PGP/MIME use

Robert J. Hansen rjh at sixdemonbag.org
Wed Feb 1 01:04:57 CET 2012


Warning: do not take *any* of the numbers here seriously.  They may be
completely divorced from reality.  These numbers are like Monopoly money
-- completely fake, but still useful to illuminate important lessons
about the real thing.

This email is also quite long, and I apologize for that.  I haven't the
time to make it shorter.

On 1/31/2012 2:25 PM, Hauke Laging wrote:
> Do you mean "hidden" installations (used unnoticed by a
> distribution's update tool in the background) or actively planned
> installations ("I need GnuPG.")?

Either/or.  Enigmail's users are a small fraction of GnuPG's no matter
how you slice it.

> It is hard for me to believe that a serious user of GnuPG does not
> use it for email.

This sounds like a No True Scotsman fallacy.  If someone uses GnuPG but
not for email, does that disqualify them from being a serious user?  Is
your definition of 'serious user' structured in a way as to implicitly
select for email users?

> I admit that I do not use Thunderbird but is its share among GnuPG
> users so much smaller than among all users altogether?

Welcome to the world of Fermi problems, where your answers are as
accurate as your prejudices.  How many piano tuners are in Chicago?
Well, there are about five million people in Chicago, an average
household is somewhere between two and four people, maybe one in twenty
has a piano that gets tuned once a year, one piano tuner can do maybe
four in a day and doesn't like to work more than five days a week... uh,
well, there are maybe between 125 and 250 piano tuners.  More or less.
Sorta.  If our prejudices are accurate then our result will be.

You can estimate GnuPG and Enigmail users in the same way.  On average,
each and every Linux installation has GnuPG installed.  How many Linux
users are there worldwide?  Well, in the United States there are about
300,000,000 people, and probably 200,000,000 use computers on a regular
basis.  (Note that I'm not asking how many *computers* are in the United
States, but how many *users*.)  Linux might account for half a percent
of mindshare, so ... my prejudice is that there are about a million
GnuPG users in the United States.  They might not even know it, but
they're part of the userbase.

Enigmail's 50,000 users is just a slender few percent of GnuPG's user
base.  (And believe it or not, this is an apples-to-apples comparison:
all Enigmail users compared to all GnuPG users.)

The knowing-users comparison is different.  Essentially all of
Enigmail's users are knowing users.  You have to first download
Thunderbird, then download Enigmail.  (GnuPG is already on your system.)
You've taken two deliberate steps to put Enigmail on your system: the
odds are very good that you know Enigmail is there and you want the
capability it provides.  So of our 50,000 users, probably close to all
of them know they're our users.  GnuPG is a little different: of a
million Linux users in the United States, how many of them actually
think about how many times GnuPG is being used behind the scenes to
validate their software downloads and sign packages and whatnot?
Somewhere between one in ten and one in three?  So against our 50,000
'knowing' users, GnuPG would still crush us with between 100,000 and
350,000 'knowing' users.

>> I now see no utility to them for the vast majority of uses.
> 
> But you admit that this depends on the current situation (described
> by: hardly anyone uses it)?

Of course not.

Even if *everyone* used email crypto, signatures would still be largely,
and maybe entirely, useless.

I don't know where this myth began that messages are somehow trustworthy
because they sport signatures.  That's not how the world works.

(Well, I suppose it *can* work, the same way you can choose to blindly
trust anyone who speaks Occitan with a lisp and has a strange
fascination with argyle.  However, just as you might think someone who
would trust completely based on such criteria to be foolish, I think
people who believe signatures create trust are just as foolish.)

Signatures extend trust's reach: they can't create it.  My friend Raven
used to live just up the highway from me.  We regularly got together for
tea.  When we were sitting face to face, I trusted the integrity of what
she was saying.  Now that she's far away, if/when we need to guarantee
the integrity of our message we use GnuPG to do so.  The trust we had in
a face-to-face communication has had its reach extended to cross
thousands of miles.  But if she and I hadn't met before, if we didn't
have a shared experience upon which to build trust, then signatures
would be meaningless.  The reach of trust has been extended, sure, but
that doesn't help much when there isn't trust.

Let's have another example here.  I woke up at about eight in the
morning on 9/11.  I was living in California and I was moving that day.
All my belongings had already moved out: I had no television, no radio,
nothing, just myself, a sleeping bag and a laptop.  I woke up that
morning, made myself a cup of coffee, studied the maps for the day's
drive out East, and before I walked out to my car I figured I'd check my
email one last time.  I had one email from a friend of mine in the UK.
It read exactly:

	Your country's at war.  All of us are backing you.

The message was not signed.  I tried to hit CNN.com, but the site
wouldn't load.  Slashdot.org, same.  In fact, *all* websites were pretty
much down.  I shrugged and figured the ISP must've turned off my account
a little early.  I walked outside -- it was a beautiful day, the birds
were singing, clear skies.  Nobody was screaming or wailing: it was a
day just like any other.

I shrugged off Roger's message.  I figured someone was playing games
with me.  I dropped off my housekeys in my landlord's dropbox and began
driving.  It wasn't until I was leaving San Jose that I saw a bunch of
flags flying, and between that and Roger's email, well -- I stopped at
my favorite watering hole to check in with the morning crew and see if
they'd heard anything, and that's when I discovered what had happened.

Imagine what would've happened if Roger had sent me that as a *signed*
email.  I would've trusted it completely, right?  I wouldn't have
dropped off my housekeys, I would've called my landlord and asked for a
few days extension, and not had to deal with the challenges of a
cross-country move during 9/11 and the days immediately after.

Now that you know the history (an unsigned message I disregarded) and
you've imagined one alternate history (a signed message that I would've
heeded), imagine a second alternate history.  In this second alternate
history, MFPA sends me a signed message telling me "Your country's at
war, all of us are backing you."

Would I trust that?  Of course not.  I don't know MFPA.  He's never
bought me a beer.  We have no shared context of trust, so there's no way
for a signature to extend the reach of that nonexistent trust.  The
signature on the message means exactly nothing.

The best MFPA could hope for would be to say, "Your country's at war,
all of us are backing you, nytimes.com is still up and responsive, check
there for details" -- but even then I'm not trusting MFPA.  He's giving
me a way to independently verify his claim, which is pretty much the
polar opposite of asking me to take things on trust.

Finally, one last thought experiment:

During my time percolating through graduate school I used a coffeeshop
across the street from my building as my office.  (My official office
was literally a converted janitor's closet that now housed five TAs.)
One semester I had to bounce a large number of students on academic
honesty violations: some of them were extremely upset.  My nightmare
scenario then involved one of them visiting the coffeeshop at the same
time as me and posting incredibly offensive things on University forums
using my name.  It would be easy to do and *very* hard to fight: after
all, the IP address would track back to the same coffeeshop I
frequented, and the timestamps would correlate to the time I was in there.

For a while I considered signing everything, so I could then deny making
those posts.  "I didn't write that!  I sign everything!  That has a
bad/missing signature!"

And then I imagined my dean answering, "That proves nothing: after all,
if I was posting this stuff I wouldn't sign it, either."

... Anyway.

I apologize again for the length of this post.  Too long by half, I know.

The takeaway here is:

	* Signatures extend the reach of trust, they don't
	  create new trust
	* Unless there's a pre-existing trust relationship
	  signatures mean either nothing or so close to it
	  I can't tell the difference
	* Signatures on mailing lists are mostly (and maybe
	  entirely) useless because of how few members have
	  pre-existing trust relationships with others
	* Don't ask people to trust what you say: give them
	  a way to independently verify what you say and
	  you can skip the headache of trying to establish
	  trust

Hope these thoughts help.  Thanks for reading.
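The takeaway above has a direct counterpart in how GnuPG reports verification results: whether a signature is cryptographically good and whether the signing key is trusted are two separate questions, and GnuPG's machine-readable status output (GOODSIG/BADSIG/ERRSIG for the first, TRUST_* for the second) answers them separately. The following is an added example, not code from the original post or from the GnuPG project. It parses constructed `--status-fd` transcripts and accepts a message only when both answers are favourable, so a perfectly valid signature from a stranger's key ends up in the same bucket as no signature at all. The transcripts, key IDs and user IDs in it are made up for the example; the status keywords are GnuPG's documented ones.

```python
"""Added example (not from the original post): a good signature and a
trusted signer are two different checks.  GnuPG's --status-fd output keeps
them apart, and so should any code that decides what to do with a message.

The status-line keywords (GOODSIG, BADSIG, ERRSIG, VALIDSIG, TRUST_*) are
GnuPG's documented machine-readable ones.  The transcripts, key IDs and user
IDs below are constructed for this example and do not belong to anyone.
"""
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "

# Trust levels GnuPG reports for the signing key after a good signature.
# Only the last two mean "a key I already trust vouches for this one".
TRUST_OK = {"TRUST_FULLY", "TRUST_ULTIMATE"}
TRUST_NOT_OK = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}


@dataclass
class Verdict:
    signature: str          # "good", "bad", "error" or "none"
    signer: Optional[str]   # user ID from GOODSIG/BADSIG, if any
    trust: Optional[str]    # TRUST_* keyword, if any
    accept: bool            # True only for good signature AND trusted key


def parse_status(status_output: str) -> Verdict:
    """Reduce a gpg --status-fd transcript to a single accept/reject verdict."""
    signature, signer, trust = "none", None, None
    for raw in status_output.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue                      # ordinary gpg chatter, not status
        fields = raw[len(STATUS_PREFIX):].split(None, 2)
        keyword = fields[0]
        if keyword == "GOODSIG":
            signature = "good"            # GOODSIG <keyid> <user id>
            signer = fields[2] if len(fields) > 2 else fields[1]
        elif keyword == "BADSIG":
            signature = "bad"             # signed data was altered
            signer = fields[2] if len(fields) > 2 else fields[1]
        elif keyword == "ERRSIG":
            signature = "error"           # e.g. public key not available
        elif keyword in TRUST_OK or keyword in TRUST_NOT_OK:
            trust = keyword
    # The whole point: validity of the signature never upgrades the trust.
    accept = signature == "good" and trust in TRUST_OK
    return Verdict(signature, signer, trust, accept)


# Constructed transcripts (made-up key IDs and user IDs).
KNOWN_FRIEND = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Raven (example) <raven@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF0123456789ABCDEF 2012-01-31 1327968000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF0123456789ABCDEF
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

STRANGER = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Stranger (example) <stranger@example.net>
[GNUPG:] VALIDSIG FFEEDDCCBBAA99887766554433221100FEDCBA9876543210 2012-01-31 1327968000 0 4 0 1 10 00 FFEEDDCCBBAA99887766554433221100FEDCBA9876543210
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

TAMPERED = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Raven (example) <raven@example.org>
"""

UNSIGNED = ""   # gpg emitted no signature status lines at all


if __name__ == "__main__":
    for name, transcript in [("known friend", KNOWN_FRIEND),
                             ("stranger", STRANGER),
                             ("tampered", TAMPERED),
                             ("unsigned", UNSIGNED)]:
        print(f"{name:13s} -> {parse_status(transcript)}")
```

The stranger's message carries a signature that is every bit as valid as the friend's, and the parser still rejects it, which is the "signatures extend trust, they don't create it" rule written down as a predicate. In real use the transcript would come from `gpg --status-fd 1 --verify`; a caller that looks only for GOODSIG and ignores the TRUST_* line is making exactly the mistake the post warns about.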