NPR : E-Mail Encryption Rare in Everyday Use

Paul Hoffman paul.hoffman at vpnc.org
Sun Feb 26 14:12:35 EST 2006


At 5:59 PM -0500 2/24/06, John Kelsey wrote:
>What we ultimately need is encryption and
>authentication that are:
>
>a.  Automatic and transparent.
>
>b.  Add some value or are bundled with something that does.
>
>c.  Don't try to tie into the whole horrible set of PKI standards in
>terms of uniquely identifying each human and bit in the universe, and
>getting them to sign legally binding messages whose full
>interpretation requires reading and understanding a 30-page CPS.

We have the preamble and (a) already; the problem is that the 
preamble is insufficient. What we ultimately need is encryption and 
authentication *and validation of the authentication* that match at 
least (a).

Currently, it is the validation of the authentication that makes most 
users uninterested. When you get a message from Bob that comes with a 
warning that says "I cannot tell whether or not Bob really sent 
this", but you are sure that Bob actually sent that (due to some 
out-of-band knowledge), you lose faith in the system. When Bob has 
the same problem with your messages, you give up.

For signed personal mail, (b) and (c) may be mutually exclusive. Why 
sign your messages if you don't want to be held liable for their 
contents? How can you get the reward of integrity without the cost of 
responsibility?

Given those two hurdles, my hopes for authenticated mail are near zero. I 
have some hopes for authenticated syndicated messages through Atom or 
RSS, but not this year. The hardest part there will be (c), but there 
are many environments where signing one-way mail is quite 
appropriate, particularly in replacing paper messages.

The demand for encryption of personal email is perpetually low. 
Without a legal requirement, it will probably always be a small niche 
market.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com