The future of security

Ed Gerck egerck at nma.com
Thu May 27 20:06:39 EDT 2004



Ian Grigg wrote:

>...  fundamentally, as Steve suggests,
> we expect email from anyone, and it's free.
> 
> We have to change one of those basic features
> to stop spam.  Either make it "non-free," or
> make it "non-authorised."  Hashcash doesn't
> achieve either of those, although a similar
> system such as a payment based system might
> achieve it.
> 
> Mind you, I would claim that if we change either
> of the two fundamental characteristics of email,
> then it is no longer email.  For this reason,
> I predict that email will die out (ever so
> slowly and painfully) to be replaced by better
> and more appropriate forms of chat/IM.

Indeed, email is not so good anymore. When lack of message
security in email becomes clearer to the users, as clear as
spam is today, the value of email will approach zero.

Practically anyone can read the email you send and receive,
your ISP included. What's the fuss with Google's Gmail? Gmail's
differential is that they do not hide that they will search through
your mailbox. Users are realizing that an email is like a postcard,
open for anyone to read and write on it. But encryption and
authentication are a hassle today, with less than 2% of all email
encrypted (sorry, can't cite the source I know).

The problem with current schemes has been that they only work
when both sender AND recipient already use the feature, the
probability of which is zero at the beginning of adoption. It's a
chicken-and-egg proposition. It is also a change to email. Even though
the existing ideas are sound in principle (e.g., PGP/MIME, S/MIME,
email gateways, etc.) they are all replacement products with
many barriers to adoption.

Instead of a replacement, I believe that what we need is a
complement to solve the lack of message security in email
(including sender spoofing). Email is just the transport.  The
solution should be able to start from a single end user, should
require no change to records/software that end users do not
control, and should require no cooperation from email providers
and ISPs.

Comments?

Cheers--/Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


