On Fri, 10 Jan 2020, John Sechrest wrote:
I have the feeling that the PGP process is not more widely adopted because of the user experience. You have to go out of your way to get things up and going. And then you have to be attentive.It would be interesting to take this "idea toolchain" and come at it from a perspective of the user experience in the process. I would submit that if I need to be intentional about keys, privacy and trust in each transaction that the adoption rate will be very low (As I think we see with pgp) Are there ways to fold the "User Actions" into a process, so that the task of engaging in messaging is secure and yet does not take substantial intention to keep things going.
Longer ago than I care to admit, Simson Garfinkel and I exchanged some ideas on this theme. His idea, which I thought promising, was to treat secure e-mail exhanges like SSH logins.
The first time I log into a remote host using SSH, I'm asked to accept the key. It's certainly possible to request that key from a trusted third party (even DNS), but usually I just accept the key on first login. I only worry about it when it changes and SSH issues its impossible-to-ignore WARNING WARNING message.
His thought was that the first time you exchange an e-mail message with someone, you accept that user's key (automatically offered up by a process or protocol that doesn't yet exist). The remote user does likewise. Thereafter, all communications with that person are encrypted by that key. Should the key change, the mail client would turn red or otherwise indicate WARNING WARNING. It would be up the local user to decide if the key change is valid or not.
There are obvious potential problems with this idea: there's no obvious way to publish keys beforehand; it's unclear how to deal with people who use multiple mail clients (phone, tablet, home workstation, work workstation, web client) with the same e-mail address; too many people will ignore WARNING WARNING and thoughtlessly accept the change; and many others.
Still, I thought it was on the right track toward just building point-to-point crypto into the scheme of things.
-- Paul Heinlein heinl...@madboa.com 45°38' N, 122°6' W
_______________________________________________ PLUG mailing list PLUG@pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug
