What could make GnuPG + Enigmail "easier"?

Jeffrey Stedfast fejj at gnome.org
Mon Apr 10 02:21:01 CEST 2017


On 4/9/2017 6:24 PM, Anthony Papillion wrote:
> There's been some discussion both on and off this list about the fact
> that people don't use GnuPG (even with Enigmail) because it's 'too
> hard'. I have friends that are reasonably intelligent who just can't
> figure it out and, for the life of me, I just don't see why.

You aren't seeing why because you aren't really listening. You are 
focusing on the button clicks required and thinking "but it's just a 
click of a button or a checkbox in my email configuration options!"

What you *aren't* hearing is:

1. *Why* should I care about signing my emails? Other people trying to 
impersonate me by falsifying emails from me is extremely low, other than 
perhaps the odd spam message here and there. And that's not *my* 
problem, that's *their* problem.

2. *Why* should I care about encrypting my emails? None of my emails are 
worth encrypting. Seriously, though, the risk of "hackers" or whoever 
getting a hold of my emails is low and there's nothing really vital in 
them anyway.

3. Sure, clicking a button or checkbox might be easy, but what about the 
added hassle of managing my PGP keys? Now I have to upload them to a 
server so other people can get them? Ugh. I also have to copy them back 
and forth between the different computers that I use? More work. And I 
gotta keep my keys safe, as well? Jeez.

4. Just because I have a PGP key and sign my emails, it doesn't mean 
other people can automatically trust that they are from me. First they 
have to verify that the key id/fingerprint matches the key that I 
created. This means that for all practical purposes, unless I'm going to 
get involved in a *community* of PGP users that all sign each other's 
keys, it's worthless.


For the average email user, signing their emails has little-to-no added 
value.

In general, they either know the person personally in which case they 
probably have a good idea whether or not an email is actually from said 
person or not simply based on pattern recognition of their writing style 
and/or topics being discussed. They can also verify emails by talking to 
the other person face-to-face or over the phone, Skype, etc. - for 
*important* emails, this often happens anyway.

In other words, the people you are trying to convince to use PGP with 
Enigmail are saying "it's too hard" because that is the result of their 
cost/benefit analysis. It's not that clicking buttons or a checkbox is 
"too hard", it's that they don't *want to* for the minimal gain it will 
get them.

Hope that helps,

Jeff


