PGP/MIME use (was Re: META)

Robert J. Hansen rjh at sixdemonbag.org
Tue Jan 31 19:46:05 CET 2012


On 01/31/2012 11:23 AM, Steve wrote:
> Sometimes if the right parties decide to no longer support an old 
> standard the software that does not support the new (better)
> standard will die or get improved...

This works if and only if the "right parties" are a large enough market
to push implementations around like that.  Enigmail isn't.  Assume we
have 50,000 installations.  (This sounds like a lot, but it's a pale
shadow compared to GnuPG installations.)  Of those, maybe 5,000 are
serious users and the rest are casual ones, people who saw it on Mozdev
and got intrigued and installed it and never really did anything with
it.  Those 5,000 users don't represent a single bloc, though: they're
spread out through a whole lot of different communities, where they
represent extremely small minorities within those communities.

As a for-instance, on my old high school class's mailing list I'm pretty
sure I'm the only person who's even heard of Enigmail.  If I were to
tell the list maintainers, "you need to upgrade your version of Mailman,
it's breaking my PGP/MIME signatures," the response I'd get would
probably be, "what's PGP/MIME, and why is it important, and why do all
your messages have those weird attachment things on them, anyway?"

> You at least know that the person with that key is the author. That
> is some information.

No, you don't.

A few years ago on PGP-Basics one user threw a screaming fit over how
many users were not signing our posts to the list.  He insisted that
signatures were meaningful, that they proved the person with that
certificate is the author, and so on.

John Clizbe, John Moore and I conducted a little experiment.  We created
a single certificate.  All three of us used the exact same certificate
to sign our posts to PGP-Basics.  The person who was most up in arms
about our lack of signing was placated, and thanked us for seeing the light.

It was another few months before anyone realized we were all using the
same certificate.

Honestly, up until that point I thought that maybe there was some
utility to mailing list signatures.  Maybe.  That experiment changed my
mind: I now see no utility to them for the vast majority of uses.


