Comment Re: Encryption = same as an envelope for real mai (Score 1) 35
Replying to you mostly for myself, to write down what I try to explain to people when it comes to what PGP actually is, and if anyone gets edumacated by what I wrote, that's fine.
The problem is sending keys - and most users would just blindly, well, email them around.
This is why we have public key encryption, e.g., PGP, in the first place.
You're supposed to post/email/etc. the public key to your various contacts to encrypt. It doesn't matter what the channel is that you use to transport the public key - email, web page, broadcasting as a numbers station, shouting, etc. The public key can be intercepted all the time by TLAs and other nefarious mob-related organizations. It doesn't matter.
Alice: "Hey Bob, I'm trying to figure out this encrypted mail thing. Send me some encrypted mail. Here's my public key."
(Public key gets sent through normal email.)
Bob: "OK, got it." Bob then encrypts his message professing his undying love with the public key and sends it to Alice. He also sends his public key to Alice with it.
Alice decrypts with her private half (which she never gives out) of the public/private key pair and reads the email.
Alice says "I didn't know you loved me." to Bob.
Then there's key management because you have to import those keys into your contacts.
Modern MUAs handle these easily. It's up to the user to save the keys. There is just so much hand-holding that can be done.
>Other than PGP, such as anything using AES is problematic
>GPG
Both PGP and GPG are compatible with each other.
It's not just that MUAs aren't all configurable to use other encryption algorithms, it's that anything that uses symmetric keys, like AES, requires a key exchange out-of-band for it to be of any practical use. And that is problematic in itself.
--
BMO
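
The Alice and Bob exchange from the comment above, next to the symmetric-key case it contrasts with, as an added example that is not part of the original comment. Node's built-in RSA-OAEP and AES-256-GCM stand in for PGP (this is not OpenPGP), and the `wire` object, function names and sample message are constructed for illustration. Eve is modeled as a passive eavesdropper who captures everything on the wire.

```javascript
// Added example. RSA-OAEP and AES-256-GCM from Node's crypto stand in for PGP.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Public-key case: only Alice's public key and Bob's ciphertext cross the wire.
function publicKeyExchange(message) {
  const alice = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const wire = { publicKey: alice.publicKey };               // Alice -> Bob, in the clear
  wire.ciphertext = crypto.publicEncrypt(                    // Bob -> Alice
    { key: wire.publicKey, ...OAEP }, Buffer.from(message, 'utf8'));
  const aliceReads = crypto.privateDecrypt(
    { key: alice.privateKey, ...OAEP }, wire.ciphertext).toString('utf8');
  // Eve holds everything on the wire, but the public key cannot decrypt.
  let eveReads = null;
  try {
    eveReads = crypto.privateDecrypt({ key: wire.publicKey, ...OAEP }, wire.ciphertext)
      .toString('utf8');
  } catch (err) { /* expected: no private key material in what Eve captured */ }
  return { aliceReads, eveReads };
}

// Symmetric case: if the AES key travels by the same email channel, Eve has it too.
function symmetricExchangeInBand(message) {
  const wire = { key: crypto.randomBytes(32), iv: crypto.randomBytes(12) };
  const enc = crypto.createCipheriv('aes-256-gcm', wire.key, wire.iv);
  wire.ciphertext = Buffer.concat([enc.update(message, 'utf8'), enc.final()]);
  wire.tag = enc.getAuthTag();
  // Eve decrypts using only what she captured from the wire.
  const dec = crypto.createDecipheriv('aes-256-gcm', wire.key, wire.iv);
  dec.setAuthTag(wire.tag);
  const eveReads = Buffer.concat([dec.update(wire.ciphertext), dec.final()]).toString('utf8');
  return { eveReads };
}

const msg = 'constructed sample message from Bob';
console.log(publicKeyExchange(msg), symmetricExchangeInBand(msg));
```
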