[tptacek]

At one point in this essay, Matt suggests that every successful end-to-end encryption scheme has employed transparent (or "translucent") key management. What he's referring to is the idea behind, say, OTR: two people can use it without the key handshake required by PGP.

Matt is wrong about this. He's being victimized by a pernicious fallacy.

It certainly appears that the most "successful" cryptosystems have transparent keying. But that's belied by the fact that, with a very few exceptions (that probably prove the rule), cryptosystems aren't directly attacked by most adversaries... except the global adversary.

In the absence of routine attacks targeting cryptography, it's easy to believe that systems that don't annoy their users with identity management are superior to those that do. They do indeed have an advantage in deployability! But they have no security advantage. We'll probably find out someday soon, as more disclosures hit the press, that they were a serious liability.

There is a lot wrong with PGP! It is reasonable to want it to die. But PGP is the only trustworthy mainstream cryptosystem we have; I mean, literally, I think it might be the only one.

[matthewdgreen]

Hi Thomas. I used to think this way too. I think this is certainly a fine way to think about things if your goal is to keep encrypted email deployment limited to the 3-4% of email users who are either technical experts with nothing to say and/or people who are sending obviously sensitive documents. It doesn't scale much beyond that.

Moreover, I would argue that a 'translucent' key management infrastructure /can/ be better in all ways than PGP. For example, imagine that Google provided a transparent key distribution service for all its users, but also allowed you to verify key fingerprints manually before sending messages. Congratulations -- for users who care, you've got something that works every bit as well as PGP. Everyone else isn't sending plaintext! Sure an attacker can compromise them, but it requires an expensive MITM attack. They have to be targets a priori, not after the fact. I'm struggling to see how anyone is worse off here, except through the nebulous reasoning that 'making things easy' makes people careless. Making things hard definitely makes people careless -- I've seen this firsthand.

But more to the point, even paranoid users have a lot of options that are better than PGP. Using ZRTP to establish secure channels is a very safe way to do things, assuming your attacker can't really forge voiceprints (and this seems hard, even for the NSA). From that point you can push strong public keys out to a dedicated text/email app. That we don't do this is not so much because it's a bad idea -- it's because so far people haven't tried it.

[erikb]

You must worry by yourself if the key from the other person is trustworthy. If you let the software do it, you need to trust the software developers, the software providers (how did you install the software?), etc. Therefore taking key management out of the hands of the users might increase usability, but it automatically decreases security.

[exelius]

In many cases, this is an acceptable trade-off. Security is not one size fits all; your average user cannot afford to be NSA-level paranoid. Otherwise we would spend all of our time verifying keys and not actually doing anything.

[erikb]

True. But he will think he is NSA safe, if he uses an App on his iPhone with the word Secure in the name. And this is actually what many of the Apps out there are promising without being able to say for sure themselves.

[exelius]

You can't protect people who aren't willing to put in a little effort to verify the programs they use are safe. Security is all about trust, and you shouldn't trust an unknown entity. But if such a product came from Microsoft or Google, the user would have more faith that it's secure.

[unimpressive]

>They do indeed have an advantage in deployability!

Deployability is worth more than might be immediately obvious. The question of deployment is directly related to the business of availability. If 99% of people used a crypto system that provided no real security beyond thwarting a global adversary, which also had the option for further measures to confirm identity when necessary, we would be in a much better position than we are now because it would mean that when I do have contacts I would prefer to use encryption with the software will already be on their system and I only need to instruct them in how to use it.

There's a fallacy in saying that no measures are better than imperfect measures 'because then you don't have a false sense of security'. Regardless of security measures or not the false sense of security is baked into how people use computers.

I challenge you to go explain to anyone you know who does not identify as a 'computer person' how email routing works and why it's quite possible for a 3rd party to read their mail. If they even understand what you're talking about, the response is an almost universally cool 'Oh but so many other people do it, and what am I supposed to do stop using email?'

The vast majority of people will not stop talking just because in the abstract they might be overheard.

EDIT: As a note, I think any centralized system of key distribution is fundamentally insecure.

[Spooky23]

You educate them.

The way I did this in a past life:

- Explain that email is a postcard. - Give examples of information that should not belong in email. - Provide demonstration of the issues people creates for themselves by breaking the rules. - provide tools to accomplish business needs (file transfer in particular) - Tell them that their email is subject to audit. - Implement technical controls to warn/enforce suspect behavior.

