[Cryptography] Avoiding PGP

Phillip Hallam-Baker phill at hallambaker.com
Sun Mar 18 11:56:23 EDT 2018


On Wed, Mar 14, 2018 at 6:08 PM, Alexander Klimov via cryptography <
cryptography at metzdowd.com> wrote:

> On Wed, 14 Mar 2018, Carlos Alas via cryptography wrote:
> > My question is: Is there any substitute or equivalent? And I am
> > aware that many people advice to use Signal, however I am wondering
> > about an e-mail specific alternative.
>
> As far as the use-case is to send messages to offline users you know,
> PGP is simply perfect. Practically, as far as family and close friends
> go, you can set it up for your kids or grandma and it simply works.
>
> The problem only starts then none of the users is tech-savvy or only
> one is and he cannot support the other. I think this is quite rare
> use-case and it is very unlikely that someone without knowledge or
> support will be able to use any cryptographic system securely, so we
> should not blame GnuPG here.
>
> --
> Regards,
> ASK
>

​Perfect? Good grief... only if you haven't used any application developed
since 1995 or so.

If you think it is perfect you understand nothing about usability. When
people blame the users rather than the developers, they are always wrong
because the users have no ability to change anything, only the developers
do.


I was utterly dumfounded ​when I used the GPG plug in and received my first
encrypted email and had to tell the app to decrypt it. No, that is not
acceptable.

WoT sounds great until you realize that most people just use the keys on
the MIT key server and make no effort to validate them whatsoever. So
really good trust has been downgraded to none.

There is no infrastructure to manage private keys for users so they can
receive mail on multiple devices. PGP/MIME isn't really standardized, etc.
etc.

S/MIME has problems as well. And the biggest problem of all is the format
war between the two is still going on.

Neither is fit for purpose today. If not for the standards war, I would say
lets fix one or the other but that isn't possible when one has mindshare
and the other has deployment. We never really got past the VHS/Betamax
standards war either, that was ultimately decided when Sony started work on
DVD.


​What I am trying to do with the Mesh is two step:

1) Make it as easy as possible to use PGP and S/MIME ​today by performing
all the private key operations for users, automating all the make work
maintenance tasks etc.

2) Introduce a new secure messaging infrastructure that provides
functionality neither PGP nor S/MIME offer, that is group messaging and
document level encryption. The infrastructure that lets you securely share
your Word and Powerpoint documents online can also be used for
intra-enterprise mail and messaging and is secure and can also be used
externally because it is an open standard.

Users win because they get secure messaging apps that are exactly as easy
to use as their current insecure apps.

Enterprises win because this is security people will use.

Vendors win because they can sell new stuff even if it isn't strictly
necessary.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20180318/c2a99fc4/attachment.html>


More information about the cryptography mailing list