[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] Avoiding PGP

On Wed, Mar 14, 2018 at 6:08 PM, Alexander Klimov via cryptography <cryptography AT metzdowd.com> wrote:
On Wed, 14 Mar 2018, Carlos Alas via cryptography wrote:
> My question is: Is there any substitute or equivalent? And I am
> aware that many people advice to use Signal, however I am wondering
> about an e-mail specific alternative.

As far as the use-case is to send messages to offline users you know,
PGP is simply perfect. Practically, as far as family and close friends
go, you can set it up for your kids or grandma and it simply works.

The problem only starts then none of the users is tech-savvy or only
one is and he cannot support the other. I think this is quite rare
use-case and it is very unlikely that someone without knowledge or
support will be able to use any cryptographic system securely, so we
should not blame GnuPG here.


​Perfect? Good grief... only if you haven't used any application developed since 1995 or so.

If you think it is perfect you understand nothing about usability. When people blame the users rather than the developers, they are always wrong because the users have no ability to change anything, only the developers do. 

I was utterly dumfounded ​when I used the GPG plug in and received my first encrypted email and had to tell the app to decrypt it. No, that is not acceptable.

WoT sounds great until you realize that most people just use the keys on the MIT key server and make no effort to validate them whatsoever. So really good trust has been downgraded to none.

There is no infrastructure to manage private keys for users so they can receive mail on multiple devices. PGP/MIME isn't really standardized, etc. etc.

S/MIME has problems as well. And the biggest problem of all is the format war between the two is still going on. 

Neither is fit for purpose today. If not for the standards war, I would say lets fix one or the other but that isn't possible when one has mindshare and the other has deployment. We never really got past the VHS/Betamax standards war either, that was ultimately decided when Sony started work on DVD.

​What I am trying to do with the Mesh is two step:

1) Make it as easy as possible to use PGP and S/MIME ​today by performing all the private key operations for users, automating all the make work maintenance tasks etc.

2) Introduce a new secure messaging infrastructure that provides functionality neither PGP nor S/MIME offer, that is group messaging and document level encryption. The infrastructure that lets you securely share your Word and Powerpoint documents online can also be used for intra-enterprise mail and messaging and is secure and can also be used externally because it is an open standard.

Users win because they get secure messaging apps that are exactly as easy to use as their current insecure apps.

Enterprises win because this is security people will use.

Vendors win because they can sell new stuff even if it isn't strictly necessary. 

The cryptography mailing list
cryptography AT metzdowd.com