People want to do the right thing, but you must set clear expectations so they know what to do! The most secure email is one that is never sent.

[ownagefool]

As a 'computer Person' my response is much the same.

You can however get them to consider what they put in there by explaining "email is like a postcard; everyone who touches it can read it".

[MrUnknown]

> I challenge you to go explain to anyone you know who does not identify as a 'computer person' how email routing works

I usually use the "It's like mailing a postcard" comparison.

[bdamm]

PGP is only trustworthy if both parties treat key management with the utmost severity, and if everyone in the conversation maintains the integrity of a given thread (in the email case).

There are a precious few individuals for whom I have that level of trust in their management of their private key. I could not even trust my wife to manage a hardware key that I gave her, it would fall apart immediately; "I cannot use this key on my chrome book? I cannot use this key on my Galaxy? I cannot use this key on my iPad? Give me a soft key that I can use, or a cloud service..."

Therefore, PGP is not mainstream. There is a large population of people doing it incorrectly, and they must because they have no other real choice.

[tptacek]

Both of these statements can't possibly be true:

* PGP is only trustworthy if both parties treat key management with the utmost severity.

* Transparent key management systems that rely entirely on heuristics and click-through warnings are trustworthy.

[matthewdgreen]

Really they can both be true. They're just true for different constituencies. The vast majority of users are not targeted by active attacks, nor should they have reason to be. They may be hacked or subpoenaed after the fact.

[antihero]

I thought that "active" attacks is exactly what we were trying to guard against?

[michaelt]

Presumably the hope for transparent key management would be something like the CA system used in TLS, with certain reforms (certificate transparency? Namecoin?) which make it visible when a CA has been hacked or has collaborated with a global adversary.

So there's just a dozen or so central authorities who need to handle keys with the utmost severity.

[tptacek]

I'm baffled by that attitude (and CT, as well). So, you found out after the fact that the global adversary injected themselves in the middle of your conversation with a source. What do you do now? Move to an apartment in Russia?

Also the things that break transparently-keyed systems do so repeatedly. That's what transparent keying means: it's mediated by machines, and factored the slow, clumsy, human interactions out. CT? Audit logs? It's like Lucy and Charlie Brown with the football, except Lucy is hooked up to a for() loop.

[michaelt]

  So, you found out after the fact that the 
  global adversary injected themselves in 
  the middle of your conversation with a 
  source. What do you do now?

If you could reliably detect a CA issuing MITM certs to the global adversary, and if some unstoppable mechanism would respond to such detections by promptly dropping the CA's cert from clients' trust roots, and if being dropped from the trust roots put the CA out of business, then it would be extremely difficult to induce a CA to issue MITM certs.

[moreati]

What is CT in this context?

[croikle]

I believe it's Certificate Transparency, a Google project for globally monitoring SSL certificates.

http://www.certificate-transparency.org/

[nikrdc]

Can you (or anyone else) point me and others to a good text on properly handling keys? Thanks!

[DanBC]

I would freaking love it if some good designer with technical knowledge, or help from technical colleagues, would create simple flowcharts of "How to use Encryption".

Each chart would be one page. It would walk a user through one step of using a PGP / GPG. It would include links to in-depth reading.

The final sheet would be walking through common mistakes that users make.

This is one of the things I'd pay for if I had FU money. I'm sort of tempted to kickstart the idea.

[bdamm]

It's not doable, because there are major unsolved problems. Protection of a private key, for example.

The only outcome of such a chart would be reams of people utterly vulnerable and thinking that they are not.

If you constrain the environment, e.g. "How to use SSL certificates in Chrome on Mac OS X Lion" then there might be a chance that could fit on one page in an easy to understand format.

[Torgo]

> Protection of a private key, for example.

I have a master key that was created offline, and use a subkey on a usb smart token. It works good but it was a bitch to set up. Apparently Qubes OS has a hardware-virtualized PGP container for protecting private keys, but that's not a viable solution right now.

[frabbit]

The offline masterkey stored on an encrypted medium is the approach that makes most sense. This[1] guide is pretty decent, and somewhere on the Debian wiki is essentially the same information (but less nicely presented).

The OP's complaints boil down to two IMO: 1) poor UX; 2) trust is difficult to manage.

1) Seems solvable to me again with subkeys for encryption and signing (which I believe are created by default for GPG2.0 anyway).

