On 08/11/15 13:41, Joseph Gentle wrote:
On Sun, Nov 8, 2015 at 7:45 PM, oshwm <oshwm@openmailbox.org> wrote:
On 08/11/15 08:40, Peter Gutmann wrote:
oshwm <oshwm@openmailbox.org> writes:
Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation.
... and this is pretty much the poster child for why we have so much unusable crypto today.
Or, why we have such a fucking retarded human race with the attention span of a gnat who expect everything to be given to them on a plate. People have to stop being lazy and start taking an interest and responsibility for what goes on in the world around them - your point of view reinforces the dumbing down of the population and the increase in power of the Government and big Corps.
Even if that's all true, it's still also true that nobody is using PGP. It's easier to make a slick UI than convince people to do work. Is it so much to ask that people who make software try to make life easy for their users?
Slick UI would be cool, just a shame that's being used as an excuse by ppl who can't be arsed to do a bit of work. What's the excuse once it has a nice UI? As for nobody is using PGP, I think that may be a little overstated - what you mean is nobody who doesn't give a fuck about privacy is using it.
For all your talk of doing hard work oshwm, it looks like you only created that PGP key yesterday:

$ gpg --list-packets signature.asc
hashed subpkt 2 len 4 (sig created 2015-11-08)
[...]

except the key has been around for quite some time, I did re-sync with the sks servers yesterday.
And as far as I can tell it hasn't been signed by anyone. At least I think so - after 15 minutes fighting with gpg I still can't find your actual key and I ran out of care.
No, it hasn't been signed by anyone as I don't have any friends in real life who give two shits about security as I mix with non-techies offline. This is not a difficulty issue, I can't even begin to talk about encryption with them without them changing the issue to great subjects such as what was on telly last night.
... Which leads me into my second point, which is that here in 2015 PGP is a terrible technical solution. It doesn't encrypt metadata (which is a non-starter these days - who you communicate with is some of the *most* valuable personal data for the NSA). It also leaks information about who signed your key. That means either:
Oh yeh, some bright spark came up with STARTTLS for encrypting comms with mail servers but made it optional, not a GPG issue. However, the metadata issue is a big problem for everyone who connects to a server that isn't owned by them and I suspect really requires a new mail protocol to resolve.
- Your key gets signed by your friends, so now your friend network is public, or
- Emails with PGP are provably from you, in a way that can be traced back to physically witnessed government ID.
1) friend network - can't be avoided if you want a system for vouching for email sender authenticity.
2) That's part of what PGP is about - sender authenticity. My PGP is not attached to a Gov Issued ID.
... Or both! Personally I would rather the possibility of forgery than either of those outcomes.
-J