On Feb 01, Will Yardley [[EMAIL PROTECTED]] wrote:
> yeah i think the issue is not so much of technical sophistication
> (although that's an issue too) as of the fact that most people Don't
> Care.
> 
> 99% of the people i correspond with simply don't care, so i generally
> don't bother to encrypt or sign my communications with them.

This is the issue of why-to-sign-mails-anyway, and it comes up often enough
to ignore it here... for the purposes of the issue at hand (S/MIME compared
to OpenPGP, especially their respective sig sizes), let's just assume that
the mails in question *are* going to be signed.
/me fears yet another thread that never ends.

> also, there are pgp front ends and plugins for most browsers/ email
> clients; obviously this isn't as good as built in support, but from what
> i've seen it's not rocket science.

The web of trust is close enough to rocket science for most people that we
are never going to see encryption become a social norm through relying only
on public acceptance of what that market offers now.

S/MIME apparently makes it easy enough for average people that they can get
benefits on basic, CA based encryption.  That's not the ideal situation but
it gets us closer to it than not.

> however the fact is - using any sort of encryption requires some amount
> of technical sophistication, as you have to understand some of the more
> subtle issues at work (both technical issues, and issues of trust).
> encryption used by someone without at least a basic understanding is
> worse (IMHO) than none at all.

Neither of these is necessarily true.  HTTPS is a good example.  Most ebay
and amazon users have no idea of any of the technical issues involved with
using SSL, but because they use it anyway, their communication is more
secure than it would be without it.  And because they use it, it is
easily available to those of us that do understand it.  And because it is a
social norm and Big Companies even rely on it, when the US Congress
recently suggested that they were going to break it all to stamp out
terrorism, it was the big corporate guns that told them the idea was
ridiculous.  If they'd only attacked PGP and email encryption in its
current state, we wouldn't have gotten anything like that kind of support.

There is certainly a point where misunderstanding or failing to understand
what's going on will put you at more risk than not using any encryption at
all, but that point is not reached by casual use of things like HTTPS or
S/MIME.

> i don't think the difficulty of PGP is totally a bad thing - PGP is
> designed in such a way that you HAVE to come to a basic understanding of
> some of these issues in order to use it.

The difficulty of PGP is what's kept it from being publicly accepted as a
normal thing to do, and that in turn has made it so those that DO use it
are limited to a few tech-savvy subsets and real revolutionaries, both of
which are easily identifiable with simple traffic analysis.

People need to consider encryption completely normal, so that everyone uses
it as a matter of course.  This will drive the industry forward and take
basic threats of government intervention completely off the table as
options.  Those who don't understand it could still get some benefit from it,
and those of us that do understand it would get quite a lot of peripheral
benefit from having all traffic encrypted, even if a lot of it were
encrypted poorly.

People need to accept encryption the way they accept envelopes on snail
mail.  They never would have globally accepted these if you couldn't use
one unless you knew how to make your own adhesive, ink, and stamps.

I saw Phil Zimmermann speak a few months ago at ALS in Oakland, and he
understands this more than anyone.  He expressed a good bit of dismay at
how clique-ish PGP usage is, and how much it has missed the mark of being a
way to give encryption to the masses and make it normal.  He endured all
manner of government harassment to defend people's right to use this stuff,
and yet years later, hardly anyone is taking advantage of it.

It was really interesting hearing him speak.  It's too bad he had to stop
due to people in the audience arguing that there was no value at all in
people using PGP unless they all used it completely securely (the main
antagonist noted that he keeps his private keys on a CD and never has that
near his computer unless it's completely disconnected from the network),
which prompted a bunch more people to complain that there was too much
talking and not enough key signing going on.
