[messaging] OpenPGP Trust is broken Was: On Signed-Only Mails

Vincent Breitmoser look at my.amazin.horse
Thu Dec 8 05:47:55 PST 2016


> 1) Assertions that impersonation makes the signatures worthless

This got a little mixed up with trust model discussions.  My original
point was quite specifically that for general day-to-day communication,
signatures aren't useful, at least in their present form.  I would at
this point phrase it less strongly, and say that the tradeoff they offer
in what they do, versus the complexity they introduce, isn't worth it.
I still stand by that point.

> A bank that is hacked and customer bank details are disclosed is in trouble
> but a bank that is hacked and has money stolen is in worse trouble and a
> bank who loses its account data and cannot recover it from backups is a
> ex-bank.
> 
> All documents should be signed but only confidential documents need to be
> or should be encrypted.

From the perspective of enterprise users, this makes a lot of sense. But
I'm not building enterprise software, and I don't know about the
requirements they have: I'm working on a consumer-oriented
implementation, for secure e-mail.  I would really like to send
confidential mail to my tax advisor.  And from that point of view,
signed-only mail adds an order of magnitude in UI and ecosystem
complexity, quite possibly a sufficient amount that my tax advisor (or
their other customers, affecting me indirectly) doesn't want to bother
with pgp at all.

Compliance-oriented enterprise applications are a valid use case. Secure
communication to counter mass surveillance is a valid use case. Trying
to fulfill the requirements of both in the same software and on equal
footing sounds like a bad idea.

 - V

