undefined | Better HN

0 pointsbreput4y ago0 comments

PGP's biggest weakness was that it was too early. There was no normal user accessible software available. No regular person was going to establish the web of trust or use command line utilities.

So now we have easy, strong encryption and the keys are controlled by...someone. Definitely not the user, though.

Funny story - even Phil Zimmerman can't use PGP: https://twitter.com/josephbonneau/status/638772283713060864 So maybe it is just a hard problem.

0 comments

6 comments · 1 top-level

jandrese4y ago· 5 in thread

No, PGP's weakness is that the Web of Trust is an unworkable solution for the general population for key exchange. It works fine for a you and your circle of crypto nerds, but as a general solution it's impossible.

IMHO this is a case where perfect was the enemy of good. Many possible solutions were rejected because there was a possibility that someone could MITM your first contact, even though in the real world this is unlikely. The key registries were almost a solution but none of them ever gained enough traction to be a default solution and mail clients were strangely hesitant to incorporate them even when they did implement PGP.

PGP was always half of the solution. Sadly they never figured out the other half. Microsoft almost got it working with Exchange, but even then you usually it only works on a single domain at a time. You can't use encrypt an email to someone at a different company even if they are using Exchange.

XorNot4y ago

Web of Trust is a perfectly fine system but UI-wise a total disaster. There's also the reality that what most people need most of the time is a web of trust that includes government agencies, banks and other major institutions.

For the vast majority of useful communications for users, your web of trust ideally goes You -> Government ID Agency <- Recipient. And that's fine - that's what people actually need. People get scammed or deceived by faking those credentials.

jandrese4y ago

Having to physically meet people to exchange long hex strings was never going to scale.

2 more replies

UncleMeat4y ago

Web of Trust mixes two kinds of trust.

If my mom gives me her public key, I trust that it is her public key. If my mom signs some other person's public key - I really don't know how much I trust that. Trusting that somebody is who they say they are is not the same as trusting them to properly vouch for another person.

2 more replies

easton4y ago

Notably, in recent hosted versions of Exchange that has been resolved since they can use Azure AD to authenticate across tenants, and if you don’t have Office 365 you can make a temp account in their tenant when you click on the link to see the email. It works fine (unless you’re still on-prem for email).

dijit4y ago

I fundamentally disagree with you that web of trust is hard.

There are much harder problems solved in easy to use ways, there’s just very little financial gain for this problem.

j / k navigate · click thread line to collapse

0 comments