On Tue, Oct 2, 2012 at 8:41 PM, Maxim Kammerer <[email protected]> wrote: > On Wed, Oct 3, 2012 at 3:52 AM, Brian Conley <[email protected]> > wrote: > > I am immediately suspicious of any service advertising simple easy > encrypted > > email > > Why? The notion that easy encrypted email is hard is a myth, perhaps > resulting from people being trapped inside the concept of using PGP > and its non-scalable “web of trust”. Liberté Linux implements cables > communication [1], which provides just that — easy encrypted email. > The catch is that there is no interoperability with SMTP, and there > are no easy-to-remember usernames. >
I like the part where you say the problem is easy and then point to a solution with issues that make it anything but easy, tenable or workable. I don't mean to be too snarky. (Okay, I do.) But saying that it's not a hard problem makes the real challenges that remain less visible. Throwing layers of encryption on e-mail is easy. Verifying that it's being encrypted to the right person is *still* hard. TOFU is often a great way to solve the problem good enough 90% of the way, (honestly if it were up to me the ground level security guarantee we'd go after is not that the person is the person you think they are, but merely that the person you're talking to now is the same as the last time you talked to someone with a specific ID.) but then dealing with the reality of people using multiple device to use this stuff (and you can't just wish that away) is the last 10% that's the next 90% where the solution quickly becomes more murky. And that's not even getting into platform inter-op issues that drive so many people to want to do their crypto in a web interface or on some other person's server. Pretending it's an easy problem because technologies exist that aren't usable ignore the real technology issues we haven't solved yet. ~DJ
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
