On Sep 9, 2013, at 9:58 AM, Ted Lemon wrote:

> Seriously, this perfectly illustrates the reason why PGP hasn't seen 
> widespread deployment: it doesn't address a use case that anybody understands 
> or cares about, and it appears to address a use case that people actually 
> would like to avoid.
> 
> Here is the current use model for PGP:
> 
> (1) I generate a key and sign all my email with it
> (2) People reading my email see an obscure indicator somewhere in my email 
> that indicates that it was signed by either an unknown key (nearly always) or 
> a known key (I don't even know what that looks like)
> (3) ???
> (4) WIN!
> 
> First of all, this does nothing to preserve privacy, so I don't know why 
> we're even talking about it.   PGP in principle could be used to encrypt 
> communication, but because we don't really have an agreed-upon trust model, 
> this is a use case that only occurs when people are _highly motivated_ to 
> protect their privacy, and that's not most people, and not most of the time.
> 
> This stuff matters.   Thinking about the use model for the tools we build is 
> _the most important aspect_ of protecting people's privacy.   If we don't 
> think about these things, we're just producing cool toys that will never see 
> general use.

+1!  The use model is critical.  I have tried numerous times over the past many 
years to get PGP used for email (either signing or encrypting) within various 
groups but outside of small groups of more paranoid security-types it has never 
really taken off because it has been way too difficult for the average user to 
get configured and use regularly.  

Even in the groups where PGP was (and is) being used, usage is inconsistent in 
part because people are now accessing their email using different devices and 
not all of them have easy access to PGP/GPG.  If you receive an encrypted 
message... but can only read it on your laptop/desktop and not your mobile 
device, and you are not near your laptop/desktop, how useful is the encryption 
if you need to read the message?  You have to either wait to get back to your 
system or ask the person to re-send unencrypted.

For PGP to really get any real usage for email, it has to "just work" for the 
average user. 

My 2 cents,
Dan

-- 
Dan York  dy...@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork


