>Perhaps this will all change because before Snowden we were blissfully unaware
Every time I see this in regards to email, I'm puzzled. Carnivore was known about in the 90s. Then there was the AT&T Room 641A in the 200s. So I don't know how people were unaware that state level actors could tap connections and record email.
Second, for this threat model, just forcing and validating TLS on SMTP gets you pretty far, does it not? You're then mostly trusting your email provider. And without trusting them, we get into user-unfriendly stuff like not being able to forget your password. (Barring some sort of breakthrough ideas.)
Seriously, has there been any good proposals that provide strong privacy (say, no one but the user can read the message) but aren't complicated or require users to do things they aren't gonna do: validate keys? PGPFone and ZRTP are great because you already have an "out-of-band" key auth mechanism in place, and it's fairly straightforward to check.
My mom didn't know about Carnivore. I did because I worked at an ISP. My mom knows about Snowden. Thus the general public was blissfully unaware, now they are not.
Re: "You're then mostly trusting your email provider. And without trusting them, we get into user-unfriendly stuff like not being able to forget your password."
Nobody should trust their email provider if they are concerned about the privacy of their email. The Job To Be Done, by an email provider such as gmail/yahoo/hotmail is to act as a mail store, and mta. A user should be able to rely on a local MUA for confidentiality. Admittedly, that shifts the level of trust from the Email Provider to the provider of the MUA software and the Local Hardware, which is why things like OpenBSD/Linux and (hopefully not firmware-tweaked) commodity hardware is so important.
What your proposing is currently limited to people that are more-or-less OK putting up with PGP. For everyone and their mom to use encryption, features like "I forgot my password and now lost all my email" aren't acceptable. Nor are things like "I've got to make a separate, verified, out-of-band contact to verify that I've got the right key".
I'm hoping someone comes up with a breakthrough idea here, something fantastic that enables real privacy with no inconvenience. But in 20 years, there's been essentially zero progress on that front. All proposals either violate Most Users' required features, or boil down to offloading trust to the email provider.
I don't see any way to protect users against forgetting their encryption passphrase, or losing their private key, without offloading trust somewhere. Except for backups, anyway.
It can be very hard to know whether you have the right public key, especially for people that you know only from online activity. And it's not uncommon to find multiple unrevoked keys, with the same email address.
But check out https://keybase.io/mirimir. You can easily get a GnuPG key that signed proofs in my profile here, on GitHub, and on reddit. Also, the email address in my key is linked to a Gravatar that StackExchange and other sites use. So whoever I am, you can be confident that I control that GnuPG key.
> I don't see any way to protect users against forgetting their encryption passphrase, or losing their private key, without offloading trust somewhere.
Private keys are obviously an issue, but I don't really get why passwords are considered so important.
I like to use GPG when I can for communicating with people, but most of the things I put on it are less private than what you would get if you got my computer.
I don't think passwords protect you if the attacker can install a keylogger (correct me if I'm wrong), so anyone with hardware access or malware isn't going to be stopped. You are only protecting against people that can read files from your computer but not install hardware/software.
I think for the average user the password provides little extra security while having a high UI cost.
Every time I see this in regards to email, I'm puzzled. Carnivore was known about in the 90s. Then there was the AT&T Room 641A in the 200s. So I don't know how people were unaware that state level actors could tap connections and record email.
Second, for this threat model, just forcing and validating TLS on SMTP gets you pretty far, does it not? You're then mostly trusting your email provider. And without trusting them, we get into user-unfriendly stuff like not being able to forget your password. (Barring some sort of breakthrough ideas.)
Seriously, has there been any good proposals that provide strong privacy (say, no one but the user can read the message) but aren't complicated or require users to do things they aren't gonna do: validate keys? PGPFone and ZRTP are great because you already have an "out-of-band" key auth mechanism in place, and it's fairly straightforward to check.