ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: pgp signing in van

2013-09-09 15:12:09
from [Dan York] [Permanent Link] 

On Sep 9, 2013, at 9:58 AM, Ted Lemon wrote:


Seriously, this perfectly illustrates the reason why PGP hasn't seen 
widespread deployment: it doesn't address a use case that anybody understands 
or cares about, and it appears to address a use case that people actually 
would like to avoid.

Here is the current use model for PGP:

(1) I generate a key and sign all my email with it
(2) People reading my email see an obscure indicator somewhere in my email 
that indicates that it was signed by either an unknown key (nearly always) or 
a known key (I don't even know what that looks like)
(3) ???
(4) WIN!

First of all, this does nothing to preserve privacy, so I don't know why 
we're even talking about it.   PGP in principle could be used to encrypt 
communication, but because we don't really have an agreed-upon trust model, 
this is a use case that only occurs when people are _highly motivated_ to 
protect their privacy, and that's not most people, and not most of the time.

This stuff matters.   Thinking about the use model for the tools we build is 
_the most important aspect_ of protecting peoples' privacy.   If we don't 
think about these things, we're just producing cool toys that will never see 
general use.


+1!  The use model is critical.  I have tried numerous times over the past many 
years to get PGP used for email (either signing or encrypting) within various 
groups but outside of small groups of more paranoid security-types it has never 
really taken off because it has been way too difficult for the average user to 
get configured and use regularly.  

Even in the groups where PGP was (and is) being used, usage is inconsistent in 
part because people are now accessing their email using different devices and 
not all of them have easy access to PGP/GPG.  If you receive an encrypted 
message... but can only read it on your laptop/desktop and not your mobile 
device, and you are not near your laptop/desktop, how useful is the encryption 
if you need to read the message?  You have to either wait to get back to your 
system or ask the person to re-send unencrypted.

For PGP to really get any real usage for email, it has to "just work" for the 
average user. 

My 2 cents,
Dan

-- 
Dan York  dyork(_at_)lodestar2(_dot_)com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  What real users think [was: Re: pgp signing in van], Brian E Carpenter
Next by Date:  Re: What real users think [was: Re: pgp signing in van], Dave Crocker
Previous by Thread:  Re: What real users think [was: Re: pgp signing in van], John C Klensin
Next by Thread:  Re: pgp signing in van, Ted Lemon
Indexes:  [Date] [Thread] [Top] [All Lists]