGP & GPG is almost completely devoid of pictures or diagrams. For example, it would be nice to have some diagrams in the chapters on the encoding, encryption, and signing of email, so that the reader has a visual representation of how his or her email is transformed when using OpenPGP. PGP & GPG is the first book from No Starch Press that I have read, and as a result I'm not sure whether this is representative of a particular style that No Starch Press is trying to use in its books or indicative of Lucas' style of writing. He does make use of inset text and footnotes to give the reader details that may be tangential or extra background information.
Lucas strongly stresses certain things during the course of PGP & GPG. When he finds a topic that he wants to drive home, he repeats it throughout the book so that the reader is left with the impression that the issue is important and always needs to be considered when working with OpenPGP. For example, Lucas emphasizes the use of key expiration dates, and absolutely insists on keeping backups of private keys and revocation certificates. To further illustrate his points, he repeats his explanation of why he believes these topics are important by showing the potential consequences and their significance. In a book like this, these explanations are as important as the concepts themselves, because they allow the reader to understand why Lucas takes a hard stance on a particular topic.
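The two key-hygiene points singled out here, expiration dates and revocation certificates, are easy to audit mechanically. The script below is an added example, not code from the book or from the review: it parses the machine-readable output of `gpg --with-colons --list-keys` (field layout as documented in GnuPG's doc/DETAILS), flags primary keys that have no expiration date, have already expired, or expire within a warning window, and reports keys for which no revocation certificate exists in the `openpgp-revocs.d` directory that GnuPG 2.1 and later use. The listing embedded in the script is constructed sample output with fictitious key IDs, fingerprints and user IDs; the `gnupg_home` path and the 30-day warning window are assumptions.

```python
"""Audit GnuPG keys for missing or imminent expiration and for revocation certificates.

Added example, not from the book or the review. Input is the colon-delimited
output of `gpg --with-colons --list-keys` (field layout per GnuPG doc/DETAILS).
"""
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample listing: key IDs, fingerprints and user IDs are fictitious.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:ABCDEF0123456789:1690000000:1790000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1690000000::HASH1::Alice Example <alice@example.invalid>::::::::::0:
sub:u:4096:1:1122334455667788:1690000000:1790000000:::::e::::::23:
pub:u:3072:1:FEDCBA9876543210:1600000000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1600000000::HASH2::Bob Example <bob@example.invalid>::::::::::0:
pub:e:2048:1:0011223344556677:1500000000:1690000001::u:::scESC::::::23::0:
fpr:::::::::0011223344556677001122334455667700112233:
uid:e::::1500000000::HASH3::Carol Example <carol@example.invalid>::::::::::0:
pub:u:255:22:8899AABBCCDDEEFF:1699000000:1700864000::u:::scESC::::::23::0:
fpr:::::::::8899AABBCCDDEEFF8899AABBCCDDEEFF8899AABB:
uid:u::::1699000000::HASH4::Dave Example <dave@example.invalid>::::::::::0:
"""


def parse_gpg_date(field):
    """Return a date field as Unix epoch seconds, or None when the field is empty.

    Current GnuPG prints epoch seconds; older releases printed YYYY-MM-DD.
    """
    if not field:
        return None
    if field.isdigit():
        return int(field)
    dt = datetime.strptime(field[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_listing(text):
    """Group each 'pub' record with its primary fingerprint and first user ID."""
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            # 1-based fields: 5 = key ID, 6 = creation date, 7 = expiration date.
            current = {"keyid": fields[4], "created": parse_gpg_date(fields[5]),
                       "expires": parse_gpg_date(fields[6]), "fpr": None, "uid": None}
            keys.append(current)
        elif fields[0] == "fpr" and current and current["fpr"] is None:
            current["fpr"] = fields[9]   # first fpr after a pub is the primary key's
        elif fields[0] == "uid" and current and current["uid"] is None:
            current["uid"] = fields[9]
    return keys


def audit_keys(text, now, warn_days=30):
    """Classify every primary key as ok, no-expiry, expired or expiring-soon."""
    results = []
    for key in parse_listing(text):
        exp = key["expires"]
        if exp is None:
            status = "no-expiry"
        elif exp <= now:
            status = "expired"
        elif exp - now <= warn_days * 86400:
            status = "expiring-soon"
        else:
            status = "ok"
        results.append((key["keyid"], key["uid"], status))
    return results


def keys_missing_revocation_cert(text, gnupg_home):
    """Fingerprints with no revocation certificate in <GNUPGHOME>/openpgp-revocs.d.

    GnuPG 2.1+ writes <FINGERPRINT>.rev there when it generates a key; the
    gnupg_home argument is an assumption of this example (normally ~/.gnupg).
    """
    revocs = Path(gnupg_home) / "openpgp-revocs.d"
    return [k["fpr"] for k in parse_listing(text)
            if k["fpr"] and not (revocs / f"{k['fpr']}.rev").is_file()]


if __name__ == "__main__":
    # Run against the constructed sample with a fixed clock so the output is stable.
    for keyid, uid, status in audit_keys(SAMPLE_LISTING, now=1700000000):
        print(f"{keyid} {status:14} {uid}")
    missing = keys_missing_revocation_cert(SAMPLE_LISTING, Path.home() / ".gnupg")
    print("keys without a stored revocation certificate:", len(missing))
```

To audit a real keyring, pass the captured output of `gpg --with-colons --list-keys` to `audit_keys` with the current time, and point `keys_missing_revocation_cert` at the actual GNUPGHOME. A key reported as no-expiry or as missing its revocation certificate is exactly the situation the book warns about: if the private key is lost or compromised, there is no clean way to tell correspondents to stop using it.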
Chapter 11, "Other OpenPGP Considerations", is the chapter mentioned earlier that covers the caveats of using OpenPGP. This chapter is a must-read, and dispels the majority of my worries that a reader might take OpenPGP as a panacea for email security. In this chapter, Lucas states that while OpenPGP is good, simple misuse can greatly reduce its effectiveness. Lucas also introduces "rubber hose cryptography" and shows that humans are the weakest link in systems like this. He also provides suggestions, in plain and simple terms, on how to manage keys when working in teams and when using shared systems.