PGP is a pain in the ass, and yet it’s the best option we currently have for encrypting email. A bunch of people are working on replacing both email and PGP, but in the meantime we should make PGP much easier to use. (I’ve tried before, and failed miserably, so I’ve got a bone to pick with this problem.)
There are two reasons PGP-for-common-folk is evasive:
- Transferring private keys between devices is difficult.
- Deciding which keys to trust is difficult (the system is actually useless without this step).
Any solution would need to decisively address those two problems. A good solution should also be purely client-side; introducing new server components to the equation in any way changes the attack surface area too significantly. For the same reason, a good solution would not depend on any extra cryptography outside of a solid pre-existing PGP implementation. A good solution would also allow the user to make adjustments based on their level of paranoia (for lack of a better word). Here’s how it could be done:
- Instead of requiring users to transfer keys when they want to start using a new device, we (optionally) generate a new key. The new key is then encrypted using the previous key, and sent to device(s) where that key was previously used. If the user accepts the new device (and thus the new key) from one of the previous devices, the new key is signed with the previous key and the previous key is revoked. (At this point, the previous key could be encrypted with the new key and sent to the new device; this would allow the new device to decrypt old messages.)
- Instead of requiring users to sign each other’s keys, we (optionally) sign automatically after a certain number of exchanges. (The number would be configurable, but should have a fixed floor to avoid automatically signing emails from spammers/etc.)
- While users could still import their peers’ public keys manually, keys are also automatically fetched from–and (optionally) published to–public key servers. They are considered “verified” when they’ve been signed by either the user or one of their peers. Users are warned when (a) no verified keys exist or (b) multiple verified keys exist, but otherwise we can just assume that the user wants to use the verified key that’s publicly available.