If you see BEGIN PGP SIGNED then your email program is broken

2013-03-04 00:00:00 +0000


XKCD has posted a nice cartoon that demonstrates a fundamental flaw in how security experts treat those they are supposed to protect — the end users.

What’s wrong with this picture? If you see this PGP SIGNED header then your email client does not support PGP. The whole point is that the signature should be verified without requiring the user to even touch any additional programs. It could have been like that back in 1994, when I translated the PGP manual into Polish in my MS-DOS editor. Now the user should just be seeing the final result — verification succeeded or failed. You should be able to drill down for details, but the distinction between success and failure needs to be obvious and visible at first glance.

This is how PGP works in Hushmail or Enigmail, and how S/MIME works in most email programs (Outlook, Thunderbird). Requiring the user to see any internal transport headers and run external programs to determine a message’s authenticity is nonsense.
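As an added illustration (not code from the original post), the following Python does the first thing a mail client must do before it can verify a cleartext-signed message and show only the result: split the RFC 4880 section 7 framing into the hash header, the canonical signed text and the signature armor. The message text is constructed here; the signature data is a placeholder.

```python
"""Split a PGP cleartext-signed message (RFC 4880 section 7) into the parts
a mail client hands to its OpenPGP engine, instead of showing the raw armor."""

ARMOR_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample; the signature body is a placeholder, not real data.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "- -- forwarded price list --\n"   # dash-escaped line
    "Item A   \n"                      # trailing whitespace is not signed
    "From the desk of bob\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER-SIGNATURE-DATA\n"
    "-----END PGP SIGNATURE-----\n"
)


def parse_cleartext_signature(raw: str) -> dict:
    """Return {'hash': [...], 'text': str, 'signature': str}.

    'text' is the dash-unescaped, trailing-whitespace-stripped text with CRLF
    line endings, i.e. the bytes the signature was computed over. Raises
    ValueError on a structurally broken message (strict handling)."""
    lines = raw.splitlines()
    try:
        start = lines.index(ARMOR_BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError as exc:
        raise ValueError("not a complete PGP cleartext-signed message") from exc

    # Armor headers ("Hash: SHA256") follow the BEGIN line up to a blank line.
    hashes, i = [], start + 1
    while i < sig_start and lines[i] != "":
        key, sep, value = lines[i].partition(":")
        if sep != ":" or key.strip() != "Hash":
            raise ValueError(f"unexpected armor header: {lines[i]!r}")
        hashes.extend(h.strip() for h in value.split(","))
        i += 1
    if i >= sig_start:
        raise ValueError("missing blank line after armor headers")

    body = []
    for line in lines[i + 1:sig_start]:
        if line.startswith("- "):
            line = line[2:]            # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError(f"unescaped dash at line start: {line!r}")
        body.append(line.rstrip(" \t"))
    # The line ending before the signature block is not part of the signed text.
    text = "\r\n".join(body)
    signature = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return {"hash": hashes or ["MD5"], "text": text, "signature": signature}
```

With these three parts the client can run verification itself and render a single verified/not verified indicator, which is the behaviour the post asks for.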

There was a similar, broken concept in Polish e-invoicing law. The law required that e-invoices be sent as one (unsigned) PDF file accompanied by a separate XML file containing a Qualified Signature. The latter required a separate, proprietary program to verify. Obviously, the actual number of people who ran that separate program was close to zero. And it was these people who were right, not the designers, because it made no sense. Most embarrassing was that in 2005, when this law was enacted, the main argument for such a solution was that it would result in “increased security and confidence from consumers”.