(Before I begin I should say I agree with Mark -- this is commentary,
not disagreement.)
This bug seems to cry out for an add-on. Then people who (think they)
know what they are doing can have the additional convenience, and the
rest can do whatever it is they do now. I would guess there is
resistance to putting this into the base product on the theory that
99.9% of users will just hit "yes", meaning "get rid of this
unintelligible dialog and let me read the message", which is arguably
a Bad Thing.
A detail oft-overlooked is that the question isn't whether the
*sender* is part of the 0.1%; the question is whether the *recipient*
is part of the 0.1%. If I use a self-signed S/MIME cert, will my
recipient be savvy enough to understand the risks and take appropriate
steps?
I think 0.1% is a reasonable approximation: of all Thunderbird users,
maybe one in a thousand has the skill necessary to safely and
responsibly use a self-signed S/MIME cert, or to safely and
responsibly check someone else's usage of a self-signed S/MIME cert.
So one in a thousand senders, multiplied by one in a thousand
recipients...
What I'm getting at here is that this isn't just a case of "99.9% of
users will just hit 'yes', which is arguably a Bad Thing." It's also
a case of the user base for this being so small as to be
indistinguishable from statistical noise.
CAs the same thing that the user *should* have done with those
commercial root cert.s: evaluate and install them individually. (Of
course hardly any of us have done this.)
Well, 'should' is a pretty strong word. So long as someone
understands the risks involved in letting Mozilla define your list of
trusted CAs rather than taking individual responsibility yourself,
that's really all we can ask for. I do agree, though, that the
default list of trusted CAs is eye-poppingly large.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
