Monday, February 27, 2006

Re: NPR : E-Mail Encryption Rare in Everyday Use

...

I personally would prefer to sign every email I send. I'd also
prefer to encrypt all non-public messages. I am fully competent
in the use of the current technology, but it turns out to be not
practical to use.

Greg

Re: NPR : E-Mail Encryption Rare in Everyday Use

Paul Hoffman wrote:
This is my original disagreement with Ed's message. It can be done, and when you do it it works, but it is too difficult for most people to bother with. I think we all agree on those three facts, just not on what to label the last one.

Actually, when I wrote "it does not actually work" I meant all three things:

1. It can't be done as a user would like to do it; note also that even experts
do it incorrectly (it's just too many detail devils).

2. When a user does it, the user does not really know if it was done right.

3. It is too difficult for users to use and (worse) most users who use it
do it incorrectly.

We have some choices. We can continue to say that it works and just wait
for users to get educated someday. Or, we can say that there is no x (x = market,
need, risk, point) -- and that's why no user bothers with it. Or, we can try
to understand what it is that users reject and work around it. My opinion I
already say upfront: users reject the whole model; it's not "natural" to
ask me for my envelope before you can send me a letter.

(btw, name and mail address are not the envelope -- they are routing
information. My public-key is the envelope analogue when comparing postal mail
with secure email.)

Cheers,
Ed Gerck

Re: NPR : E-Mail Encryption Rare in Everyday Use

Phil Z doesn't know how to do it himself, at least with PGP.
He told me that he doesn't sign people's keys who ask for it,
simply because it would pollute his keyring on his computer,
and he couldn't work with a keyring with thousands of people
on it anymore.

So PGP obviously has a usability and scalability problem.
So he only signs the keys of his friends because of that.
I wonder now, why he didn't try to solve that
usability/scalability problem himself yet, but gave up instead.

Best regards,
Philipp Gühring


Re: NPR : E-Mail Encryption Rare in Everyday Use

Paul,

Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.

And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.

BTW, just to show that usability is king, could you please send me an
encrypted email -- I even let you choose any secure method that you want.

Cheers,
Ed Gerck

Re: NPR : E-Mail Encryption Rare in Everyday Use

Ed Gerck wrote:
This story (in addition to the daily headlines) seems to make the case that
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.

That's an incorrect assessment of the short piece. The story says that it does actually work but no one uses it. They briefly say why: key management. Not being easy enough to use is quite different than "NOT actually working".

--Paul Hoffman, Director
--VPN Consortium

NPR : E-Mail Encryption Rare in Everyday Use

This story (in addition to the daily headlines) seems to make the case that
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.

http://www.npr.org/templates/story/story.php?storyId=5227744

Cheers,
Ed Gerck