NPR : E-Mail Encryption Rare in Everyday Use

Victor Duchovni Victor.Duchovni at MorganStanley.com
Fri Mar 10 09:45:33 EST 2006


On Fri, Mar 10, 2006 at 08:09:56AM +1000, James A. Donald wrote:

> These days you see
> little spam on most Usenet groups, and one of the primary uses of
> Usenet is ad hoc communication between strangers.

The federation mechanism in Usenet is explicit host peering. While the
posters may be strangers to the readers, they are not able to unicast
their content to arbitrary strangers. Joe Consumer does not use Usenet,
they use email and perhaps Yahoo groups. Moderators of groups and
server administrators can block or cancel spam posts. There is no useful
analogy here.

The federation mechanism for email is DNS MX records. Email is ubiquitous,
you don't need to peer with UUnet. When Jabber is ubiquitous (i.e. every
domain with Jabber users has a Jabber SRV record and peering is direct)
it will have more spam.

> SSL works fine, PKI has serious problems. Usenet for the most part
> works fine, Jabber works fine, email has serious problems

The problem with email is that it is more useful and more ubiquitous, and
therefore a more attractive target. Security protocols, authentication,
and so forth, should help to identify wanted email and perhaps make
tracing abuse easier, but the fundamental problem is that among the
billions of people from whom you potentially want to be able to receive
email, there are a few hundred sociopaths.

It is IMHO naive to claim that email would not have a serious spam problem
if only it were designed now rather than in a kinder, gentler past. It is
in the nature of an always-on, universally addressable service that it is
open for abuse. The problem is compounded by the presence of millions of
unsecured broadband consumer-operated machines.

It is not just that deploying a more modern email infrastructure is
complex. I have not seen any designs for email (deployable or not)
that realistically curtail abuse.

> The federated structure of jabber, where random people connect to any
> one of a very large number of privileged servers is similar to the
> Usenet structure - and the Usenet structure works because for your
> server to retain your privileges, you need to control spam.

And correspondingly the utility and ubiquity of the service are limited.
Are you proposing a fenced-in network of privileged email servers?

> > I am willing to speculate that people will continue to unfairly
> > tarnish the competence of the email RFC writers, without regard to
> > the intrinsic properties of the medium.
> 
> It is not so much that they were incompetent, but that they were
> writing for a more trusting and trustworthy world.  Today, we have to
> do things differently.

Well, this is a popular viewpoint, but I suggest that it misses the
*intrinsic* difficulty of the problem.

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com