Encouraging email security.
David Picon Alvarez
Sun May 18 06:13:03 2003
-----BEGIN PGP SIGNED MESSAGE-----
Quoting from an e-mail I got from a real user(tm):
"but what is there to be encrypted? fine if we were doing something
This is the most often encountered reaction to digital signatures I get from
my friends, some of whom are quite computer-literate yet not willing to go
through the trouble of encrypting and signing e-mail. Simply, I think it's
time to admit people in general don't care whether an obscure sysadmin
somewhere can read their mail. Most people sign acceptable use policies that
give sysadmins powers to monitor all of their traffic, and yet it is also
true that most often sysadmins seem to be either honest or careful. The
OpenPGP threat model is not appropriate for most people, and expecting to
make people fit into it is not very productive. I used to think along the
same lines, but now I just think it's useless to try to convince people to
use crypto. Today's interfaces (gpgrelay for example) are incredibly easy to
use, and there is PGP which AFAIK has a polished UI. I don't think it's a
question of UI any more, I think it's a question of needs and threat models.
If you don't need something and it carries a cost you're not likely to use
it. Perhaps the only way to get people to use encryption is to have a
so-called "zero-UI solution" but even so, unless it would come incorporated
in the MUA, I don't see people bothering to install it.
-----BEGIN PGP SIGNATURE-----
Comment: This message is digitally signed and can be verified for authenticity.
-----END PGP SIGNATURE-----