2) Asking technology to solve the problem which only each individual can answer ("do I trust this person to be evaluate other people's identities as carefully as me?") is not doable.

The example of someone getting a journalist's pubkey and being stung by the (fixed) bug whereby the wrong key may be imported is again letting the user off the hook. If someone is not actually using GnuPG's abilities to examine the WoT and see who has signed the journalist's key etc then it's an example of magical thinking with "encryption" replacing any other nostrum.

I don't believe that problem can be solved with technology.

1. https://alexcabal.com/creating-the-perfect-gpg-keypair/

[ef4]

See the [GNU Privacy Handbook](https://www.gnupg.org/gph/en/manual.html).

[Spooky23]

That's probably because like most people, you don't really need to have a completely secure communications channel with your wife.

All security decisions boil down to some calculus of risk, impact and cost. The most sensitive conversations that my wife and I typically have remotely aren't ones that justify the cost (both in terms of hassle and $) of carrying a secure device around.

Personally, if I were in a situation where I was remote and my physical safety or livelihood could be compromised from an email, my wife and I would probably suck it up and run around with secured netbooks or something. In my case, I don't see that risk/impact calculation adding up to requiring PGP.

[e12e]

Someone else might need to have a secure communication channel with his wife. I never read the comment as "I can't communicate securely with my wife", more "My wife is not in the set of people with which anyone can communicate securely" (because secure key management is hard).

[Spooky23]

That's fine. Just don't expect to do it transparently with your iPhone.

[DanBC]

See, for example, "De-Anonymizing alt.anonymous.messages" for an example of people doing crypto -including PGP- wrong.

[exelius]

I think the argument is that PGP is so difficult to use that by and large people just won't bother.

Yes, transparent key systems would likely be less secure than PGP. If the usability were significantly better and people used them, that is better than the alternative of using nothing. For many of these solutions, there is a window of vulnerability surrounding the key exchange that closes if you aren't snooping traffic at that moment, so it's not like they're completely insecure options; just that their attack vectors that may be considered acceptable risks in many situations.

[tptacek]

An irreconcilable difference between you and I on this point: you think it's a good thing if people use bad crypto instead of no crypto, and I don't.

I don't think bad crypto makes the global adversary go "aw, shit, we better target someone else". I think it makes them go "excellent, something else we can get a secret appropriation to go break".

[exelius]

There's a difference between bad crypto and easier to use crypto. Just because it isn't 100% secure all the time doesn't mean it's not useful. If they have to go through the trouble of breaking each individual message rather than just gathering everything in a dragnet; that's good enough in my mind. You have to make mass surveillance expensive enough that it's no longer worth it.

You as an individual cannot fight a state actor. It doesn't matter how secure your crypto is; they can hold a gun to your head and force you to give up the key (or in more civilized countries, throw you in prison forever). If you become an individual target to a state actor, there is literally nothing you can do to stop them unless another state actor is willing to protect you: they have the resources of an entire economy behind them and there's no security solution you can cobble together that will be able to keep them out.

Even Snowden, who practices a paranoid level of OpSec, just assumes his electronic communications are being read. The only reason the CIA hasn't done an extrajuducial rendition on him is that he is living under the protection of another state actor (Russia).

[_delirium]

My impression (I could be wrong) is that a lot of OTR users in particular are worried mainly about the local adversary: someone on the coffee-shop wifi, or the corporate IT administrator, sniffing their IM traffic. In that case you just have to have an encryption setup that's good enough to circumvent whatever analysis that class of adversary is likely to use.

[bad_user]

If a global adversary can do it, then it is only a matter of time before a local crime syndicate can do it as well, after all stealing credit cards and other sensitive info is a booming business.

And what really bothers me is that this will give people a false sense of security. At least right now I'm seeing regular folks refraining from exposing sensitive info online out of fear of evil hackers that are often the subject of news. So yes, I think unencrypted email is better than a solution that isn't secure.

[_delirium]

I agree, and I think that's especially a good argument for email. For mail submission at least, I think most users for that use-case are now either using or moving to encrypted SMTP AUTH with certificate checking, which should be fairly robust on the local side (between you and your ISP/company), modulo the problems that exist with the CA system. For IM though I think lots of people are more worried about embarrassment than crime: someone grabbing & posting your cybersex logs online; or your comments about office politics (or an affair, or whatever) being read by snooping IT staff, that kind of thing. Some people specifically use IM for office-politics stuff rather than email, because they assume (probably correctly) that IT staff can more easily pry into their email.

