On Fri, 2008-05-30 at 11:46 -0430, Patrick O'Callaghan wrote:
> It's a basic fact of life that crypto software is complicated for
> users, and there appear to be fairly fundamental reasons why this is
> so (see "Why Johnny Can't Encrypt", an interesting paper by a group of
> Stanford researchers from a few years ago).

I've had to set up PGP/GPG for someone, yonks ago, because comprehending any of it was going to be completely beyond them. But we had to be able to exchange some information confidentially, so there was no avoiding using it.

Eventually I managed by setting it all up for them, and were able to get to the point where I only had to give telephone help for the steps to encrypt or decrypt mail (enter passphrase, which passphrase it was they had to use, which options they had to pick to encrypt, etc.), but I don't think it was ever going to get to the stage of them being able to use it all by themselves.

It would have helped if Evolution, for instance, allowed you to set an option in the address book to always encrypt for this person, rather than requiring the user to do an encrypt action choice for every email. I've had that option in other clients. That'd help against accidentally sending things in the clear, at the very least.

One thing that struck me as being particularly painful, since it was email that we were talking about, was the inability to give someone your public key in some way through your mail program. Yes, I know that's not a brilliantly safe way to set things up. But with two PCs next to each other on a LAN, that would have been safe and an easy way to do it. You had to use the gpg program, separately, to publish your key, or create it as a file. The "mail and encryption are separate things" issue is difficult for many to comprehend, and that's just another thing that will discourage many from using it.

Various gpg programs are geared towards using public keyservers as about the only way to exchange keys (or the only obvious way to do it), but that may not be desirable for some. It certainly isn't for me, as I've found using them to be a guaranteed method for receiving spam. Even more so than having your e-mail address on your website, completely unmunged.

As I mentioned earlier, someone's obviously monitoring some keyservers, and harvesting addresses from them. Adding another address to the public key instantly results in that address being included in the next volley of spam. Peculiarly, removing some addresses from the key had a similar effect (no more spam being received at those addresses). I didn't expect that to happen.

The keyserver I used was:

hkp://subkeys.pgp.net

Though I'm inclined to suspect the harvesting is not that server, in itself.

-- 
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list