NPR : E-Mail Encryption Rare in Everyday Use

[Ed Gerck]

Ben Laurie wrote:
> I don't use PGP - for email encryption I use enigmail, and getting
> missing keys is as hard as pressing the "get missing keys" button.

Missing keys that do not exist or do not work (user forgot passphrase or
revoked) are still missing keys, no? Considering how few users use PGP,
we must assume that nearly all users have no keys.

> Most of my encryption is done simply because its a good thing to do. If
> the wrong guy is reading it I'll find out in the end. For the few where
> I really care I'm prepared to go through that hassle.

After 15 years of PGP and PKI evolution, users still say it's just not working.
The problem seems to be the methods, not the implementations. Notwithstanding
people that do "the good thing".

> Really? I just write "Ed Gerck" on an envelope and it gets to you? I
> doubt it. Presumably I have to do all sorts of hard and user-unfriendly
> things to find out and verify your address.

Perhaps I wasn't clear -- with postal mail you just write my name and address
in YOUR envelope and it gets to me. With PGP and PKI you have to ask for MY
"envelope" first; further, MY public-key creates the secure envelope that you
now need to trust with YOUR secret...

> If you handled your keys properly I would not need to ask you for anything. 

My $0.02: If we want to make email encryption viable (ie, user-level viable)
then we should make sure that people who want to read a secure communication
should NOT have to do anything before receiving it. Having to publish my key
creates sender's hassle too ...to find the key.

BTW, users should NOT be trusted to handle keys, much less to handle them
properly. This is what the users themselves are saying and exemplifying in
15 years of experiments.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com