On 13.10.2019 22:27, Jeff Allen via Gnupg-users wrote:
> On 10/13/19 2:21 AM, Patrick Brunschwig wrote:
>> The vast majority of users of Enigmail (somewhere around 98%) don't use
>> external built keys.
>
> How do you know this?
>

I don't know either, but perhaps it is in the debug logs the Enigmail
team analyzes?

>> The vast majority of users also don't use GnuPG for
>> anything else than email. These users don't care where their key is
>> stored, nor which software under the hood is used for the crypto. All
>> they care is that encryption works smoothly.
>
> And this?
>

I am also not sure about this.

As far as it concerns Windows, the first part of the statement may be
true. There is plenty of software to encrypt single files or directories
for Windows, including the software which is part of the O/S. People
probably tend to go the easiest way, even if another solution would be
safer and technically superior. I don't know the situation under Linux
well enough to comment.

I disagree with the second part of the statement, though. Most of the
people who think about privacy and email encryption / authentication at
all are educated, non-average users who want to be sure that there are
no backdoors in their software and that they use it as safely as
possible (meaning that they care about software, algorithms and
ciphers), and who want to back up their keys (meaning that they care
where the keys are stored).

And yes, I want to decide on my own if my key is ED25519, RSA1024 or
RSA4096 :-)

>> The most important aspects from our side are the following: The chosen
>> solution must run smoothly for the ~20M users of Thunderbird without
>> causing a large amount of support/setup issues.
>
> Presumably those ~20,000,000 will have to opt-in to use Thunderbird
> encryption. Most won't for the same reason they don't install and use
> Enigmail now. They don't particularly care about privacy, and the few
> who do care correspond with people who don't.
>

I am not sure where this will lead to. It sounds as if you were
suggesting to give up on privacy, encryption and authentication for that
reason.
While I agree with you that this problem exists and is quite difficult
to solve (eventually it needs another decade), I am absolutely sure that
bad and difficult software will make it worse, but good and usable
software will help in solving it. The fact that the problem exists does
not mean that nobody should try to solve it by providing easier-to-use,
fully integrated software with reasonable default settings.

>> We want to have
>> something that satisfies as many users of Enigmail as possible. We
>> certainly don't want to have people run away from Thunderbird because of
>> OpenPGP.
>
> [Snip]
>
> Is there any reason to think that folks who object to easy-to-use
> proprietary encrypted email solutions from ProtonMail and Tutanota will
> embrace a proprietary encrypted email solution from Thunderbird?
>

There are many reasons to think so (the following applies to ProtonMail
as well as Tutanota):

1) To actually use those services in a reasonable manner, you have to
opt-in for a paid contract. For most of us, this is a matter of
principle. Why should we pay for a thing that used to be free all the
time? (Note: I don't want to judge that attitude - I am just stating how
it is).

2) None of those services supports IMAP or POP3. I would be totally
crazy if I would make myself totally dependent on companies or services
which won't let me download my messages and integrate them into my email
client. What happens if those companies suddenly stop their service and
you haven't downloaded your messages yet (which anyway seems to be
impossible)? Or if you decide that you want to use another service? How
long will you be able to access your messages after you have stopped
paying your old service? Will they delete your messages until the quota
for free usage is reached again? I insist on having all important data,
including email messages, in-house and under my complete control, and I
strongly advise each of my customers to do the same.
So far, all of them are following that advice. Therefore, such services
never will have any chance to do business with my customers.

3) I have several email addresses. I am definitely not ready to use a
different website or different software for each of them. That is, there
is absolutely no chance that I ever will use a service which does not
provide POP3 or IMAP (or, for the protocol, their successors). I want
*one* MUA (like Thunderbird) to be able to manage *all* of my email
messages in *one* place (For example, ever needed to search for a
message for which you can't remember the account it was received on? -
The global search in TB is very handy here. Further reasons: junk
filtering, action filters (automatically moving certain messages in
subfolders) and so on, all managed at one place, public folders, shared
folders and so on).

4) I doubt that these services can be legally used by businesses in
Germany. We are having some weird rules here, one of them saying that we
have to keep *each* (electronic) message we are receiving and sending in
a separate archive which users don't have access to. That is, users of
course may do anything they want in their normal email account, but all
messages which are ever sent or received must first be copied somewhere
where they cannot be manipulated or deleted. I can't imagine how this
could be achieved when using those services.

These are only a few of the many reasons against using a purely
cloud-based email system.

Regards,

Binarus
