On Thu, 23 May 2002, Lucky Green wrote:

> Adam wrote:
> > Which is too bad. If NAI-PGP went away completely, then
> > compatibility problems would be reduced. I also expect that
> > the German government group currently funding GPG would be
> > more willing to fund UI work for windows.
>
> Tell me about it. PGP, GPG, and all its variants need to die before
> S/MIME will be able to break into the Open Source community, thus
> removing the last, but persistent, block to an instant increase in
> number of potential users of secure email by several orders of
> magnitude.
>
> Here's to hoping,
Good god, Lucky. Are you serious?

If S/MIME were actually usable and accessible to the end user today, PGP and GnuPG would be irrelevant. You think that a smattering of Open Source users are what is preventing widespread usage of S/MIME? That's too kind to both the "Open Source Community" and to S/MIME.

S/MIME support is in just about every popular email client out of the box. Why is PGP more widely used? This shouldn't be the case -- installing PGP, configuring it to work with your mail program, etc., isn't trivial. As much as I would like to say that security issues, such as the inability of Alice to prevent Bob from encrypting messages to Alice with a 40-bit cipher, are what puts PGP in the lead, the truth is that many users would likely be happy to use a less secure mail encryption program if it meant one less installation step.

No, the many version and implementation incompatibilities in the S/MIME space, coupled with the reliance on a central third-party CA, are S/MIME's downfall. Thinking that PGP's existence has anything to do with this is silly. Remove PGP, and you won't find more S/MIME users. You'll see more unencrypted email, and more "new proposals" for encrypted email (such as the zero-UI and passive attack protection systems that Brad Templeton and Bram Cohen have been passing wind about for a few years now).

There are three main classes of mail encryption users:

1. The people who demand true security. These are the cypherpunks, the government agencies, the savvy drug dealers, financial traders, etc. They won't trust S/MIME, they won't trust EnvelopeMail, and they won't use Zixit. They might use PGP, though if they have the resources they'll use something developed securely in-house. This class is fairly small.

2. The people coerced into using encryption by [1]. This is the government contractors, cypherpunks' relatives, the drug couriers, and other business partners of the first class. These people will use whatever standard is dictated by the people with whom they must do business. This class is also small, but makes up the majority of mail encryption users today.

3. The people who might use it if it is easy. This is Joe Sixpack. This is who you are worrying about, wanting S/MIME to deliver on its promises. This is who Templeton is worrying about, wanting opportunistic mail encryption.

Public key crypto is a complicated, confusing concept. To date, no one has even proposed a system that would be both secure under a reasonable threat model for [1] and simple enough to be grokked by [3]. And guess what? [3] doesn't care. [3] isn't asking for it. [3] might use it if it existed, but you'd be lucky to be appreciated for your troubles. Most likely, you're only in for a lot of criticism when your solution doesn't measure up to [1]'s standards.

If you want to be the guardian of Joe Sixpack, go right ahead. Be warned that it is a thankless job.

-MW-