PGP/MIME considered harmful for mobile
dshaw at jabberwocky.com
Mon Feb 28 05:13:05 CET 2011
On Feb 27, 2011, at 8:35 PM, Robert J. Hansen wrote:
> On Feb 27, 2011, at 5:17 PM, David Shaw wrote:
>> Can I see the HCI study that MIME attachments confuse people? ;)
> I would love to see such a study. However, I never made that claim. :)
> Someone else made the claim PGP/MIME is superior because inline OpenPGP signatures confuse people. Okay, I'll stipulate the latter: but to argue that inline OpenPGP signatures confuse people but PGP/MIME signatures don't (or that they confuse people much less) seems to me to be kind of a stretch.
I suspect that given a client that properly implements MIME (meaning in this case that it would show the regular text, whether or not they were capable of verifying the signature), inline would be more confusing, for reason of numbers. For users of those mail clients, they see a signed message as much the same thing they'd have seen if the mail hadn't been signed at all. For example, Apple's various mail programs do this (I suspect some common code there).
For those clients, inline (where you see something) is bound to be more confusing than MIME (where you see nothing) for the simple reason that something is more visible than nothing. Like you, I have no study to point to, but it seems reasonable.
Of course, your phone notwithstanding, how large the set of clients that properly implement MIME is an open question...
Personally, when I need to make a signature, I usually just consider the audience. For a list like this, I'd probably PGP/MIME it. For other audiences, perhaps not.
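The difference described in this message, as an added example that is not part of the original post: the same body sent as PGP/MIME and as an inline-signed message, rendered by a simplified model of a MIME-aware client with no OpenPGP support. The sample messages, the placeholder signature block and the `rendered` and `signature_noise` helpers are constructed for illustration.

```python
from email import message_from_string, policy

# Constructed samples; the signature block is a placeholder, not a real signature.
BODY = "Meeting moved to 3pm.\n"
SIG = "-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----\n"

PGP_MIME = f"""\
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

{BODY}
--b1
Content-Type: application/pgp-signature; name="signature.asc"

{SIG}
--b1--
"""

INLINE = f"""\
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{BODY}{SIG}"""


def rendered(msg):
    """Text put on screen by a client that handles MIME but not OpenPGP (assumed model)."""
    shown = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no displayable text themselves
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            shown.append(part.get_content())
        # application/pgp-signature falls through: an attachment at most, not body text
    return "".join(shown)


def signature_noise(raw):
    """Non-blank displayed lines that are not the author's own text."""
    msg = message_from_string(raw, policy=policy.default)
    return [l for l in rendered(msg).splitlines() if l.strip() and l + "\n" != BODY]


if __name__ == "__main__":
    print("PGP/MIME extra lines:", signature_noise(PGP_MIME))
    print("inline extra lines:  ", signature_noise(INLINE))
```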