Slashdot Mirror
PGP Is 15 Years Old
An anonymous reader writes "PGP Corporation salutes the 15th anniversary of PGP encryption technology. Developed and released in 1991 by Phil Zimmermann, Pretty Good Privacy 1.0 set the standard for safe, accessible technology to protect and share online information."
I checked, via pgp.mit.edu. In my university, with 16000+ people, I am the only one with a PGP key signed by someone outside of my university, and I think that no more than 20 people have a PGP key uploaded to pgp.mit.edu. And there is simply NO WAY I can convince staff (or pretty much anyone) to accept my PGP-signed emails as something especially valuable (and as a replacement for a paper signature), or to send me confidential information via encrypted email instead of having me go pick up paper folders somewhere. On the other hand, everybody seems to accept as "signed" the pdf letters I produce, which include a photographed copy of my signature. I have given up.
And it has not killed the PGP market or even gotten major traction. What percentage of your legitimate incoming email is S/MIME signed? Even from your bank?
Also, bear in mind that CA-based PKI is a strict subset of web of trust.
The lesson is that crypto goes nowhere in the market unless it's as transparent as TLS.
>can not or do not want to maintain a web of trust
PKI shouldn't be difficult, but from what I've seen it does seem to be beyond human comprehension.
Once upon a time I generated a key, and discovered there was no one around to swap keys with. My best guess is that it has never been common enough or easy enough to get started. It needs to be as easy as hitting send on an email, automatically sign it, and if the recipient is known to have a key then encrypt it to them. I could be bothered to go through some hassle to get this going, but I think most people don't care enough and probably most of their email doesn't matter enough to bother with encrypting or signing. I still wish it was more common though.
Start Running Better Polls