On Sep 9, 2013, at 9:58 AM, Ted Lemon wrote:
> Seriously, this perfectly illustrates the reason why PGP hasn't seen
> widespread deployment: it doesn't address a use case that anybody understands
> or cares about, and it appears to address a use case that people actually
> would like to avoid.
>
> Here is the current use model for PGP:
>
> (1) I generate a key and sign all my email with it
> (2) People reading my email see an obscure indicator somewhere in my email
> that indicates that it was signed by either an unknown key (nearly always) or
> a known key (I don't even know what that looks like)
> (3) ???
> (4) WIN!
>
> First of all, this does nothing to preserve privacy, so I don't know why
> we're even talking about it. PGP in principle could be used to encrypt
> communication, but because we don't really have an agreed-upon trust model,
> this is a use case that only occurs when people are _highly motivated_ to
> protect their privacy, and that's not most people, and not most of the time.
>
> This stuff matters. Thinking about the use model for the tools we build is
> _the most important aspect_ of protecting people's privacy. If we don't
> think about these things, we're just producing cool toys that will never see
> general use.

+1! The use model is critical. I have tried numerous times over the past many
years to get PGP used for email (either signing or encrypting) within various
groups but outside of small groups of more paranoid security-types it has never
really taken off because it has been way too difficult for the average user to
get configured and use regularly.

Even in the groups where PGP was (and is) being used, usage is inconsistent in
part because people are now accessing their email using different devices and
not all of them have easy access to PGP/GPG. If you receive an encrypted
message... but can only read it on your laptop/desktop and not your mobile
device, and you are not near your laptop/desktop, how useful is the encryption
if you need to read the message? You have to either wait to get back to your
system or ask the person to re-send unencrypted.

For PGP to really get any real usage for email, it has to "just work" for the
average user.

My 2 cents,
Dan
--
Dan York dyork(_at_)lodestar2(_dot_)com
http://www.danyork.me/ skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork