Typical PGP user mistakes

[Major Variola (ret.)]

I recall reading at least one study of learning PGP and its UI.
I have had the chance to observe half a dozen (albeit, smarter
than normal) others' (mostly engineers) learning curves.
All are using PGP 7.03 and Eudora 3.05.
We are not using public key servers.

Mistakes include:
* neglecting to encrypt to an intended recipient's key
* encrypting to self (only)
* not encrypting to self, requiring a recipient to send it back to you
* accidentally multiply encrypting a message (ie, you encrypt the
encrypted ASCII)

Problems also include not being able to rename the email address
associated
with a key, leading to some recipients being recognized and encrypted
to,
others not.  Also errors if there are spaces added to the PGP ASCII
block.

Yes, there are checkbox-features and PGP Groups and sufficient GUI
feedback
such that these mistakes are "not the tool's fault".  And I/we
appreciate these
features and overall excellent design.

Yet there are also people who enjoy
studying UI design, cognition, learning, etc.  and perhaps these
anecdotal observations
would be useful.  After all, Enigma was broken by exploiting the
man-machine
interface.

No one new to any tool should be using it for life-critical
apps before competent.  The above mistakes more self-inflicted denial of
service
problems than tool weaknesses.  In fact, one group member accidentally
sent email to
a random user in the sender's ISP (because of the sender's Eudora-alias
not matching the alias he typed in the To: field).  This didn't matter
because the content was encrypted.

You often put locks on things (cars, homes, throwaway email accounts) to
protect against benign, accidental intrusions, even if the lock is
easily defeated/circumvented.  We just happened to be
using a strong lock, endorsed by the Red Brigade :-)

-------
Pierre Curie didn't die from radiation
poisoning, he was hit by a horse drawn cart