[Cryptography] Dark Mail Alliance specs?

Stephan Neuhaus stephan.neuhaus at tik.ee.ethz.ch
Sat Nov 23 15:11:05 EST 2013


On 2013-11-23, 13:30, Ralf Senderek wrote:
> People are using the internet, they are typing sensitive information
> into textareas and sending them off, and on the other hand
> "/usr/bin/gpg" is installed on almost every server, why can't we make
> Johnny Average use it?

That is almost exactly the title of a very old paper from 1999's
Usenix Security.  It's called "Why Johnny Can’t Encrypt:
A Usability Evaluation of PGP 5.0" and still a worthwhile read.  Things,
if they have changed at all since then, have changed very little.  For
example, I can't get OpenPGP's Thunderbird plugin to understand that I
have different private keys that I use for different purposes on the
same account. I always need to go through preferences to change it.
(N.B.: there *might* be a way to do it, but I couldn't figure it out.)

One big problem is that most crypto software is written by geeks who
then often simply map every feature of the command-line program to a GUI
and then think that their grandmothers can operate it as well as they
can.  I mean, they ought to try to explain to their grandmothers the
concept of a public key.  And if any geek is reading this, and if you
think that you have this wonderful metaphor that is so simple that
surely any grandmother will understand it, please do actually try it out
on an actual grandmother.  You might be surprised.

In my opinion, massive user-controlled email encryption will not happen.
Not now, and not in the next ten years.

Fun,

Stephan

PS: GPG being installed *on the server* won't make Johnny use encryption
*on his client*.