The problem of messaging security right now is very similar to the problem we had early on with stopping spam. Whenever someone proposed a solution to problem X, they would be drowned out by a chorus of people saying that the REAL problem is Y and then someone would insist it is Z and then someone would demand that the solution work in zero gravity.
There are many problems to be solved with messaging security and I think they are all solvable *in time*. There are problems that can be solved right now and there are problems that we can't address for a couple of years when some critical Intellectual Property is no longer encumbered. And there are problems that can't be solved without completely re-doing the messaging infrastructure.
So here is the problem I have been working on recently. At the start of this thread Fred complained that he has a list of people's PGP keys and email addresses but can't send them encrypted mail. I have a PGP key on one of the key servers but I tell people not to use it because I don't have the private key. I installed a plug in, started the program and it uploaded the key to a server without asking me and didn't tell me how to delete it either. And it turns out that isn't possible.
We can't get everyone using encrypted mail if we design products for outselves, like Fred pointed out. But another part of the problem is that these days we all have multiple devices and neither OpenPGP nor S/MIME has any mechanism that is suitable for managing that situation.
No copying my private key file about is not a solution. A private key that is installed on more than one machine should be rolled over regularly. By which I mean once a month. So using fingerprints of public application keys isn't going to be an answer either.
My point here is that the email security apps are not currently usable and there is no way to make them usable without standards support to automate the administrative tasks that are dumped onto the user.
Which is what I have been building the Mathematical Mesh (MMM) to address.
I have released the code:
Next week I will be working on some demonstrations. The bottom line is that any time that the user is given a set of instructions to follow, that set of instructions should be given to the computer instead as code.
The prototype runs on windows and will configure unmodified Windows Live Mail to use S/MIME without the user needing to do anything other than say which applications they want to secure.
The same approach can be applied to OpenPGP. But rather more interestingly, it can be applied to SSH as well and the same tool that simplified management of cryptographic configuration can be used to simplify network configuration as well.
PHB