Updated OpenPGP Security (markdown)

OpenPGP-Security.md

@@ -57,6 +57,36 @@ TODO: Yes we must do this. Important TODO
 #### Support for Image Attribute Subpacket?
 No, in about 99% of all use cases there are better photos to be found in Android's contact database.
 
+### Thesis
+* OpenPGP is over-engineered
+* Web of Trust has failed
+* nobody understands tsigs
+* nobody understands different trust levels
+
+### Solution
+* Identities **are** certified or **not**
+* Alternately, trust is probabilistic. Keys have associated metadata which a potential user may examine to help in deciding whether to use them.  Web-of-trust and Keybase-style "proof" data could be included here, and it seems likely that other flavors of such metadata are likely to arrive.
+* Hide Web-of-Trust
+
+
+# Fingerprints and key IDs
+* Don't prefix "0x", average users do not understand this
+* handle key IDs like telephone numers
+* no monospace for key IDs (do you use monospace on telephone numbers? no)
+* Key IDs lower case to better differentiate numbers and letters
+* Don't show key ids? (https://www.debian-administration.org/users/dkg/weblog/105)
+
+# Key creation
+
+## User ID comments
+Considered harmful, so only in advanced key edit.
+See https://www.debian-administration.org/users/dkg/weblog/97
+
+## Password meters
+  * ["How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation."](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final209.pdf)
+  * "Does my password go up to eleven?: the impact of password meters on password selection"
+
+
 ### Relevant links
 * https://gist.github.com/coruus/68a8c65571e2b4225a69
 * https://help.riseup.net/en/security/message-security/openpgp/best-practices