
> For signing there’s more margin; it’s okay if half the people never verify your signatures.

The problem that people may not verify signatures is one, but what's far worse is that bad email clients won't show the email content for emails signed with S/MIME certificates that have later expired. I was in an organization where S/MIME certificates were always issued with a validity of one year, and I used to sign all my mails. After a year, a colleague told me (and showed me) that my previous mails in Outlook couldn't be read any longer. Turns out that Outlook has a convoluted process to say "Yes, I know that the certificate used to sign this mail has now expired, but it was valid at the time of signing and I just want you to let me use it for older emails or just show me the email content with some warning". I had to go through a series of steps to make sure Outlook trusted those certificates for all mails.

Email clients need to improve a lot more on usability if people are to use signatures and also manage multiple (expired) certificates.


