what is killing PKI?

Landon Hurley ljrhurley at gmail.com
Wed Aug 29 06:00:22 CEST 2012

On 08/28/2012 08:01 PM, MFPA wrote:
> Hi
> On Saturday 25 August 2012 at 2:59:57 AM, in
> <mid:5038319D.7000003 at gmail.com>, Faramir wrote:
>>    IMHO, the main trouble probably is people don't feel
>> the need to protect their privacy.
> So why do they use envelopes rather than postcards, and keep secret
> the PIN for their cashpoint cards?

In that case, perception of threat and more importantly loss of tangible
goods keeps the PIN secure. Obviously that works for envelopes as well, but
honestly I think economics probably holds even more strongly. It's
cheaper to buy a ton of envelopes than an equal number of postcards.

A minor point of erratum as well, but I don't think "killing PKI" is the
correct terminology for what we're really talking about. Something
generally has to be alive before you can kill it, and PKI really hasn't
been widely enough adopted that I would call it "alive" per se. It
could be my perception of it, but going mainstream (and I mean normal
people using it by choice, or better, by default) and then something
causing it to recede would be more in line with killing.

While we're kicking around pet theories though, I still think web mail
has to be a significant barrier. The ratio of people who use a browser
rather than a local MUA at my uni is something like 4:1. If you get
people culturally used to using PKI though, they will, which in this
context would mean get them used to it in college. Just like the
Microsoft student pricing, the idea should be to indoctrinate at a
relatively young age, so that they come to expect it later.

Alice logs in to webmail, which makes her feel secure, and as far as she
can tell Bob logs into his, and nobody can open it up otherwise. There's
no perception of threat, probably because very few lay people understand
1. How easy it is to intercept email and 2. How insecurely email is
stored. <soapbox>In the day and age when not having a Facebook account
gets you strange looks and mutters behind your back, unless you force
this upon people, it's not going to stick<jumps off>. Short of a massive
government surveillance controversy with jackbooted thugs roving the
country, nothing (for loose definitions of nothing) is going to convince
people to voluntarily seek PKI, because they don't see a threat. Even in
that situation, a good ~30% of the population can be counted on to come
back to the 'should have nothing to hide' argument.

The barrier is solely cultural, not technical. Enigmail, Thunderbird and
gpg4win are trivial to set up. The first time I did it, it was on the
phone, talking someone through it. So we either need to invent some sort
of massive threat perception to unite everyone to adopt PKI, or just
continue to push it as a grass roots movement. Or if some kind person
would like to introduce a viable third option, I think a decent portion
of humanity would owe him/her a debt. On the other hand, I'm advocating
a rather heavy handed, Platonian, do it for people's own good even if
they don't like it/decide they need it, so I'm sure at least some, or
even most, will disagree as well. I will add my confession to the pile
of selfish reasons to want to have PKI become widespread.

-- 
Violence is the last refuge of the incompetent.