New blog post: Yes, We Want Cryptographic Protection for Email https://sequoia-pgp.org/blog/2021/06/29/202106-yes-we-want-cryptographic-protection-for-email/

The TL;DR is: email is not going away, and it is being used for some important things. So it would be negligent to give up on protecting email, just because we have Signal.

Despite the Johnny studies, which focus on ordinary users, there is a evidence that people who need protection are able to successfully use OpenPGP. For instance, hundreds of people involved in the Panama Papers correctly and consistently used PGP over the course of a year. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/mcgregor

Our email accounts are our primary online trust anchor. If you forget your password, you can use an account recovery tool to get an email that will let you back in. So can an attacker. Securing email would move the trust anchor to the encryption key.

Phishing results in huge financial loses. If businesses consistently used digital signatures, users would largely be protected without have to think.

Businesses need to communicate with everyone. Email is the common denominator. And even if they did want to use a secure messenger, they probably can't due to compliance requirements like archival. These emails deserve cryptographic protection.

@nwalfield I agree with your thesis & most of what you're saying, but I can't relate to email being the common denominator. Since #MS & #Google have broken email by restricting inbound msgs on the basis of IP, I can no longer email most people and businesses.

@nwalfield i can receive email, but I can't send it.. unless I dance for them and conform to relaying my mail through a 3rd party & needlessly expose metadata, and also give up the ability to see if the receiving servers accepts the msg.

@nwalfield when small companies DNSBL firewall their inbound mail, it's an overreaction to spam. When big corps do it, it's to monopolize under the veil of anti-spam. Either way, two-way email is dead to me.

@resist1984 @nwalfield I disagree. For about a decade my personal e-mail account has been (and continues to be) hosted with the Warsaw Hackerspace, who self-host their e-mail system. Never had any major problems with mail delivery to third-parties, including GMail and MS infrastructure.

A few months ago I also set-up my own self-hosted e-mail system using @yunohost, which makes it easy to have DMARC and SPF. It works well. No delivery problems so far either.

@resist1984 @nwalfield @yunohost and even *with* DNSBL and spam issues, e-mail is STILL more open and self-hostable than WhatsApp and Signal, and the like.

Yes, it's a bit of a chore (although it got easier with Yunohost), and no I would not expect a non-techie to host.

But even a fantastic techie would not be able to "self-host" Signal or WhatsApp to stay in touch with their users. The very thought is absurd, because these are walled-gardens.

@resist1984 @nwalfield @yunohost and that's kind of the point, isn't it.

There are plenty of problems with e-mail, and some can be fixed. And yes, it's hosting is very centralized. It still remains a more self-hostable solution, and one that gives the users more agency, than walled gardens.

@rysiek @yunohost @nwalfield in Europe you can't self host unless you pay more. In the US, you can self host but most recipients (dominant tech giants in particular) will reject. That's not "the point", it's missing the point. EFF wrote a good article on the collateral damage.

@resist1984 @yunohost @nwalfield and with Signal and WhatsApp you *cant self-host, full stop*!

I honestly do not understand what you are arguing for here?

@rysiek @nwalfield @yunohost i oppose both Signal and WhatsApp. they are even more exclusive than email. But email is also exclusive. A premise that email is a "common denominator" is a broken premise

@resist1984 @nwalfield @yunohost okay, it's just much closer to being a common denominator, than Signal and WhatsApp could ever be. Does that sound better?

@rysiek @yunohost @nwalfield i've not suggested walled gardens. #Jami is a decent option that is not a walled garden. It's more inclusive than email, signal, and whatsapp.

@resist1984 @rysiek @yunohost @nwalfield sadly I have to disagree on #jami (same apply to #briar) : it’s not a decent replacement for email because both user shall be online to communicate, by design there is no server to deliver or receive the message in case the devise is shut down. It is impractical to use a message system with this behavior equivalent to posting letters.

@parisni @rysiek @nwalfield @yunohost for asynchronous msgs, #Wire is better. It's centralized, but it's more inclusive and less exposing than email. It relies on email for registration, but you only need to be able to receive email so it avoids all the pitfalls of sending email.