I just love the way people appear to be trying to argue that not having encrypted email is in some way a good thing.
> The problem is that you're being quite simplistic, throwing the blame onto one company who did the same thing as many other companies
First, "many other companies"? Where it mattered, MS held (holds) the lion's share. Plus I also blamed Apple. Who else did you have in mind?
> Let me guess, if PGP had turned out to have a systemic flaw and Microsoft had adopted it, it would be their fault that we were using the flawed system too?
I've just been pointing out the history as I saw it unfold - you are determined to pick at imaginary holes to defend the status quo! But if we were all using the standard, de jure or de facto, and it was flawed, well, how about looking at a real example, MD5. You wish to point out that I raged against MS for foisting that upon us? No, of course not.
> You can point to a couple [of mail clients] that did and assume that everyone should have supported what they did, even though that wasn't part of the standard.
There you go; you mean the couple that were mentioned as a direct response to the previous message? There were more - do you really need me to look them all up for you? - and you neatly ignored the bit about wrappers (and third party addons) that allowed extensions. Does that cover your "many companies" (want to bring in Lotus? Not long for this world by then. Anyone else you have in mind?)
Oh, and BTW the encryption being done by (purely for example) PGP occurs *outside* of all of the email standards: it occurs on the body text, which means it can be - has been - implemented purely in the text editor and be nothing whatsoever to do with the mail client. You know, for all the decent mail clients that let you set your favourite editor?
Better if it can be part of the email standard, of course - then it can even protect some of the extra data that is flowing out via all those newer headers.
> akin to complaining that a browser, written to work over HTTP, doesn't support the Tor protocol
Daft comparison. As just pointed out, the encryption even as currently available just has to touch the body text. Better comparison, when Internet Explorer refused to admit that PNG images exist: you could use a better (for your purposes) browser or you could right-click, save as and run your utility over the file. Irritating but if you value the result, worth doing.
> Like it or not, PGP was somewhat rare in 1997 as it is today...
Gleefully skipping over the original "something like PGP" - any encryption, so long as it was as good as that would have done. Yes, I've stuck with PGP/GPG on the simple basis that it actually existed and was therefore a candidate. Please supply your better candidate, let us all learn together.
> With PGP, both then and now, the key management was a manual process which made sense only to those who knew what they were doing and why. Neither was true of the average user
True, for the worked example of PGP. Oh, hang on a moment, except that is only true if you want the highest level of security (like, say, military, just to drag this back to the original article). The Web Of Trust allows you to pass around keys with less trust (secure, but less trustworthy - as those aren't the same thing) to all your minions.
> who was not thinking too much about security when they sent messages around
Which is the whole problem, and MS (and everyone else flogging to the masses) made this worse by totally ignoring it.
> It's not true of them today either
And why do you accept that? Why aren't you railing against the worst case scenario we have now?
Or do you simply believe we must shrug our shoulders and all be happy? Even if *you* don't want to bother, are you really saying that the bulk of users shouldn't even have the option, shouldn't even be made aware by their email clients that there is a better way (and this client can't be arsed to give it to you)?
> shall we have a blame session for Google because GMail doesn't have PGP support, or should we forget it as pointless because GMail is an online client anyway
We should blame *all* of the peddlers of unencrypted and unencryptable emails, ESPECIALLY as they don't even admit to their users that there is the possibility of encryption (and that they have decided not to support it).
> isn't as simple as you want it to be, either.
Bollocks. Get an encryption standard in place. Use the Web Of Trust at a minimum (or a simpler scheme); it really isn't *that* hard (keys have been exchanged on cardboard business cards, for bleep's sake, and the trust trickles down into organisations, who are the ones who ought to want this). Put in a button on the UI and flags for signature status.
> the causes and responsibility for why that hasn't improved as quickly as we'd like
Yes, I largely blame MS because they have the lion's share of organisational use and it is organisations and business who ought to be concerned about encryption and secure signatures. You spotted I also noted Apple wasn't blameless, yes.
If MS wanted to provide encryption, they could have done it. Whatever they did, would become a de facto standard. What other company had that power, back then? They have demonstrated that ability so much we even created a phrase for it ("Embrace, Extend, Extinguish").
To repeat, I have reported purely what I have witnessed: if you witnessed other problems standing in our way how about you report on them, rather than simply naysaying.
Unless you really *are* totally happy that we are in the ridiculous situation where unencrypted mail has been the norm in the military, where we've not been demonstrably signing contracts over email etc.
 and no, I don't accept technical difficulties as the reason: it sadly won't ever be trivial but it isn't *that* hard either - especially where it is, or should be, important to be secure there are far harder tasks going on than arranging keyswaps!)
 yes, others do that, but we know who it was coined for - and that if MS could have had us stuck on MSN and away from all this nasty Internet and SMTP etc, they would have gone for the Extinguish as well. As would any of its rivals, nobody comes out of this mess clean. Name 'em and I'll blame 'em equally.