Ben Laurie wrote:
I don't use PGP - for email encryption I use enigmail, and getting missing keys is as hard as pressing the "get missing keys" button.
Missing keys that do not exist or do not work (user forgot passphrase or revoked) are still missing keys, no? Considering how few users use PGP, we must assume that nearly all users have no keys.
Most of my encryption is done simply because it's a good thing to do. If the wrong guy is reading it I'll find out in the end. For the few where I really care I'm prepared to go through that hassle.
After 15 years of PGP and PKI evolution, users still say it's just not working. The problem seems to be the methods, not the implementations. Notwithstanding people that do "the good thing".
Really? I just write "Ed Gerck" on an envelope and it gets to you? I doubt it. Presumably I have to do all sorts of hard and user-unfriendly things to find out and verify your address.
Perhaps I wasn't clear -- with postal mail you just write my name and address in YOUR envelope and it gets to me. With PGP and PKI you have to ask for MY "envelope" first; further, MY public-key creates the secure envelope that you now need to trust with YOUR secret...
If you handled your keys properly I would not need to ask you for anything.
My $0.02: If we want to make email encryption viable (i.e., user-level viable) then we should make sure that people who want to read a secure communication should NOT have to do anything before receiving it. Having to publish my key creates sender's hassle too ...to find the key.

BTW, users should NOT be trusted to handle keys, much less to handle them properly. This is what the users themselves are saying and exemplifying in 15 years of experiments.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
