
Why we don't offer PGP - trop
https://blog.fastmail.com/2016/12/10/why-we-dont-offer-pgp/
======
lowpro
> "Data is as secure as the weakest link in the chain."

This can't be emphasized enough. Their main point is they have no good way to
fully implement a secure PGP implementation, and the threat models PGP
protects against only work if it's implemented correctly.

It's a tough problem, and unfortunately PGP itself is not in a state to
address it. It's too complicated, and not user friendly. At my job this past
summer I tried to implement PGP within our red team in an easy, scalable way
so when we proved we could do it, we could roll it out to blue team and
eventually to non-IT people to make our organization more secure. The project
failed, because there was no easy-to-use, scalable client that met our needs
at the time.

When the Thunderbird of PGP comes out, then I'll look into it again. In the
meantime I'll hobble along using Keybase and Signal for secure
communications, imperfectly protecting myself from the actors it's meant to
protect against.

------
merb
> But key management is hard, and explaining how it works is hard, and
> there's a very small set of users in the gap between those who don't care
> about PGP at all, and those who care enough to do it themselves.

That's so true... It's ridiculous to explain email encryption to people in
general; most of the time they don't do it after you explained the basics.
It's complicated and it's hard; not even S/MIME with Outlook (built-in
support) works flawlessly, and sometimes it's awkward to troubleshoot why a
certain email was not encrypted or why it was empty after sending or why it
added \r\n lines to a csv, or whatever.

