Beautiful Code [155]
Because the web-of-trust approach doesn't attempt to outsource key authentication the way PKI approaches do, users must play a central role in building their webs of trust and ascertaining the authenticity of public keys. This puts usability considerations front and center in the design of OpenPGP-based secure messaging systems.
Figure 11-1. How keys are validated through the web of trust
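The validation shown in Figure 11-1 is mechanical once the user has assigned owner trust: a key becomes valid when enough already-valid, trusted keys have certified it, and it then becomes a certifier in turn. The following is an added example, not Cryptonite's code, that implements the classic PGP validity computation over a small constructed keyring, plus the out-of-band fingerprint comparison a user performs before certifying a key. The thresholds (one full or two marginal certifications, at most three certification hops), the field names, and every fingerprint and user ID are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Owner-trust levels the keyring owner assigns to each key holder
# (how far you trust that person to certify *other* people's keys).
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Key:
    fingerprint: str
    uid: str
    owner_trust: str = UNKNOWN
    certified_by: set = field(default_factory=set)  # fingerprints of certifying keys
    revoked: bool = False


def compute_validity(keyring, fulls_needed=1, marginals_needed=2, max_depth=3):
    """Derive key validity from certifications and owner trust.

    Returns {fingerprint: "full" | "marginal" | "unknown"}.  Rules follow the
    classic PGP model; the threshold defaults are assumptions, not Cryptonite's:
      - an ultimately trusted, unrevoked key (your own) is fully valid;
      - a key is fully valid if certified by >= fulls_needed fully valid keys
        with full owner trust, or by >= marginals_needed fully valid keys
        with marginal owner trust;
      - a key with some, but not enough, such certifications is marginally valid;
      - only fully valid keys within max_depth hops of an ultimate key count
        as certifiers; revoked keys and self-certifications never count.
    """
    validity = {fp: "unknown" for fp in keyring}
    depth = {}  # certification hops from an ultimately trusted key
    for fp, key in keyring.items():
        if key.owner_trust == ULTIMATE and not key.revoked:
            validity[fp], depth[fp] = "full", 0

    changed = True
    while changed:  # iterate to a fixed point: validity only ever increases
        changed = False
        for fp, key in keyring.items():
            if key.revoked or validity[fp] == "full":
                continue
            full_votes = marginal_votes = 0
            best_depth = None
            for signer_fp in key.certified_by:
                signer = keyring.get(signer_fp)
                if (signer is None or signer_fp == fp or signer.revoked
                        or validity[signer_fp] != "full"
                        or depth[signer_fp] >= max_depth):
                    continue
                if signer.owner_trust in (ULTIMATE, FULL):
                    full_votes += 1
                elif signer.owner_trust == MARGINAL:
                    marginal_votes += 1
                else:
                    continue  # a valid key whose holder is not trusted to certify
                hop = depth[signer_fp] + 1
                best_depth = hop if best_depth is None else min(best_depth, hop)
            if full_votes >= fulls_needed or marginal_votes >= marginals_needed:
                validity[fp], depth[fp] = "full", best_depth
                changed = True
            elif full_votes or marginal_votes:
                validity[fp] = "marginal"
    return validity


def fingerprints_match(shown: str, read_back: str) -> bool:
    """Compare the fingerprint the client displays with one obtained out of band
    (read over the phone, printed on a card).  Grouping and case differ between
    tools, so normalise both sides; anything short of a full match is a mismatch."""
    normalise = lambda s: "".join(s.split()).upper()
    return normalise(shown) == normalise(read_back)


def sample_keyring():
    """Constructed sample keyring: every fingerprint and name here is made up."""
    keys = [
        Key("FP-ALICE", "Alice <alice@example.org>", owner_trust=ULTIMATE),  # the user's own key
        Key("FP-BOB",   "Bob",   owner_trust=FULL,     certified_by={"FP-ALICE"}),
        Key("FP-CAROL", "Carol", owner_trust=MARGINAL, certified_by={"FP-ALICE"}),
        Key("FP-DAVE",  "Dave",  owner_trust=MARGINAL, certified_by={"FP-ALICE"}),
        Key("FP-ERIN",  "Erin",  owner_trust=FULL,     certified_by={"FP-BOB"}),
        Key("FP-FRANK", "Frank", certified_by={"FP-CAROL", "FP-DAVE"}),  # two marginals suffice
        Key("FP-GRACE", "Grace", certified_by={"FP-CAROL"}),             # one marginal: marginal
        Key("FP-HEIDI", "Heidi", certified_by={"FP-MALLORY"}),           # certifier not valid
        Key("FP-IVAN",  "Ivan",  owner_trust=FULL, certified_by={"FP-ERIN"}),  # 3 hops: allowed
        Key("FP-KEN",   "Ken",   certified_by={"FP-IVAN"}),              # 4 hops: beyond max_depth
        Key("FP-JUDY",  "Judy",  certified_by={"FP-ALICE"}, revoked=True),
        Key("FP-MALLORY", "Mallory", certified_by={"FP-MALLORY"}),       # self-certified only
    ]
    return {k.fingerprint: k for k in keys}


if __name__ == "__main__":
    for fp, v in compute_validity(sample_keyring()).items():
        print(f"{fp:<12} {v}")
```

The two-marginal rule is what makes Frank's key usable without Alice ever meeting him, and the depth limit is what stops a long chain of fully trusted strangers (Ken) from inheriting that validity indefinitely; a client that exposes owner trust and validity separately, as the text goes on to describe, lets the user see which of these rules a given key's status rests on.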
11.3. Usability Is the Key
Email privacy software often requires users to jump through too many hoops, so very few bother to use it. Usability is critical to the success of any security solution, because if the system isn't usable, it will end up being bypassed or used in an insecure manner, in either case defeating its whole purpose.
A case study of the usability of PGP conducted at Carnegie Mellon University in 1998 pointed out the specialized challenges of creating an effective and usable interface for email encryption and found that of 12 study participants, all of whom were experienced at using email, "only one-third of them were able to use PGP to correctly sign and encrypt an email message when given 90 minutes in which to do so."[1]
[1] Alma Whitten and J. D. Tygar, "Usability of Security: A Case Study," Carnegie Mellon University, Technical Report CMU-CS-98-155, 1998. http://reports-archive.adm.cs.cmu.edu/anon/1998/CMU-CS-98-155.pdf.
I saw Cryptonite as an interesting project in terms of designing a secure, reliable, and efficient email system while achieving a very high level of usability. I set out to create a web-mail system that would embed OpenPGP security into the very structure of the email experience, and help even casual users to effectively utilize OpenPGP to achieve communications privacy. The webmail format was chosen specifically because it could bring powerful communications privacy technology to anyone with access to an Internet café, or a cellphone with a web browser, not just to the few able to run desktop email encryption software on powerful computers.
Cryptonite was designed to make encryption a normal part of everyday email, not by masking the complexities of the public-key cryptosystems that it relies on, but rather by making the elements of these systems clearer and more accessible to the user. Usability considerations were thus central to Cryptonite's design and development, which showed in a number of ways:
Development of UI functionality from user feedback and usability studies
The CMU user study provided many good ideas for the initial design, and many features evolved out of usability testing with Cryptonite itself by casual email users. The interface was kept clean, minimalist, and consistent, with all important actions being at most one or two clicks away at all times.
Significant insights gleaned from usability testing included the need to integrate key management into the email client, the need to offer persistence for decrypted messages, and the desirability of exposing message structure information in the message list view.
The final three-pane layout, similar to that found on desktop email programs, was decided on after testing a simple single-pane HTML interface as well as an AJAX interface. The three-pane interface optimized the user's experience by not forcing a page reload every time one returned to the message list, as a single-pane design does, and a simple three-pane HTML interface was both more portable and cleaner to implement than an AJAX one, while not being much more bandwidth-intensive.
Rich and meaningful exposure of OpenPGP objects to the user in an intuitive way
All key operations are available to the user, including generating, importing and exporting keys; checking key signatures and fingerprints; certifying keys and revoking key certifications; and publishing keys to and retrieving them from a key server. This puts the user in full control of her own web of trust. The validity and trust levels of keys are visible explicitly in text, as well as by