New blog post: Yes, We Want Cryptographic Protection for Email https://sequoia-pgp.org/blog/2021/06/29/202106-yes-we-want-cryptographic-protection-for-email/

The TL;DR is: email is not going away, and it is being used for some important things. So it would be negligent to give up on protecting email, just because we have Signal.

Despite the Johnny studies, which focus on ordinary users, there is a evidence that people who need protection are able to successfully use OpenPGP. For instance, hundreds of people involved in the Panama Papers correctly and consistently used PGP over the course of a year. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/mcgregor

Our email accounts are our primary online trust anchor. If you forget your password, you can use an account recovery tool to get an email that will let you back in. So can an attacker. Securing email would move the trust anchor to the encryption key.

Phishing results in huge financial loses. If businesses consistently used digital signatures, users would largely be protected without have to think.

Businesses need to communicate with everyone. Email is the common denominator. And even if they did want to use a secure messenger, they probably can't due to compliance requirements like archival. These emails deserve cryptographic protection.

@nwalfield I agree with your thesis & most of what you're saying, but I can't relate to email being the common denominator. Since #MS & #Google have broken email by restricting inbound msgs on the basis of IP, I can no longer email most people and businesses.

@nwalfield i can receive email, but I can't send it.. unless I dance for them and conform to relaying my mail through a 3rd party & needlessly expose metadata, and also give up the ability to see if the receiving servers accepts the msg.

@nwalfield when small companies DNSBL firewall their inbound mail, it's an overreaction to spam. When big corps do it, it's to monopolize under the veil of anti-spam. Either way, two-way email is dead to me.

@resist1984 @nwalfield I disagree. For about a decade my personal e-mail account has been (and continues to be) hosted with the Warsaw Hackerspace, who self-host their e-mail system. Never had any major problems with mail delivery to third-parties, including GMail and MS infrastructure.

A few months ago I also set-up my own self-hosted e-mail system using @yunohost, which makes it easy to have DMARC and SPF. It works well. No delivery problems so far either.

@resist1984 @nwalfield @yunohost and even *with* DNSBL and spam issues, e-mail is STILL more open and self-hostable than WhatsApp and Signal, and the like.

Yes, it's a bit of a chore (although it got easier with Yunohost), and no I would not expect a non-techie to host.

But even a fantastic techie would not be able to "self-host" Signal or WhatsApp to stay in touch with their users. The very thought is absurd, because these are walled-gardens.

@resist1984 @nwalfield @yunohost and that's kind of the point, isn't it.

There are plenty of problems with e-mail, and some can be fixed. And yes, it's hosting is very centralized. It still remains a more self-hostable solution, and one that gives the users more agency, than walled gardens.

@rysiek @yunohost @nwalfield in Europe you can't self host unless you pay more. In the US, you can self host but most recipients (dominant tech giants in particular) will reject. That's not "the point", it's missing the point. EFF wrote a good article on the collateral damage.

@resist1984 @yunohost @nwalfield and with Signal and WhatsApp you *cant self-host, full stop*!

I honestly do not understand what you are arguing for here?

@rysiek @nwalfield @yunohost i oppose both Signal and WhatsApp. they are even more exclusive than email. But email is also exclusive. A premise that email is a "common denominator" is a broken premise

@resist1984 @nwalfield @yunohost okay, it's just much closer to being a common denominator, than Signal and WhatsApp could ever be. Does that sound better?

@rysiek @yunohost @nwalfield i've not suggested walled gardens. #Jami is a decent option that is not a walled garden. It's more inclusive than email, signal, and whatsapp.

@resist1984 @yunohost @nwalfield sure, but the question the blogpost answers is not: "what better system can we try to get people on?"

...but: "should we perhaps consider actually making e-mail encryption work?"

And the answer to that question is a strong "we absolutely should".

Simply because not doing that is leaving millions people vulnerable.

@resist1984 @yunohost @nwalfield and I think what really annoys me (not necessarily with your position, but definitely with EFF's) is that they make a huge thing about how "exclusive" e-mail is, and then proceed to tell people to move to Signal.

🤦‍♀️

I've seen this pattern with the EFF for years - one can see a similar thing with their criticism of social media monopolists but still shunning of fedi. I even spoke to them about it. They don't see a problem there.

@rysiek @nwalfield @yunohost EFF's article which correctly criticizes collaterally damaging email practices long predates Signal. It was written when email was the only game in town

@yunohost @nwalfield @rysiek but certainly the #EFF's endorsement of #Signal today is despicable

@resist1984 @nwalfield I could understand it if it was a piece of a bigger puzzle: "for these specific kinds of things, Signal is your best bet; otherwise you might want to look at Jami, Briar, or OpenPGP e-mail even".

I know first-hand how important OpenPGP e-mail is for journalists in the field. And I also remember how utterly fscked I was when during E-Fail debacle, the only info EFF was sending out is "stop using e-mail", and I had nothing to work with regarding ~150 PGP-using journalists.

@rysiek @nwalfield Jami should be your first port of call because it's the most inclusive and also more secure than PGP mail (due to all the plaintext metadata). Sure failing that, PGP email may suit some circumstances but that's always a subset of what Jami can accomodate.