OpenPGP and usability

Werner Koch wk at
Wed Aug 8 10:51:15 CEST 2007

On Tue,  7 Aug 2007 21:17, rjh at said:

> Anyway.  The problem, as he said: "forty computer security professionals
> can't use GnuPG among them because the [cognitive] overhead is too much."

So today the question is "Why Diffie can't encrypt" ;-)

> Problem 1: key signatures.  He says he couldn't figure out what he
> needed to do with the keys.  Did he need to sign them?  Trust them?

Just "lsign" all keys or let someone sign all keys and assign him
ultimate trust.  That is the easiest ad-hoc way.

> What's validity and otrust again?  Who should be set up as a trusted
> introducer?  Why wasn't the cursed thing working?!  As he said, "I know,

That is really hard stuff as it is about setting up a complete PKI.  We
can't expect that an average user (even a security expert) can do this
without a lot of experience.

> Problem 2: PGP/MIME.  Correspondents who were using PGP/MIME for
> attachments found massive interoperability problems.  Apparently,
> Enigmail has an idiosyncratic way of doing PGP/MIME which causes
> heartache and woe for non-Enigmail users.  (I haven't confirmed this;
> this is just according to him.)

It is really a shame that the one Free Software project which is known
by more than the computer geeks - namely Mozilla - is refusing to
support an established standard like PGP/MIME.  We have had several
implementations of it over the years for the new mail component (now
known as Thunderbird) but all of them have been refused without giving
good reasons.

In this regard Thunderbird is no better than Outlook!

BTW: We would be able to solve the Outlook PGP/MIME sending problem if
we could informally agree on a variant of the Content-Type header which
gets checked by PGP/MIME aware MUAs before they use the real
Content-Type.  Yes, it would be an ugly hack but very helpful.



More information about the Gnupg-users mailing list