New blog post: Yes, We Want Cryptographic Protection for Email https://sequoia-pgp.org/blog/2021/06/29/202106-yes-we-want-cryptographic-protection-for-email/

The TL;DR is: email is not going away, and it is being used for some important things. So it would be negligent to give up on protecting email, just because we have Signal.

Despite the Johnny studies, which focus on ordinary users, there is a evidence that people who need protection are able to successfully use OpenPGP. For instance, hundreds of people involved in the Panama Papers correctly and consistently used PGP over the course of a year. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/mcgregor

Our email accounts are our primary online trust anchor. If you forget your password, you can use an account recovery tool to get an email that will let you back in. So can an attacker. Securing email would move the trust anchor to the encryption key.

Phishing results in huge financial loses. If businesses consistently used digital signatures, users would largely be protected without have to think.

Businesses need to communicate with everyone. Email is the common denominator. And even if they did want to use a secure messenger, they probably can't due to compliance requirements like archival. These emails deserve cryptographic protection.

@nwalfield I agree with your thesis & most of what you're saying, but I can't relate to email being the common denominator. Since #MS & #Google have broken email by restricting inbound msgs on the basis of IP, I can no longer email most people and businesses.

@nwalfield i can receive email, but I can't send it.. unless I dance for them and conform to relaying my mail through a 3rd party & needlessly expose metadata, and also give up the ability to see if the receiving servers accepts the msg.

@nwalfield when small companies DNSBL firewall their inbound mail, it's an overreaction to spam. When big corps do it, it's to monopolize under the veil of anti-spam. Either way, two-way email is dead to me.

@resist1984 @nwalfield I disagree. For about a decade my personal e-mail account has been (and continues to be) hosted with the Warsaw Hackerspace, who self-host their e-mail system. Never had any major problems with mail delivery to third-parties, including GMail and MS infrastructure.

A few months ago I also set-up my own self-hosted e-mail system using @yunohost, which makes it easy to have DMARC and SPF. It works well. No delivery problems so far either.

@resist1984 @nwalfield @yunohost and even *with* DNSBL and spam issues, e-mail is STILL more open and self-hostable than WhatsApp and Signal, and the like.

Yes, it's a bit of a chore (although it got easier with Yunohost), and no I would not expect a non-techie to host.

But even a fantastic techie would not be able to "self-host" Signal or WhatsApp to stay in touch with their users. The very thought is absurd, because these are walled-gardens.

@resist1984 @nwalfield @yunohost and that's kind of the point, isn't it.

There are plenty of problems with e-mail, and some can be fixed. And yes, it's hosting is very centralized. It still remains a more self-hostable solution, and one that gives the users more agency, than walled gardens.