by schoen 4375 days ago
One of the biggest difficulties for "easy and secure" key exchange is that so many people want to be able to access private communications on many different devices.

How do you authorize a new device in an "easy and secure" way without simply outsourcing the problem to an intermediary who is then in a position to attack you by authorizing its own devices?

This issue has quite concrete implications for the security and convenience of lots of existing security tools, from GPG to iMessage to Skype to Firefox. They've chosen different approaches but the underlying problem and associated tradeoffs apply to all of them.

On the bright side, there are now a lot of people exploring the space of possibilities for dealing with these tradeoffs.

1 comments

"The perfect is the enemy of the good."

Just authorize. If you have perfect forward secrecy, as long as you aren't being man-in-the-middled right now, you're safe.

It's better to have all people doing everything encrypted by default than not.

The goal isn't for one individual to be safe against a targeted NSA attack. That's insane--if the NSA wants you specifically, you are screwed; it simply has far too many resources to bring to bear.

The goal is to make it expensive for the big agencies to do pervasive surveillance. If everybody is encrypting all the time, random peon at Three Letter Agency has to get up from his chair and actually authorize a wiretap, get a warrant, etc. At that point, it's not going to happen unless you've actually done something very wrong.

Fully agreed up until your last sentence: It's not going to happen unless they have reason to believe it will lead to evidence of someone doing something wrong, and that it will be wrong enough to justify the effort.