[Enigmail] Proposed policy
Robert J. Hansen
rjh at sixdemonbag.org
Fri Dec 14 06:42:55 PST 2007

Jan Steffen wrote:
> Ownertrust has its special meaning in the WoT. It only means that you
> think the Owner of this key will sign others' keys after careful
> ID-checking. It does not mean the owner is a "good guy".

I believe I said this in my email--that there were at least three kinds
of trust used in OpenPGP, and none of them were identical (keytrust,
ownertrust, and general trust that the other person has integrity). If
not, I definitely should have.

> I don't like that wizard idea too much. It will make many people sign
> each and every key they see, because it is the easiest way to get the
> annoying warning away. They should bother to understand the WoT-system
> and really validate their keys by fingerprint checking.

While you're at it, taxes should be lower, beer should be stronger, and
I should have a pony.

Generally speaking, people will not bother to learn the WoT and will not
validate keys by fingerprint checking.

In electronic voting, Rice University recently had some deeply
depressing research come out of their psychology department. It turns
out that even given a voter-verifiable paper trail, fewer than one
person in five will actually check the paper record to ensure the
accuracy of the cast ballot.

If only 20% of people care enough about their democratic vote to read a
piece of paper, how many people can we expect to learn the many
subtleties and complexities of the Web of Trust? 5%? 1%?

OpenPGP is a magnificent protocol from a mathematical perspective. It
is a miserable and pathetic failure from a human factors perspective.
This is where I see Enigmail as being able to make a difference--if we
can only solve some of the human factor problems.