Why encrypted emails don't work
Today, I got an encrypted email. Which is fine, as I use PGP and all - but it was sent to my work address using my private key. (Yes, they are separate - they have to be separate.)
After much hassling and back-and-forthing of the email messages and keys, I managed to open the original mail. In which, it said:
"If you can't open this email, it's because I've used your PGP key from the jspwiki.org -site. Do you have a corporate one?"
Sending encrypted mail means that the mail cannot be read unless you have the proper key. And it does not help much to ask for the key in the encrypted mail itself - because if I could read it, you wouldn't need to ask, now would you? My public PGP key very clearly also does not include my work address, so one would think I don't want work-related email using it...
Even if simple usability issues such as key management seem to be difficult to fathom, then how on earth are people supposed to understand basic concepts of security - signing, encryption, choosing wise passwords, keeping your PGP secret keys really secret, key revokation, etc.
It's not gonna work. Unless someone figures out a far, far more comprehensible manner of explaining security than currently is used. Security is too abstract. People can't comprehend it. We need a way to make security more concrete, much like having an actual physical lock.
Update: *laugh* The person in question apparently reads this blog. Oops. :-D
Back to weblog
|"Main_blogentry_140604_2" last changed on 14-Jun-2004 20:28:12 EEST by JanneJalkanen.|