-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday, November 3, 2002, at 09:53  AM, Len Sassaman wrote:
> What's naive is trying to ram such products down the public's collective
> throat. Cryptographic solutions are not of "all or nothing" strength. I
> don't know why UI hasn't been the foremost priority of crypto vendors all
> along...
>

I think it has been, and that this has slowed development and confused 
things.

About 8-10 years ago the focus was on integrating PGP with elm, tin, 
Eudora, etc.

I argued then, and I still argue now, for a "non-integration" policy:

- -- treat text as text, to be sent via whichever mail program one uses, 
or whichever chatroom software (not that encrypted chat rooms are 
likely...but who knows?), or whichever news reader software

- -- compose in whichever text editor or word processor, apply crypto to 
that text (or in clipboard), paste into whichever above program

This keeps things clean, as the GUI of the WP, mail program, 
newsreader, etc. is not used at all.

By "clean" I mean that "text is text," sort of WYSIWYG. Encrypted text 
is just another arrangement of ASCII (or Unicode, as the case may be) 
symbols.

This means that any program capable of sending and receiving text can 
handle encrypted text. Automatic decryption would be like any other 
automatic processing of text.

Not having the crypto engine tied so closely to Outlook, or Eudora, or 
elm, or whatever, also cuts down on the gaps when PGP is not usable 
because a service pack or upgrade has knocked out the compatibility.

As in the 2-year gap when OS X and its supplied Mail program did not 
work with any version of PGP, except in Classic mode...most casual 
users were not interested in chasing down GPG and getting it to work 
with 10.0, then 10.1, then 10.2, etc. And _that_ is one reason "working 
at the click of a button" is actually a backward step for many users 
with many different packages and versions of software.

I also like _seeing_ that a message is in encrypted form, with 
whichever headers and footers are attached by PGP.

Some variants of PGP don't show the encrypted message, or the signature 
blocks, at all. The encryption and signatures are applied as the 
message is _sent_.

Which is why I used to use the clipboard mode of PGP to encrypt and 
sign in any of my various text editors--or even my mail program-- and 
then paste in the finished text, just so I could verify it was all 
going out the right way.

I think most users, even casual ones, would accept this advice:

"Look, encrypted text is just a rearrangement of text. Compose your 
message in whatever editor or word processor you want, apply the 
encryption directly to that text, then paste in or otherwise send that 
new text out. Expecting encryption to be closely tied in to 
ever-changing mailers, word processors, news readers, and multiple 
iterations of OSes, is just too big a chore for developers to keep up 
with."


(P.S. I'm going to do something I don't often do: sign a post. Reasons 
for not signing posts are manifold. Advantages are few. But this is to 
illustrate a point: that I have told the "integrated PGP" in OS X 10.2 
Mail to sign. But I won't know if it accepted my command until I send 
this out and it pauses to ask me for my passphrase. If I did something 
wrong, or if adding this paragraph _here_ somehow glitches things, then 
it goes out unsigned. No big deal. But what if I were telling PGP to 
encrypt and it went out accidentally unencrypted? IMO, we've lost a lot 
of transparency by not having the user actually _see_ his message in a 
signed or encrypted form prior to sending. Perhaps there's a setting 
somewhere in PGP that allows this...checking now, I don't see it in any 
obvious place. Now, here goes with the send....)



- --Tim May
"That government is best which governs not at all." --Henry David 
Thoreau


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 (Build 288) Beta

iQA/AwUBPcV3yvHMrDA90hdkEQKh+wCg+Rd+RuiaZxbqIFYhsghkR3t4sSUAn3OG
3ePIq3c2ow89/vV5pkxoSJHo
=0Gl/
-----END PGP SIGNATURE-----
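
The concern in the P.S. above (a message leaving unsigned or unencrypted without the sender seeing it), as an added example that is not part of the original post: a fail-closed check on the outgoing text itself. The function names are hypothetical and the samples are constructed; it checks only armor structure and the CRC-24 line (which it requires, although the format makes it optional), not cryptographic validity.

```python
import base64
import re
def crc24(data: bytes) -> int:
    """CRC-24 from OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Wrap constructed bytes in armor; used only to build the samples below."""
    body = base64.b64encode(payload).decode()
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={check}\n-----END PGP {kind}-----\n"

# Armor headers, blank line, base64 lines, "=" checksum line, matching END line.
ARMOR = re.compile(
    r"-----BEGIN PGP (MESSAGE|SIGNATURE)-----\n(?:[^\n]+\n)*\n"
    r"((?:[A-Za-z0-9+/=]+\n)+?)=([A-Za-z0-9+/]{4})\n-----END PGP \1-----")

def outgoing_form(text: str) -> str:
    """Classify a body as 'encrypted', 'signed', 'plaintext' or 'malformed'."""
    text = text.replace("\r\n", "\n")
    if "-----BEGIN PGP " not in text:
        return "plaintext"
    m = ARMOR.search(text)
    if m is None:
        return "malformed"
    try:
        data = base64.b64decode(m.group(2).replace("\n", ""), validate=True)
    except ValueError:
        return "malformed"
    if crc24(data) != int.from_bytes(base64.b64decode(m.group(3)), "big"):
        return "malformed"
    if m.group(1) == "MESSAGE":
        # Any text outside the armor would leave in the clear: reject it.
        outside = text[:m.start()] + text[m.end():]
        return "malformed" if outside.strip() else "encrypted"
    clearsigned = text.lstrip().startswith("-----BEGIN PGP SIGNED MESSAGE-----")
    return "signed" if clearsigned else "malformed"

# Constructed samples: the payloads are filler bytes, not real OpenPGP packets.
ENCRYPTED = armor(b"constructed filler, not a real packet stream")
CLEARSIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nhello list\n"
               + armor(b"constructed signature filler", "SIGNATURE"))
```

A sending script would release the body only when `outgoing_form(body)` equals the form the sender asked for, and refuse on anything else.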
