Its easier to make a slick UI than convince people to do work. Is it so much to ask that people who make software try to make life easy for their users?
Apple understands and successfully applies that. They put their UX and code camps together. It's something open source coders should solicit more into their fold... open source UX'ers. Assuming for example that Apple's phone crypto really is as good as their word, then the only real weakness is whatever cheesy screenpass it takes to login, yet so long as you *can* enter a strong 128 bit, insert a cryptokey, whatever... then it services everyone well enough.
You can drive a car mostly successfully without too much information but if it stops at the side of the road and the limited info from your dials doesn't tell you what's wrong then a bit more knowledge might just get you home. If anything, this matches the Enigmail model more than the invisible crypto model.
Sure, level based access to more details and knobs is fine. Dummy Mode, Medium Mucking, and Advanced Footshooting
- Your key gets signed by your friends, so now your friend network public - Emails with PGP are provably from you, in a way that can be traced back to physically witnessed government ID.
Then don't have your key signed, and or be a nym and sign those of nyms you trust based on context, not on govts. Use of WOT is an option there if you want it, not every use case of PGP needs it.
PGP as a *product* it was a complete failure. I mean, it doesn't even protect metadata.
No, PGP is excellent, at what it does. Like any other tool, it fails when people foolishly try to make it do what it can't in situations it shouldn't. There is no blame on the tool there, only upon the people stubbornly bashing their head trying to make it fit. Continuing to talk about traditional SMTP transport services as fixable by bolting on whatever... is futile, ignorant, and old. All the people circlejerking on Metzdowd about designing crypto fixes into existing SMTP models, and all the newfangled encrypted webmail providers fall into that category.
the metadata issue a big problem for everyone who connects to a server that isn't owned by them and I suspect really requires a new mail protocol to resolve.
Owning both ends hides the non-body elements, but you're not hiding dns lookups, sizes, the fact that you hit send, etc. It's not a new mail protocol that's needed, it's a whole new messaging network.
the only option is to make GPG transparent by getting the email providers to automatically create key pairs and automatically handle signing and encryption by integrating their mail services with GPG behind the scenes.
No, this is a non option. - Free providers are out for their own, like govts, they have no real interest in their users going dark. - Paid providers are a bit more loyal, but building that and making statements about it entails risk of suit for failure such that they're not really inclined. Most of them can't even put postfix, dovecot and openldap together reliably and scalably, let alone functional spam control and peering. - You're still trusting your keys to the provider, and that the provider won't be forced to jack you through your browser or whatever cool software they give you. In today's world, that is an abject failure. As before: Traditional centralized messaging services are a failure. There is NOTHING you can do to fix them but to replace them. That is where you have the chance to integrate crypto and defenses. And the only valid thing to replace them with now against the risk of centralization and all but godlike attack is a new anonymous encrypted P2P messaging transport system that scales [1]. You could create a new UI on all the platforms, and for faster adoption encapsulate existing message format within and extend existing clients to deal with the cryptographic addressbooking and keep it Unix and business needs pipeliney. You could include storage and nym registration. But at minimum you need to shuffle messages between cryptographic endpoints within the net. Anyways, you're wasting your time talking about PGPifying webmail, desnooping and delogging SMTP, and poor little Johnny. Forget about that tired old refit shit and build something new. Put a little bling and sound effects in it, call it an IM, it worked for ICQ and Candy Crush. The users will come, trust me. Do it soon so you can try to head off bans with your newfound embedded ubiquity. [1] We have a handful of researched and implemented systems now. But don't yet have enough knowledge, experience and wisdom to determine what really should go into one that will remain valid for the next 30 years of relatively stable internet API as we know it [2]. There's a good rate of people deploying new p2p, crypto, anti-metadata, attack resistant, network tech such that by 2020 we may have explored enough areas to begin to feel confident in assembling a handful of them into such a system... even into a number of systems... messaging, storage, info / data distribution, payments. But it will take all of us trying them out and contributing to do it. [2] Packet switched IPv6 routed global end to end connectivity. https://en.wikipedia.org/wiki/Internet https://en.wikipedia.org/wiki/History_of_the_Internet