
On 2017-07-03 08:56 AM, Russell via talk wrote:
It's open to everyone to generate or use a keysigning authority.
Unfortunately, that's a technical solution for a social problem: keys and authorities need to be something a user (almost) never needs to worry about. Mail clients need to come with relevant keys to verify most other users' identity, or the uptake of secure e-mail will be too low to reach critical mass.

I've worked with X.509-based signing in two very different domains, and in each there have been deep problems that limit the value of the process incredibly:

* in the construction industry, X.509-signed secure PDFs are used to move final drawings and contractual communications (‘transmittals’) around. Unfortunately, many of these are only verifiable within the issuer's company or between members of the same trade associations, as companies and associations act as signing authorities. Many users aren't aware that scans of electronically signed documents are no longer electronically signed.

* in amateur radio, the US hobbyist/lobby group ARRL maintains a full X.509 infrastructure for secure collection and verification of radio contest logs. The maintainers of this system (‘Logbook of the World’) have done a lot to make the process simple, but there are still roadblocks such as keys expiring every few years. It doesn't help that the majority of radio hams who do radio contests are very technologically conservative, and received wisdom has it that Logbook of the World is hard to use and unreliable.

So while everyone could get secure keys, too few people do it to make the process worthwhile.

cheers,
Stewart