NPR : E-Mail Encryption Rare in Everyday Use

Ben Laurie ben at algroup.co.uk
Fri Feb 24 09:59:20 EST 2006


Ed Gerck wrote:
> Ben Laurie wrote:
>> Ed Gerck wrote:
>>> Paul,
>>>
>>> Usability should by now be recognized as the key issue for security -
>>> namely, if users can't use it, it doesn't actually work.
>>>
>>> And what I heard in the story is that even savvy users such as Phil Z
>>> (who'd have no problem with key management) don't use it often.
>>>
>>> BTW, just to show that usability is king, could you please send me an
>>> encrypted email -- I even let you choose any secure method that you
>>> want.
>>
>> Sure I can, but if you want it to be encrypted to you, then you need to
>> publish a key.
> 
> This IS one of the sticky points ;-) If postal mail would work this way,
> you'd have to ask me to send you an envelope before you can send me mail.
> This is counter-intuitive to users.

We have keyservers for this (my chosen technology was PGP). If you liken
their use to looking up an address in an address book, this isn't hard
for users to grasp.

> Your next questions could well be how do you know my key is really mine...
> how do you know it was not revoked ...all of which are additional sticky
> points.

For revocation, keyservers again. If I cared whether it was really yours
(I don't), then I'd check the signatures, or verify the fingerprint
out-of-band.

> In the postal mail world, how'd you know the envelope is really from me or
> that it is secure?

I don't.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
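
The out-of-band fingerprint check mentioned in the reply above, sketched as an added example that is not part of the original thread: it extracts the public-key packet from a binary (non-armored) key blob, such as one fetched from a keyserver, computes the OpenPGP version 4 fingerprint (SHA-1 over 0x99, a two-byte length and the packet body) and compares it with a fingerprint received over another channel. The function names and the sample key are constructed for illustration; only v4 keys with definite packet lengths are assumed, and signature and revocation checking are not covered.

```python
import hashlib
import struct

def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def first_packet(data):
    """Return (tag, body) of the first packet in a binary (non-armored) key blob."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                   # new-format header
        tag, l0 = hdr & 0x3F, data[1]
        if l0 < 192:
            length, off = l0, 2
        elif l0 < 224:
            length, off = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                            # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype                               # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(key_body):
    """SHA-1 over 0x99, the 2-byte body length, and the public-key packet body."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def matches_out_of_band(key_blob, stated_fingerprint):
    """Compare the fetched key's fingerprint with one received over another channel."""
    tag, body = first_packet(key_blob)
    if tag != 6:
        raise ValueError("first packet is not a public key")
    return v4_fingerprint(body) == "".join(stated_fingerprint.split()).upper()

# Constructed sample: a v4 RSA public-key body with a made-up modulus (not a usable key).
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1140793160) + b"\x01" + mpi((1 << 1023) | 0x10001) + mpi(65537)
SAMPLE_BLOB = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY   # old-format header, tag 6
```

The stated fingerprint may be typed with spaces and in either case; a key whose material differs in any bit produces a different fingerprint and the comparison fails.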