Of course for that use-case you don't really need end-to-end encryption: an encrypted connection to the IM server would be fine, and maybe actually better. But a bunch of services don't support that (though Google Talk does).

[XorNot]

You need end-to-end encryption anytime the IM server isn't under your control. It's a reasonable assumption that if they could log everything, some manager somewhere has ordered them to do it regardless of legality.

[click170]

This is a fair point and one I hear often, but can you be sure that for as long as you live, you will never have a reason to fear the global adversary?

I trust my government (within reason) at the moment but I'm not comfortable betting that they will never ever turn anti-gay and start coming after me.

[exelius]

I said this above, but I'll say it again here: if your government has identified you as a target, there's very little you can do but hide and hope you can find another government willing to protect you.

That said, crypto is useful in avoiding their gaze in the first place. For this, vulnerable crypto is better than nothing: assuming the vulnerable crypto requires a non-trivial and non-repeatable process to break, it's unlikely that even a state actor is going to bother breaking it for the entire population.

[alsetmusic]

> That said, crypto is useful in avoiding their gaze in the first place.

I'm not entirely sure that I agree. I've long thought that using encryption above and beyond what the average person employs would be a great way to appear on 'their' radar. I don't have the need, so I'm happy not trying to find out. That said, if everyone had strong encryption enabled by default, no one would stand out, which I support.

[bad_user]

Or you know, move to a country functioning under the rule of law. I don't get this mentality, but regardless, if you're paranoid then encrypt/decrypt your messages on a computer that's never connected to the Internet. There, problem solved.

[drcube]

That's what ROT-13 and secret decoder rings are for.

[romaniv]

This elitist attitude is why I have no faith in typical "security experts" improving the overall situation with communication security for normal people.

Widely adapted open-source "bad crypto" can: - Raise user's level of awareness about security. - Create a market that can later be serviced by better crypto. - Encourage creation of infrastructure that can be later used in better crypto. - Encourage investigation of better UI.

Also, other poster are right about increasing the difficulty of executing an attack.

[derefr]

> Widely adapted open-source "bad crypto" can ... raise user's level of awareness about security.

You know that study that showed that people wearing seatbelts drive more recklessly, effectively exactly compensating for the increase in safety provided by the seatbelts?

I have a feeling people who think they're using a secure cryptosystem will speak much more freely than those who don't--meaning that the net effect of convincing users to use "bad crypto" is giving the global passive adversary† more interesting morning reading.

† Do we have a name for this guy in cryptography placeholder terms yet? Nathan (the NSA agent), maybe?

[exelius]

> You know that study that showed that people wearing seatbelts drive more recklessly, effectively exactly compensating for the increase in safety provided by the seatbelts?

Err, the first part of that statement may be true, but I don't think anyone ever put forth a claim backed up by data that they cancelled eachother out. People may drive more recklessly with seatbelts, but the law undoubtedly saved a lot of lives. You may be thinking of motorcycle helmet laws; which seems more plausible given that high-speed motorcycle accidents are much more likely to be fatal regardless.

As for the "global passive adversary", I tend to side with the term "state actor" since the only entities with the power to collect data on that scale are governments as they can legally force every telecom company in their jurisdiction to install taps while keeping their existence classified.

You're probably right about the risk compensation here; with the caveat that anyone who rises above the level of a "common criminal" would simply not trust online communication at all. Islamist terror groups use a known-courier system for all planning and communication because they just assume all electronic communications are being monitored.

[romaniv]

I have a feeling people who think they're using a secure cryptosystem will speak much more freely than those who don't--meaning that the net effect of convincing users to use "bad crypto" is giving the global passive adversary† more interesting morning reading.

I'd rather have that than the society where everyone silently accepts global surveillance as a norm and treats any kind of self-expression that gets you into trouble as pure stupidity on the part of the speaker (e.g. blames the victim).

What we have right now is a vicious cycle. "Normal" people have no cryptographic capabilities. So they simply adapt their beliefs and behavior to this reality. This makes them think of themselves as different from people who do have cryptographic capabilities. This means they develop "us and them" mentality and can no longer empathize with anyone seeking any level of digital privacy. This means there is no popular support for crypto. So "normal" people have no cryptographic capabilities.

