Werner Koch <[email protected]> wrote:
 |On Mon,  1 Sep 2014 12:48, [email protected] said:
 |> The web of trust hasn't failed?
 |
 |The WoT is only a part of OpenPGP and actually never specified.
 |
 |Sure, mass-acceptance of encrypted mail failed but not due to the WoT.
 |If you ask OpenPGP users you will notice that most of them entirely
 |ignore the key validity issue and at best use local signature to mark
 |keys valid.  Does this help?  No, people still complain that encryption
 |looks too complicated and they turn over to the next hottest

If with the introduction of the new German passport every receiver had
also obtained a set of usable PGP and OpenSSL S/MIME keys and/or
certificates -- at best with a small info flyer which would have
shown how to import those into the tools of the most widespread
operating systems -- the situation would surely be better in
Germany.

Not that this means that some kind of people won't go with hypes
anymore, but I am sure for most people, Germans that is, WoT had
to be something from the "ultimate" (or only real) authority, and
would then be used just the same way as one uses the passport.
Note that this would also cut down the complexity of key handling,
the sheer amount of keys to be managed, which can be kind of
frightening if you're unlucky.

So unfortunately that didn't happen, and "ca-certificates" no
longer includes CACert.org because people are playing games or
misusing their anonymity for whatever reason, so where does
a normal person get their free S/MIME environment from (the list
has already seen those approaches that are not really usable for
a normal person)?

Providers could include a free certificate with each account,
which would enable their users to choose security by themselves
(on a per-provider basis).
An SMTP-server chain of trust can prevent STARTTLS MITM by simply
assuming TLS (which didn't become SMTPS via port 465 for reasons
that I don't know, yet NetBSD's /etc/services still lists this
relationship and my free mail provider offers the service as
such).
I personally never liked DNSSEC; UDP packet sizes can be
enlarged etc., but I would have preferred that usage of TCP be in
the protocol, and then protected right away via TLS, and
ca-certificates are installed wherever I am.
Of course my opinion is rude and simple and doesn't deliver.

--steffen
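The point above about "simply assuming TLS" versus opportunistic STARTTLS is worth seeing in code. The following is an added example, not code from the mailing-list post or from any project mentioned in it: it shows a submission client that fails closed when a server does not advertise STARTTLS or presents an unverifiable certificate (the behaviour that defeats a STARTTLS-stripping MITM), and uses implicit TLS on port 465 (SMTPS) where there is nothing to strip. `FakeSMTP`, `TLSRequired`, `require_starttls` and `connect_with_tls` are names chosen for this example; `FakeSMTP` is a constructed stand-in for `smtplib.SMTP` so the policy logic runs offline.

```python
"""Mandatory-TLS policy for an SMTP submission client (added example).

Opportunistic STARTTLS lets a client fall back to plaintext when the
server does not advertise STARTTLS; a MITM only has to strip the
capability.  Mandatory TLS refuses to continue instead.  Implicit TLS
on port 465 (SMTPS) starts the handshake before any SMTP command, so
there is no capability to strip at all.
"""
import smtplib
import ssl


class TLSRequired(Exception):
    """Raised when the policy demands TLS but the server cannot provide it."""


def strict_context() -> ssl.SSLContext:
    # The default context verifies the chain against the system CA store
    # ("ca-certificates") and checks the hostname; both are needed,
    # otherwise a MITM can present any certificate it likes.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def require_starttls(smtp, context: ssl.SSLContext) -> None:
    """Upgrade a plaintext SMTP session to TLS, or fail closed.

    smtplib itself leaves it to the caller to continue in plaintext when
    STARTTLS is missing; this wrapper turns that into a hard error.
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        raise TLSRequired("server did not advertise STARTTLS; refusing plaintext")
    smtp.starttls(context=context)  # raises ssl.SSLError if verification fails
    smtp.ehlo()  # capabilities must be re-read after the upgrade


def connect_with_tls(host: str, port: int, context=None):
    """Return an smtplib connection that is guaranteed to be under TLS."""
    context = context or strict_context()
    if port == 465:
        # Implicit TLS: handshake first, SMTP afterwards.
        return smtplib.SMTP_SSL(host, port, context=context)
    smtp = smtplib.SMTP(host, port)
    try:
        require_starttls(smtp, context)
    except Exception:
        smtp.close()
        raise
    return smtp


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP, used only for the offline demo."""

    def __init__(self, offers_starttls: bool, cert_ok: bool = True):
        self.offers_starttls = offers_starttls
        self.cert_ok = cert_ok
        self.tls_active = False

    def ehlo(self):
        return (250, b"fake.example")

    def has_extn(self, name: str) -> bool:
        return name.lower() == "starttls" and self.offers_starttls

    def starttls(self, context=None):
        if not self.cert_ok:
            raise ssl.SSLCertVerificationError("certificate verify failed (constructed)")
        self.tls_active = True
        return (220, b"Ready to start TLS")


def demo(offers_starttls: bool, cert_ok: bool = True) -> str:
    """Run the fail-closed policy against a fake server and report the outcome."""
    server = FakeSMTP(offers_starttls, cert_ok)
    try:
        require_starttls(server, strict_context())
    except TLSRequired:
        return "refused: no STARTTLS"
    except ssl.SSLError:
        return "refused: bad certificate"
    return "sent over TLS" if server.tls_active else "sent in plaintext"


if __name__ == "__main__":
    print("honest server     ->", demo(True))
    print("STARTTLS stripped ->", demo(False))
    print("wrong certificate ->", demo(True, cert_ok=False))
```

The decisive line is the `raise TLSRequired` after `has_extn`: with plain `smtplib.SMTP` a client that forgets that check silently sends in the clear, which is exactly the downgrade the post's "assume TLS" policy rules out.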

_______________________________________________
Endymail mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/endymail
