At 09:15 PM 6/2/96 -0700, Lucky Green wrote:

That PGP is ubiquitous is subject to discussion. PGP is widely available, but that doesn't mean that it is widely used. What percentage of email is PGP encrypted? Less than half a percent?

Much, much less than that. I get about five hundred messages a day. On the average day, none of them are PGP-encrypted. On the average _week_, none of them are PGP-encrypted. And by virtue of having a PGP key signed and on the servers, I'm better prepared to send and receive such mail than at least 99.9% of the net.population.

PGP was a failure in the mass market, regardless how popular it may be with some subscribers of this list.

True, and important. In one sense it doesn't matter how good a security system is if a manageable set of people are the only ones using it. There are only a few thousand IDs in the key servers, and vast majority of those, I'd guess, are like me in not using PGP routinely. But even if we were, the institutions of the State have experience in the long-term surveillance of groups quite a bit larger than us. This is where I think some forms of cyber-elitism fail. So I've got access to darned good tools. The State has numbers and resources, and memes about how the masses do right when they acquiesce, on its side. We are not, I think, particularly secure in an environment where the very fact of using secure tools stands out from the herd. But what the herd needs are good tools with good simple front ends, and a) those who design the tools generally don't care about the herd and so do nothing to get outside the crypto ghetto and b) those in a position to design the front ends generally have more immediately rewarding things to do or don't know about the tools themselves. Five years ago I was quite optimistic about strong security as an important element in bringing about the post-statist society I desire. Now I'm pessimistic. I just don't see signs of the stuff spreading sufficiently. And while S/MIME has interesting features (based on what I've read so far), the default 40-bit setup is basically no protection at all. And I know just how hard it is to get people comfortable using non-default features. -- Bruce Baugh bruce@aracnet.com http://www.aracnet.com/~bruce