I believe that "consumer cryptography", even if it's weak, would break this cycle.

[lmm]

Any crypto is about increasing the cost to attackers. There's no perfect crypto, and even if there were we would still have the $5 wrench attack. Security enhancing crypto is anything which is more expensive for the attacker than for the implementer, and I think encrypting with an unauthenticated key is firmly in that category.

[nodata]

When I ask people for their e-mail address, they give it to me.

When I ask them to verify their pgp key, it's less easy.

How could the verification of the key be built into the address they give me? Something DNSSEC based I guess.

[tptacek]

Yes. DNSSEC. Because what we need is a trusted arbiter, and who better to fulfill that role than the governments of the US, or whatever country happens to own the TLD I use?

[marcosdumay]

Well, it's at least better than X500. With DNSSEC you only have to trust one government, not all of them.

And you can also get more than one domain, in more than one TLD. Not very practical for automatic verification, but for surviving a manual verification several governments would have to collude against you.

I still think that there must be something better. But I'm probably not good enough to create it.

[mentat]

Governments, always trustworthy, especially for their own citizens.

[jimktrains2]

Why is it not easy to verify a key (fingerprint)? Put it on a business card with the email address or read it over the phone?

Also, DNSSEC isn't much more secure than our current CA system.

[Tomte]

Now your collection of business cards is susceptible to tampering (no cryptographic authentication!).

Do you never leave your collected business cards unattended at a conference or trade fair? Possible, if you put them into your shirt pocket.

Do you store them in a vault lomg-term? Probably not.

Is it impossible to impersonate you, either with a human sound-alike or by voice generation software?

If you want perfect security against everyone, it quickly spirals out of control. You should probably remove the wallpapers in your house regularly and inspect what's underneath. ;-)

I'm not entirely serious here, but I'm surprised at the optimism about what the individual can possibly achieve.

[jimktrains2]

I was imply it was a person-to-person handing of a business card and that if it wasn't then it could be handled via the phone (which you would need from something other than the business card). But, yes, I didn't explain that as well as I could have.

[frabbit]

"Now your collection of business cards is susceptible to tampering (no cryptographic authentication!)."

You are missing the part where it was suggested that the recipient of the business card telephones you and asks to verify the fingerprint.

[frabbit]

In response to Tomte's criticism, this all boils down to the certification level http://tanguy.ortolo.eu/blog/article9/pgp-signature-infos 1) A fingerprint on a possibly compromised business card == 0 2) A fingerprint verified by phoning someone == 1 etc, And associated with that independently is of course the level of trust.

Sorry Tomte for not replying immediately to your message, but I've posted too much on this apparently.

[Tomte]

You are missing both the "or" in his sentence (i.e. he describes alternatives, not cumulative measures) and my retort to the verification by phone.

[bradleyjg]

Either you need a trusted third party or you need to pass something that looks like (at best): 4UpbRAXYMgrESrAwiLPYymNNni1hwyL2JEK7zz2SN52t

You could do that by printing it on a business card or reading it over the phone, and then the other guy is going to have to type it in somewhere.

The reason trusted third party keeps on coming up, despite all the myriad fundamental problems, is exactly because slinging that around is so unattractive.

[acqq]

There IS a nicer way to present fingerprints to be much more human readable: map every few bytes to the whole dictionary word. There is a RFC for that:

http://www.ietf.org/rfc/rfc1751.txt

[bostik]

I've seen business cards with PGP fingerprints encoded as QR codes. That's a pretty neat idea.

[nodata]

Except you never notice when someone switches the QR code, as Tomte says.

[bostik]

Which is a very good point indeed.

[leni536]

"Hi, my email is john@doe.com and I'm johndoe on keybase.io" could work.

[Spooky23]

You nailed it. I stopped reading and started laughing when iMessage was hailed as a successful platform addressing these issues. The only thing securing iMessage is the procedure for processing law enforcement requests.

PGP is a tool that requires expertise to operate effectively. That isn't good or bad, it just is.

[matthewdgreen]

I think if you read it that way you probably didn't click the link to the extensive criticism I've written about iMessage's key distribution. Saying something is better than plaintext is not the same as saying it's good enough to send secret documents.

http://blog.cryptographyengineering.com/2013/06/can-apple-re...

