How do you help someone to encrypted email (Re: How do you let your M.D. ...)

Andrew Gallagher andrewg at andrewg.com
Fri Dec 2 18:21:12 CET 2016


On 02/12/16 14:57, Duane Whitty wrote:
> 
> I believe that outside of the lack of awareness that their privacy is
> being ignored, the problem is mostly private key management and the
> unfortunate fact that most of the email clients that most people use
> on the most popular platforms don't support encrypting and decrypting
> mail.

Yes. Secret key generation, backups, and portability. Also, the fact
that so many people now use webmail rather than a local client.

> Sure you can use a smart card reader to
> solve the availability issues but then you have to deal with all the
> software issues.  Most people have no knowledge about any of this let
> alone the existence of tools like smart card readers.

Yep. I've been using a smart card reader for a while, and although I'm
comfortable with it now, initially it was daunting. I ended up writing
a tool to automate the key generation and backup process
(https://andrewg.com/frith.html). There is a similar project under
development in Debian
(https://danielpocock.com/outreachy-gsoc-2017-pki-clean-room). I
wouldn't ask my mother to use either of them.

Enabling the smart card for use across multiple machines was a long,
trial and error process. Once it is working the convenience is great.
But I wouldn't expect anyone else to do it.

> I realize there is an argument to be made that people need to exercise
> personal responsibility when it comes to their security.  But I
> believe adoption will be limited to the technically adept until we can
> make using encryption and decryption an understandable and short
> process for people who only use their computers to run "canned"
> applications and send mail.

Yes.

Arguing "personal responsibility" is too often a means of passing the
buck. If it is too difficult or time consuming to be a responsible
citizen, people won't. This applies across all walks of life, not just
computer security.

The best systems make Good Things easy, and Bad Things more trouble
than they're worth. Poor systems make Bad easier than Good and then
spend all their energy chasing up people who took the lazy way out -
which in extreme cases can mean literally everyone.

> (Thinking out loud)
> I wonder if a solution akin to what the password managers do is
> possible?  Maybe storing a private key in a password manager would
> work for a lot of users. 

GPG's secret keyring is a password protected database, just like a
password manager. The main thing it does not do that many password
managers provide is automatically store the encrypted secret in the
cloud for easy synchronisation. This is a questionable practice
however. Much better to store your secret key material on a smart card.

Of course that buggers up mobile.

> Still doesn't solve the problem of having gnupg available and
> integrated on all the different platforms.

Exactly.

A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161202/dd53bfbf/attachment-0001.sig>


More information about the Gnupg-users mailing list