Michael Ströder wrote:
>
> > Are you (and Ben) seriously suggesting that an encrypted message sent to
> > a self-signed key belonging to even a naive user is *no more secure*
> > than a plaintext email?
>
> I think the point that Ronald and Ben addressed was that if the user
> gets flooded by self-signed certificates it will not be possible to
> make him validate a certificate properly later at all. It's just a
> matter of humans getting used to bad habits. One has to consider
> this when designing a UI.

So all users should be stuck with plaintext mail until someone can teach
them Basic Cryptography? It still seems to me that if the choice is
between users with encrypted mail but bad security habits, and users
without encrypted mail at all, I'll take the first option.

Most users don't know how to pick good passwords either, but that
doesn't mean that ISPs should use password-free email accounts until the
users can be educated.

Stuart.