NPR : E-Mail Encryption Rare in Everyday Use

Ben Laurie ben at algroup.co.uk
Sun Feb 26 06:22:05 EST 2006


Victor Duchovni wrote:
> On Fri, Feb 24, 2006 at 01:44:14PM +0000, Ben Laurie wrote:
> 
>> Ed Gerck wrote:
>>> Paul,
>>>
>>> Usability should by now be recognized as the key issue for security -
>>> namely, if users can't use it, it doesn't actually work.
>>>
>>> And what I heard in the story is that even savvy users such as Phil Z
>>> (who'd have no problem with key management) don't use it often.
>>>
>>> BTW, just to show that usability is king, could you please send me an
>>> encrypted email -- I even let you choose any secure method that you want.
>> Sure I can, but if you want it to be encrypted to you, then you need to
>> publish a key.
> 
> More strongly, if we've never met, and you are not in the habit of
> routinely signing email, thereby tying a key to your e-persona, it
> makes no sense to speak of *secure* communication to *you*. Which "you"
> would that be, the one who sent me all those exciting zip files of W32
> executables, or the one I think is posting to this list?
> 
> The only identity you (who hypothetically do not garnish each message
> with a signature) have is your mailbox. I can bootstrap that (with
> questionable initial security) to a key via a "private" unencrypted
> email message, and over a time as the key is consistently used grow to
> associate the key with an on-line persona.

Don't forget that the ability to decrypt is just as good as a signature
to prove association of the key.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
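
Ben's closing point, shown as an added example that is not part of the original post: a correspondent who has never signed anything can still be tied to a published key by encrypting a fresh nonce to that key and checking the reply. The sketch assumes textbook RSA over constructed Mersenne-prime keys with no padding, for illustration only, and all function names are hypothetical; real mail would use OpenPGP or S/MIME.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent used for both constructed keys


def make_keypair(p, q):
    """Build a toy RSA key pair from two primes (constructed sample keys)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def issue_challenge(public_key):
    """Verifier: encrypt a fresh nonce to the published key, keep its hash."""
    n, e = public_key
    nonce = secrets.randbelow(n - 2) + 2
    expected = hashlib.sha256(str(nonce).encode()).hexdigest()
    return pow(nonce, e, n), expected


def answer_challenge(private_key, ciphertext):
    """Responder: decrypt and reply with the nonce's hash, so the
    recovered plaintext itself is not sent back in the clear."""
    n, d = private_key
    nonce = pow(ciphertext, d, n)
    return hashlib.sha256(str(nonce).encode()).hexdigest()


def verify(expected, response):
    """Verifier: constant-time comparison of the expected and returned hash."""
    return hmac.compare_digest(expected, response)


def demo():
    """Return (key holder passes, holder of a different key passes)."""
    owner_pub, owner_priv = make_keypair(2**127 - 1, 2**89 - 1)
    _, other_priv = make_keypair(2**107 - 1, 2**61 - 1)
    ciphertext, expected = issue_challenge(owner_pub)
    return (verify(expected, answer_challenge(owner_priv, ciphertext)),
            verify(expected, answer_challenge(other_priv, ciphertext)))


if __name__ == "__main__":
    print(demo())
```

A correct reply shows only that whoever answered from that mailbox holds the private key; as with a signature, it says nothing about who that person is beyond the mailbox.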