[Spooky23]

I'm not terribly familiar with your writing, but I disagree that plaintext is inferior to ineffective crypto. The problem with convenient things is that you are giving up control in exchange for expediency.

In my professional life, I've provided communications solutions to a variety of true VIPs in key executive and other roles. The advice that their counsel gave on most occasions was simple: exchange secrets orally, and in person.

That means don't use the courthouse wifi, don't conduct critical deliberations via email or public telephone networks. If you google around, you can see plenty of referenced to US state governors only communicating via Blackberry text or obscure phone lines, mostly to control short term leaks and keep deliberations out of the public record.

The point of all of this is that keeping secrets is hard, and if you must exchange them electronically, you need a strong set operational protocols to keep those secrets.

[mike_hearn]

> In the absence of routine attacks targeting cryptography, it's easy to believe that systems that don't annoy their users with identity management are superior to those that do. They do indeed have an advantage in deployability! But they have no security advantage. We'll probably find out someday soon, as more disclosures hit the press, that they were a serious liability.

You're probably talking about the PKI here. However, after a year's worth of Snowden leaks (and perhaps other leakers too) there have been zero documents discussing routine or even occasional sabotage of the PKI.

You suggest that we'll "probably" find out "someday soon" that only PGP works and everything else sucks, but we already went through that acid test. PGP was such an epic failure Snowden and Greenwald failed to connect entirely, and there were no big reveals about certificate authorities.

That doesn't mean the CA system is infallible, just that attacking endpoint security is easier. But as Matt's GPG example shows, GPG endpoint security is just as pathetic. Heck I didn't realise that GPG couldn't safely import public keys by fingerprint. How the hell does software like that, which has been around so long, fail to do such a basic check? QUANTUM would have made mincemeat of anyone trying to communicate securely using mainstream PGP implementations, whereas most S/MIME implementations I know of wouldn't have been fooled so easily.

Hand-waving about how anything other than PGP is trustworthy doesn't fly with me: there's too much real world evidence from real world adversaries that it sucks and other systems work better.

[mrb]

I strongly agree with Matt that a transparent key exchange is crucial to boost PGP adoption. In fact, a few weeks ago I proposed a mechanism to do precisely that, over automated email responses, see http://blog.zorinaq.com/?e=76 (the mechanism I describe also solves a bunch of problems regarding how to share other personal information).

I would love to hear input from HN readers...

[secalex]

I gotta back Matt here. While none of the three of us would endorse the iMessage key exchange model, the truth is that the team that implemented iMessage crypto have kept more communications safe from dragnet surveillance than everybody commenting on this HN article combined.

I personally think there is a good middle ground where identity management is invisible to most users and customizable by users with more challenging threat models. That is what we are aiming for.

[tptacek]

Hold on. The iMessage key exchange model works in part because it has trust anchors; it's not a pure peer-peer system. You can see the tradeoff it makes by looking at any discussion of iMessage ever and noting how people discount its security because of those trust anchors.

[sorbits]

> […] with a very few exceptions (that probably prove the rule)

Off topic and pedantic but exceptions do not prove rules.

A specific exception like “you are allowed to do X when Y is true” may be used as proof of an (unwritten) rule about X being forbidden.

I.e. here we use the exception (when Y is true we are allowed to do X) to prove that there is a general rule saying that X is forbidden.

[gecko]

That's also wrong. The expression uses an archaic transitive "prove," which means "to test." Thus, "the exception tests the rule," which makes more sense.

[sorbits]

Do you have a source for that?

From http://en.wikipedia.org/wiki/Exception_that_proves_the_rule

"The exception [that] proves the rule" means that the presence of an exception applying to a specific case establishes ("proves") that a general rule exists. For example, a sign that says "parking prohibited on Sundays" (the exception) "proves" that parking is allowed on the other six days of the week (the rule). A more explicit phrasing might be "The exception that proves the existence of the rule."

[nktr1]

Just an idea that might not be very practical but what if there was X number of "master" public keys managed by trusted groups that could be used to verify other public keys and they were posted in plain text on billboards across towns (maybe could replace CAs?)... just like you can use the Debian keys to verify the Tails OS key..

[dsr_]

If it became at all popular, some people would have to know the private key half (or be able to decrypt it for use, same thing)... and those people would be subject to bribery, coercion, and rubber-hose cryptanalysis. I would not want to be one of them; I have relatives whom I love.