"Please select what kind of key you want" ~~ suggestion to developers
Robert J. Hansen
rjh at sixdemonbag.org
Mon Feb 23 21:56:56 CET 2009

> Robert, yes, literacy is important, too. Your counter proposition
> also has validity.

You missed the point. Refer to my last three sentences. The world
doesn't need another "easy to use GnuPG interface." You're
essentially saying, "what the world needs is a really good book!"
What I'm saying is, "the world first needs to learn to read."

With respect to claims of experience, I don't put any stock in them,
really. Or, as Rodney Whitaker wrote, "do not fall into the error of
the artisan who boasts of twenty years experience in his craft while
in fact he has only one year of experience -- twenty times."

As near as I can see, the principal problems are:

1. Gross ignorance
2. Fear of social disapproval

With respect to #1... one of the most prestigious crypto conferences
out there is called Financial Cryptography. A few years ago some
enterprising grad students asked each FC attendee to fill out a very
short questionnaire as part of their sign-in process. The results
were astonishing: 60% of FC attendees did not know if their email
client supported crypto, period -- even fewer knew if it supported
OpenPGP or S/MIME. Only 50% were interested in switching to email
clients with better crypto support.

If only 40% of FC attendees know if their email client supports
crypto, and only 50% care enough about crypto to consider changing
their email clients, do you really think the general public will jump
on board OpenPGP just if we create a snazzy interface with a lot of
chrome? That's delusional.

With respect to #2... Ed Felten has a really good sociological paper
out on the intersection of computer security and the workplace. He
and some of his grad students interviewed people at a politically-
active nongovernmental organization (NGO) with an awful lot of
enemies. Many (most) of the employees had been trained with PGP and
found it reasonably easy to use. Despite that, they still didn't use
it for email. Felten and his grad students wanted to find out why.

It turns out that social disapproval played a very heavy role. There
were a couple of people in the NGO who were privacy enthusiasts and
active PGP users, and they were considered "paranoids" by the other
workers in the office. Employees said things to the effect of "yeah,
I know email is dangerous, but I don't want to turn into, you know,
one of _those_ guys."

... the general public does not know what email crypto is, does not
want to know what email crypto is, does not want to care about email
crypto. They just want to send email. Making GnuPG "easier to use"
is a fine goal and worth pursuing in its own right, but it's not going
to substantially improve GnuPG's adoption in the world.

Saying "the world needs a good book, that's why book sales are down!"
may be a true statement, and may be worth pursuing in its own right.
However, the real problem is "first we need to learn to read."

"GnuPG needs a good interface, that'll improve its usage numbers!" may
be a true statement, and may be worth pursuing in its own right. (In
fact, I think it is.) But the real problem is that people don't know,
don't want to know, and to the extent they do know they really don't