gpg/pgp cli vs 15 years later, why can Johnny still not encrypt?
To be fair... maybe it helps to examine the software environment extant at the time PGP was developed, i.e. MacOS was the GUI ($$$$) of the day, A/UX had just been abandoned by Apple... and DOS 3.0; the Unix releases were SCO, Microport and Interactive, all based on AT&T 5.3.2 sources except for Microport, which was SVR4. Linux did NOT exist, nor did crypto libraries; BSD/386 was an unfulfilled promise, and almost no private individual could afford a Sun pizza box to run BSD; Xenix was $$$$, same for QNX (and non-standard to boot). Almost EVERYTHING was command line; DOS Windows 3.0 was just starting to become available.

PGP 1.0's CLI structure was loosely based on CryptMaster (an earlier paid product), i.e. PGP 1.0 was posted/published from a Tandon 60 laptop (i386) running a DOS command-line version of UUCP, and additionally Fido and SDN clients, on the morning of June 5, 1991 from Santa Cruz, CA (this after weeks of pre-discussion on the WELL...). Then additional copies were posted from random upload points all over Silicon Valley for the next 96 hours. (Yes, the van/payphone part of the tale is true also, although the payphones' wiring was generally directly accessed using a test set to allow connection of a Trailblazer modem, preferred for 19.2kb uploads via UUCP to Usenet.)

PGP 2.0 continues on from there, and currently GnuPG is the CLI choice of script and integration... (albeit with several flaws, security- and crypto-wise). PGP/GPG never was designed for ANYthing but CLI/script/filter/inline usage in the freeware/open-source versions, and typically people are incompetent at using a CLI by and large (even so-called CS students)...

On 1/15/14 4:52 PM, coderman wrote:
> ---------- Forwarded message ----------
From: Steve Weis <steveweis@gmail.com>
Date: Wed, Jan 15, 2014 at 10:37 AM
As one anecdote, when I TAed the MIT Network and Computer security course, we assigned "Why Johnny Can't Encrypt" as the first reading. We asked the students to send us a PGP encrypted & signed message and tell us how long it took.
If I recall correctly, it took an average of 30 minutes for non-existing users to figure out how to use PGP. Think about that. These were graduate & upperclass undergraduate computer science students enrolled in a network security course. Everyone had accounts on the same university system and was mostly using standalone email clients.
Best of all, someone decided it would be funny to generate a fake key for me and post it to pgp.mit.edu. Several students fell for the trick, didn't verify the key, and encrypted their homework with the wrong key. It was a great way to drive home the lesson, but we asked the jokers to kindly revoke their key, which they did.
Long story short, PGP was still hard to figure out for an experienced cohort of users, who didn't have the issues of webmail and proliferation of mobile platforms we have today. I don't think anything has improved to make it viable for a wider audience.
On Wed, Jan 15, 2014 at 2:23 AM, Anders Thoresson <anders@thoresson.net> wrote:
Hi all!
When doing research on email encryption and why it's still not widely used, I've read Alma Whitten's "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0" [1] from '99. I wonder if anyone knows of similar but more recent usability studies on encryption software?
Comparing the findings made by Whitten to the software available today, not much seems to have happened. But does the conclusion still hold, that a lack of mass adoption of email encryption is due to problematic UX – or are there other reasons that today are seen as more important?
[1] https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten.ps
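The homework prank above turns on one check the students skipped: matching the key's fingerprint against a value learned out of band, rather than trusting whatever key a keyserver returns for an e-mail address. The script below is an added illustration of that check, not code from this thread or from GnuPG; it parses the machine-readable listing that `gpg --with-colons --fingerprint` prints (the record layout documented in GnuPG's doc/DETAILS) and selects a key only when its primary fingerprint matches the trusted one. The sample listing, key IDs, fingerprints and the `alice@example.org` identity are constructed for the example, and the two keys deliberately share one user ID to reproduce the joke-key situation.

```python
"""Pick an OpenPGP key by fingerprint, not by e-mail address.

Parses the machine-readable listing that `gpg --with-colons --fingerprint`
prints (format documented in GnuPG's doc/DETAILS) and refuses to select a key
unless its primary fingerprint matches a value obtained out of band.
"""

from dataclasses import dataclass, field

# Constructed sample listing: two keys carry the same user ID, as happened when
# a joke key was uploaded to the keyserver. Key IDs and fingerprints are made up.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:1111111111111111:1389000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1389000000::ABCDEF0123456789::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:2222222222222222:1389000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:-:2048:1:3333333333333333:1389100000::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1389100000::0123456789ABCDEF::Alice Example <alice@example.org>::::::::::0:
"""

# Constructed: the fingerprint as a person would copy it from a business card
# or a verified web page, i.e. obtained outside the keyserver.
TRUSTED_FINGERPRINT = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and upper-case so spaced and compact forms compare equal."""
    return "".join(fpr.split()).upper()


def parse_key_listing(text: str) -> list:
    """Parse `gpg --with-colons --fingerprint` output into Key records.

    Only the fpr record that directly follows a pub record is the primary
    fingerprint; fpr records after sub records belong to subkeys and are skipped.
    """
    keys = []
    expect_primary_fpr = False
    for line in text.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype == "pub":
            keys.append(Key(keyid=fields[4]))   # field 5 (1-based) is the key ID
            expect_primary_fpr = True
        elif rectype == "fpr" and expect_primary_fpr and keys:
            keys[-1].fingerprint = fields[9]    # field 10 holds the fingerprint
            expect_primary_fpr = False
        elif rectype == "uid" and keys:
            keys[-1].uids.append(fields[9])     # field 10 holds the user ID string
        elif rectype == "sub":
            expect_primary_fpr = False
    return keys


def keys_for_email(keys: list, email: str) -> list:
    """Every key whose user ID carries the address: the ambiguous lookup."""
    needle = f"<{email.lower()}>"
    return [k for k in keys if any(needle in u.lower() for u in k.uids)]


def verified_key(keys: list, expected_fpr: str):
    """Return the key whose primary fingerprint equals the trusted value, else None."""
    want = normalize_fpr(expected_fpr)
    for k in keys:
        if normalize_fpr(k.fingerprint) == want:
            return k
    return None


if __name__ == "__main__":
    keys = parse_key_listing(SAMPLE_LISTING)
    candidates = keys_for_email(keys, "alice@example.org")
    print(f"{len(candidates)} keys claim alice@example.org; choosing by address is a coin toss")
    chosen = verified_key(candidates, TRUSTED_FINGERPRINT)
    print("encrypt to", chosen.keyid if chosen else "nothing: fingerprint mismatch")
```

Run against the sample, the address lookup returns both keys, while `verified_key` returns only the one whose fingerprint matches; feeding it the joker's fingerprint selects the joker's key, and an unknown fingerprint selects nothing, which is the safe failure. In practice the same comparison is what `gpg --fingerprint` is for: the value has to come from somewhere other than the keyserver that served the key.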
> When doing research on email encryption and why it's still not widely used, I've read Alma Whitten's "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0" [1] from '99. I wonder if anyone knows of similar but more recent usability studies on encryption software?
By some time in the mid-00s, Hugh Daniel and I could no longer reliably send each other PGP-encrypted mail :-) I wouldn't use the older versions of PGP (including GPG which was compatible with them), which had the abusable bugs in variable-length-field handling that made it possible to force PGP to use really weak crypto; Hugh would only use the open-source versions, not the proprietary Windows-GUI versions from PGP Inc., and even the proprietary versions were getting less and less reliable. And stubbornness had, ummm, entirely nothing to do with either of our positions...

And at some point I had a disk crash that trashed the current keyrings for which I knew the passphrases, and I haven't really tried since then. Some of the GUIs were ok, some weren't. I've gotten lazy and prefer to be able to cut and paste, but the text editors I used this morning included vi, ed, cat, and >, and I guess emacs if you count the bash line-editing commands.

As far as PGP's CLI goes, it was painfully obvious that Phil was a Windows programmer, not a Unix programmer (though I suspect he had some DEC background as well).

Bill Stewart, wearing my old geezer hat today.
participants (2)
- Anonymous Remailer (austria)
- Bill Stewart