<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Dec 16, 2014 at 8:19 AM, Paul Hoffman <span dir="ltr">&lt;<a href="mailto:paul.hoffman@vpnc.org" target="_blank">paul.hoffman@vpnc.org</a>&gt;</span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>On Dec 15, 2014, at 5:37 PM, Tony Arcieri &lt;<a href="mailto:bascule@gmail.com" target="_blank">bascule@gmail.com</a>&gt; wrote:<br>
> However, they're trying to raise the usability bar, but the first thing you have to do is install Node.js and run a bunch of crap from the command line.<br>
<br>
</span>Not at all. You can use their web UI without doing anything from the command line. This brings in some completely terrible features involving your private key, but no one has proposed any other way of doing what they do in a browser context with less terrible things.</blockquote><div><br></div><div>Please see the work Google E2E is doing:</div><div><br></div><div><a href="https://github.com/google/end-to-end">https://github.com/google/end-to-end</a></div></div><div><br></div><div>Google is collaborating with Yahoo to ensure their implementations are compatible:</div><div><br></div><div><a href="http://www.infoworld.com/article/2860435/security/googles-work-on-full-encryption-chugs-along-with-yahoos-help.html">http://www.infoworld.com/article/2860435/security/googles-work-on-full-encryption-chugs-along-with-yahoos-help.html</a><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-size:13px">Do note that that article does not give any actual solutions for people who do not completely trust their enterprise or service provider. 
A better description of the article is "we can and should make life much easier for those who trust others with their keys and identity".</span></blockquote><div><br></div><div><div><span style="font-size:13px">Google proposed a CT-like transparency protocol which would help users identify if their directory misadvertised their keys:</span></div><div><span style="font-size:13px"> </span></div><div><a href="https://web.archive.org/web/20141117091459/https://code.google.com/p/end-to-end/wiki/KeyDistribution">https://web.archive.org/web/20141117091459/https://code.google.com/p/end-to-end/wiki/KeyDistribution</a> </div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-size:13px">However, many of us tell our friends not to do that, particularly with high-value keys or identities.</span></blockquote><div><span style="font-size:13px"><br></span></div><div><span style="font-size:13px">Making users responsible for their own key management is a great security practice, and key management forms a huge part of my day job, but asking Johnny to manage his own keys doesn't help Johnny encrypt.</span></div><div><span style="font-size:13px"><br></span></div>-- <br><div>Tony Arcieri<br></div>
</div></div>