> That implies that we have some work to do on the problem of identity. As it is, there is not even a way for a known email sender to securely introduce an unknown email sender.
There is: gpg/pgp signature, but many people find it complicated, primarily because they are reluctant to read the documentation. And it’s popular to criticize it, especially here on HN, in favor of various half-baked alternatives.
I think everyone can agree that any technology that "isn't complicated if you read the documentation" is by definition complicated. I don't need to read the documentation for Gmail to use Gmail successfully.
Could I, as a trained programmer, use PGP and GPG? I'm sure I could if I spent some time reading about it. Could my 90 year old grandmother, who is otherwise quite comfortable with email and whatsapp? No, not to any meaningful extent.
There are times you need complexity enough to be worth training costs. There is one universal word "nanana", and maybe babies cry (it seems many babies have unique cries for different needs: I suspect that is training between babies and their parents - anyone done research on this?). All other language is because you spend years in training. If you can read this or write a response that implies training.
The important point from the above is it was worth the effort to learn. The only person I know who is a strong advocate of PGP was a missionary to Romania before the iron curtain fell - he had strong reason to hide what he was saying from government level actors and even today still is willing for extra effort to protect himself. For most of us though our threat profile isn't (or doesn't seem to be) that high and so learning how to use the tool isn't worth it.
I absolutely agree that PGP/GPG have important use-cases for which they are the state of the art and well worth learning. This doesn't mean that they are not complicated technologies though.
I highly disagree with this.
I just left a couple of comments regarding the use of "strtok". Its use is straightforward, just RTFM. Those were the golden days when people were less reluctant to read documentation. You could not even install Linux back then without an installation guide of some sort. You still need it for Gentoo, perhaps even Arch or Void. Are they wrong? No, just different target audience. If you do not want to become a "power user", that is fine.
My grandma can barely handle the TV controller. So what? I am really against dumbing things down, called "ease-of-access" or whatever they call it these days.
I agree on that, however, that GPG / PGP signatures should be more visible and whatnot, just add some visual feedback (verified? legit?, etc.), and some e-mail service providers actually do this.
> Are they wrong? No, just different target audience. If you do not want to become a "power user", that is fine.
Complicated doesn't mean bad. I'm not claiming that PGP or GPG are bad technologies because they are complicated to use.
> My grandma can barely handle the TV controller. So what? I am really against dumbing things down, called "ease-of-access" or whatever they call it these days.
The "so what" is simple: PGP is not the right anti-spam solution for your grandma, or mine, or any users like them. This is the context of this conversation: is PGP a good-enough answer for how to establish identity for email in the interest of anti-spam and anti-scam efforts? And the answer is a clear and resounding no, not for the vast majority of users of email.
This, again, doesn't mean that PGP/GPG are bad technologies - they are very good for certain use cases and certain users.
So what is a good-enough answer for my grandma? :P
There's no great answer, unfortunately. Gmail and other off-the-shelf email providers handle much of the spam and some of the scam prevention for you, but you still need to exercise caution on your own.
> many people find it complicated
That's what kills a lot of these "perfect" implementations.
HN members tend to be nerds, and we don't really have an issue with setting stuff up (many HN IDs, for instance, have Keybase auths).
Most non-HN types have no patience for that stuff. Security needs to be made accessible and easy-to-use, before the vast majority of folks will implement it. That's the single biggest conundrum, IMNSHO.