De facto is a Latin expression that means 'concerning fact'. In
law, it is meant to mean 'in practice but not necessarily ordained by law' or 'in practice or actuality, but without being officially established'.
Basically, it's stuff which happens because people want it to happen like that, and they vote by doing. It is often said that RSA SecurID is the 'de facto' standard for two-factor authentication, and I would concur that there is really very little competition. Cisco is the de facto standard for switches and routers, Microsoft for Operating Systems, Google for search engines and so on.
I've worked with encryption for a loooong time now (yep, 4 'o's worth), and whereas RSA BSafe is de facto for browsers, there hasn't really been anything you would call widely accepted as 'the way forwards in encryption'. I should know, I've worked for most of them at one time or another, and none of them has been able to gain the market share or trust they want.
But, without me noticing, and that's often the way, there was always someone there in the shadows, waiting quietly, lurking in my emails, and on bulletin boards, in forums and in applications. Using exactly the same principles of key exchange as SSL - the only other real 'standard' in encryption (ok, "key exchange", you pedant) techniques - PGP have actually been there for years.
So much so that the UK government have just announced that they are using PGP for their whole disk encryption, and email. That's a pretty big deal when pretty much every government department has been told to encrypt everything from now on, or else. More on this later... for now I have more reading to do on PGP. As the bandwagon rolls into town, I'm jumping on to see if I can't ride it through.
Surely THIS TIME encryption's going to be the next big thing??