
Another 'NSA-proof' webmail biz popped by JavaScript injection bug

Michael Wojcik Silver badge

Re: Sigh...

The question is, why has this not happened w/r/t PGP/GPG?

It has, any number of times. I have a GPG plugin for Thunderbird, and at least one GUI GPG wrapper (which I installed to see how usable it would be for non-technical users). There seem to be many others.

A better question would be why haven't they become popular? Because:

- Most email users want to minimize cognitive load and opportunity cost, which means using the MUA that minimizes what they have to learn and how much work they have to do. Webmail beats separate MUA applications by that metric.

- By the same token, most email users don't want to have to learn even the high-level security concepts associated with PGP/GPG (or PEM or S/MIME or any of the other schemes that have been floated). They don't want to learn about asymmetric encryption and public and private keys and digital signatures. They really don't want to learn about the Web of Trust or other PKI architectures, all of which are usability disasters. Many aren't really clear on what "encryption" is in the first place, or how the newspaper Cryptogram differs from standard algorithms or from the mythical "military-grade encryption" they hear about on NCIS.

- Most email users are operating under a threat model where the benefits of email cryptography (privacy, integrity, some degree of authentication and non-repudiation) are very small. Hell, I wouldn't care if the vast majority of my email were published, and I'm an IT security professional.

Widespread adoption of email with digitally-signed envelopes would offer some benefit to most email users, as it would eliminate some spam and phishing channels, but the key there is widespread - and thus convincing users to adopt it now, so eventually it would scale up enough to help. And even then the implementation has to be very good.
