On 04/22/2014 10:49 PM, Hauke Laging wrote:
> We do agree that crypto is by its nature difficult...
I agree, but I believe the statement should be more specific, i.e.: ...Web-of-Trust is by its nature difficult...

If I can propose a "we do agree" statement, it would be the following: *We do agree that the WoT is the principal obstacle to a wider adoption of GnuPG.* (What we might or might not agree on is whether GPG without the WoT is still GPG: an indispensable communication security tool, one of the best around.)

If the complex structure of the beast is not reasonably well understood by the user, it is of little value to the novice. There is nothing that the user interface skin can cover it with, that can, IMHO, change that fact. Struggling with the physiology consisting of a large number of arcane rules, with no understanding of the full anatomy of the underlying system, is a path to endless frustration and a source of frequent critical usage errors.

There are two kinds of circumstances where new users are motivated to use the tool: communication with parties that the user has had prior familiarity with, and those where the first and only contact is via GPG-generated cypher-text.

New users that belong to the first kind above should be given an option of completely ditching the whole WoT superstructure in favour of the independent procurement of the key fingerprint, and should be explained how to go about the key verification using the trusted fingerprint, and provided with the UI devices that make this as simple as possible. No WoT functionality whatsoever should be exposed to the user.

I strongly believe that a vast majority of present and prospective GPG users with the "real world" threat model would be well served by this approach.

delgado
