what is killing PKI?

Mark H. Wood mwood at IUPUI.Edu
Wed Aug 29 16:18:14 CEST 2012


On Wed, Aug 29, 2012 at 12:00:22AM -0400, Landon Hurley wrote:
[snip]
> The barrier is solely cultural, not technical. Enigmail, Thunderbird and
> gpg4win are trivial to set up. The first time I did it, it was on the
> phone, talking someone through it. So we either need to invent some sort
> of massive threat perception to unite everyone to adopt PKI, or just
> continue to push it as a grass roots movement. Or if some kind person
> would like to introduce a viable third option, I think a decent portion
> of humanity would owe him/her a debt. On the other hand, I'm advocating
> a rather heavy handed, Platonian, do it for people's own good even if
> they don't like it/decide they need it, so I'm sure at least some, or
> even most, will disagree as well. I will add my confession to the pile
> of selfish reasons to want to have PKI become widespread.

I'm not sure that the average person's current mode of living really
exposes him to a threat big enough to take seriously.  Rather than a
threat of actual loss, I feel that we face an opportunity cost: there
are things we could do differently, arguably better, if we could do
them securely via electronic media.

We simply wouldn't think of discussing possibly embarrassing personal
matters with our doctors by email, even if the doctors would agree to,
so we don't ask.  We still carry around hand-scrawled prescriptions,
or cross our fingers and hope that the doctor's FAX calls to the
pharmacy are really secure, when we could (given the infrastructure)
get a (long!) number that can be verified as coming from the doctor,
verified to still say what he said, and unlocked only with our
personal smart card and PIN.  (Also it would have to be typewritten,
so it wouldn't be so hard to interpret. :-) We could do e-commerce
without worrying about our trading partners' losing a truckload of
backup tapes or being massively compromised from afar, because we
would never give them any secrets worth stealing.  We could manage a
handful of certificate passwords instead of a thousand website
passwords.  We could probably do a lot of other stuff that I haven't
thought of because, in our present nearly-naked condition, it's
unthinkable.

Individuals wouldn't be the only beneficiaries.  The first bank in
town to offer free or discounted certificates *and* more-secure
e-banking would have a competitive advantage.  The first e-tailer to
offer security the others can't touch should win the business of
consumers who are worried by all the "'hackers' capture 200,000
passwords" stories in the papers.  The doctor or lawyer who adopts a
pervasive records security plan (of which customer communications
would be but a part) should be able to negotiate lower insurance
premiums.  It seems to me that people are leaving money on the table
all over.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.