NPR : E-Mail Encryption Rare in Everyday Use

Peter Saint-Andre stpeter at jabber.org
Wed Mar 8 14:53:16 EST 2006


Victor Duchovni wrote:
> On Wed, Mar 01, 2006 at 06:15:36PM +0100, Ian G wrote:
> 
>>>> Email is hard to get encrypted, but it didn't stop Skype from doing
>>>> encryped IMs "easily."
>>>
>>> Likewise I have secured email communications with my wife via a single
>>> key exchange, so what? Skype has not "easily" created an interoperable
>>> federated system that secures all IM communications end-to-end, and
>>> many of the issues in doing that are non-technical.
>>
>> Right.  Nor did email create a single federated
>> system that crosses across to mobile phones.  There
>> is always a boundary where a system stops.
> 
> Federated accross millions of account issuing organizations, not
> technologies, and email did do that, and IM did not. IM is like email from
> a choice MCI, Sprint or AT&T, sure they can control the medium better,
> but this is a temporary state of affairs...

Monolithic consumer IM services (AIM, MSN, Yahoo, etc. are like that.
Existing federated IM standards (e.g., Jabber/XMPP) are not.

>> The point is that the non-technical issues we
>> are looking at here are *better* handled at the
>> level of competitive systems, because they have
>> incentives to solve them, whereas technical
>> committees writing RFCs do not.
> 
> These are closed systems that compete with each other, once
> they become federated, they can no longer compete on end-to-end
> security, because that is a property of the interoperability
> framework, not the individual product. Also with millions
> of account issuers, the abuse and identity problems become
> just as bad as for email. The problem is intrinsic, is not
> the result of lazy RFC writers.

Well, in the Jabber/XMPP world we require authentication, servers must
stamp the from addresses, and we use (at a minimum) reverse DNS lookups
to verify server identities (or use certs with TLS + SASL-EXTERNAL if
you want true server-to-server authentication). So I'd say the abuse and
identity problems are not as bad in IM (at least the IM technology I'm
familiar with) as in email. But you'd hope that we've learned a thing or
two since email was invented. ;-)

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3641 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20060308/7e2dd665/attachment.bin>


More information about the cryptography mailing list