[Cryptography] What ever happened to end-to-end email encryption?

Jeffrey Goldberg jeffrey at goldmark.org
Sun Aug 22 15:46:33 EDT 2021


On Aug 20, 2021, at 7:31 PM, R Perlman <radiajpc at gmail.com> wrote:
> 
> The usability issues were not worked out. How would a user obtain a public key? How would a user get a certificate? How would a user know the public key of someone they are receiving from/sending to?

I was a huge advocate of PGP back in the 90s where I was postmaster at a post graduate engineering university in the UK. I was extremely well positioned to teach and support the use of PGP. (Well, other than the fact that as a US citizen, I couldn’t legally make PGP available to those in the UK, but that is another story.) 

One of the reasons for my bring pretty good privacy to the masses is that for people to use it safely they needed to understand the distinction between trusting an identity and “trusting as an introducer.” Sure individuals are smart enough to understand that distinction if motivated to, but it is a lot to ask from users. UI can help, but it can’t make that problem go away.

As much as we all hate the system of CAs out there, it is enormously better for users than the web of trust. This brings us to S/MIME. Getting a proper S/MIME certificate for most people requires that they generate a CSR. UI can help, but it is also a really big ask conceptually. Website certificates work because users only have to deal with the (much improved in recent years) browser warnings. Only the site administrators have to deal with CSRs and renewals. S/MIME puts that sort of burden on the user.

Anyway, those reasons may not be why efforts failed, but I believe that they will need to be solved for efforts to succeed. 
