Subject: Re: BPG call for use cases
To: Curt Sampson <cjs@cynic.net>
From: Martin Husemann <martin@duskware.de>
List: tech-security
Date: 07/22/2005 10:14:01

On Fri, Jul 22, 2005 at 01:20:38PM +0900, Curt Sampson wrote:
> In this case, can one reasonably use PGP without understanding the
> difference between the signing and encryption keys, indeed, without
> understanding that they are two separate keys? Can one reasonably use
> PGP without understanding the difference between a key and an identity,
> indeed, without understanding that they are two separate things?

Partly, IMHO, yes.

There are basic things you need to understand: the difference between public
and private keys, and "signing" and "encrypting" - but both are pretty
obvious. You do not really have to understand that (or why) the system
uses different keys for encryption or signing.

It is pretty obvious for the user what an identity is. Attached to this
identity there are multiple eMail addresses and keys. The user trusts the
system to pick the right key for him, given the eMail address(es) and the
operation performed.

Then there are rare management events or operations, like expiry of a key,
revocation, creating a new key, importing a key, establishing trust chains
etc. All these operations happen so rarely that a non-cryptographic-geek
user needs strong guidance, good defaults, and verbose error messages.


Martin