Re: GUI: PGP vs novices
Thomas Grant Edwards Writes:
PGP has made me more crypto aware, but at this point neither I nor most of the crypto aware people I personally know feel there is a need to either encrypt or sign messages on a regular basis.
It is my own personal opinion that in order for crypto to truly become mainframe, the software manufacturers of internet connectivity packages must integrate crypto into the applications. Look at the past threads here on Cypherpunks..."How do I write a script to put PGP into ELM?" "PGP DLL modularity" etc.

In order to bring crypto to the masses, we have got to convince people that it is necessary. We also must make it "second nature". It sure is nice to have a menu option or a toolbar button that will encrypt plaintext automatically. Key management and some of the "high tech" (I know, for us it's nothing, but for my dad who just bought a computer and doesn't understand the difference between click, double click, and drag, crypto is a really high tech thing just in itself.) things of crypto should not be directly handled by the user. (Optional of course. On a privacy level, the user should have full control. But give the user a break...if the software is secure..as such...so is the user's privacy.)

You will notice that this message is not signed. That's because in order to sign it, I would need to save my message, hop out to a DOS box, PGP encrypt it, hop back to my mail program and insert the encrypted mail as a text file. That's enough to discourage the average user. This is pretty much what Tim May was talking about when he discussed why he doesn't sign his messages. It's not that he couldn't... it's just not practical for him. It's not really practical for me either, but I do it when I feel it's necessary.

The only way to make crypto practical is to basically hide the technical side from the user and make it easy. That's my two cents.
>>>>>>>>>>>>>>>INTERNETWORKING THE DESKTOP<<<<<<<<<<<<<<<<<<<<<<<
Brad Shantz                    bshantz@spry.com
Senior Software Engineer
SPRY Inc.                      Direct #: (206)-442-8251
316 Occidental Ave. S.         Main #: (206)-447-0300
Suite 316                      Fax #: (206)-447-9008
Seattle, WA 98104              WWW URL: http://WWW.SPRY.COM
PGP Public Key at: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
Or email: pgp-public-keys@pgp.ai.mit.edu Subj: GET bshantz
>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
On Wed, 21 Dec 1994 bshantz@spry.com wrote:
It is my own personal opinion that in order for crypto to truly become mainframe, the software manufacturers of internet connectivity packages must integrate crypto into the applications. Look at the past threads here on Cypherpunks..."How do I write a script to put PGP into ELM?" "PGP DLL modularity" etc.
That's true to some extent. I'd love to be able to have every message I want signed and encrypted from PINE automagically. I could implement this by requiring keystrokes at the editor level. But that isn't the entire issue...

On the issue of signing, there is another question. Do I really want to sign every message? I don't like signing my written name anywhere I don't have to. And whenever I do, I am careful to look at all the potential consequences. Signatures imply I am agreeing to some kind of contract. Perhaps I prefer my email unsigned, to give me a level of disputability. If my email was a business contract, then I'd be enthusiastic about signing it. But for a post to a political newsgroup, for instance, perhaps I don't want to make sure everybody can cryptographically assure themselves it comes from me. This leaves me open to potential forgery, but email forgery is well known and understood.

Finally is physical security of keys. If I am going to sign anything, I want that key to be under control of only me. It is difficult for someone like me who uses workstations to keep a key only on floppy, especially as I find myself on different workstations, many diskless, all the time.

-Thomas