Thursday, December 15, 2005

Re: about secure email technologies

--- Dino Esposito wrote:

> Mr. Gerck
> I skimmed through your "comparison of secure email
> techs..." and it
> seems to me that some of the desirable features and
> problems are outside
> the scope of the proposed technics (PKI, PGP, IBE).
> I mean, they are
> requirements about the mail protocols (e.g. return
> receipt) or SSL
> (Server spoofing).

The secure email technology may be able to directly
include a feature, in which case there's a check mark.
If the feature can't be included, an additional protocol
may be used to provide it. For example, server spoofing
could be prevented in IBE, directly, when the user
connects to the PKG to get the key (prventing credential
compromise for the real PKG).

> My field is PKI, and I think PKI
> (perhaps PGP too)
> can supply some basic technologies in order to build
> a "Secure email
> system", but it's unable to supply the full
> solution.

which must, most importantly, be usable. That's why
the paper can be useful to both improve PKI (what's
missing?) and to provide a view to new technologies
that can overcome current limitations.

> In Italy we have set up a quite complex legal and
> technical framework in
> order to have a "registered email" with all the
> features of the
> traditional registered mail and some plus (not only
> the sending is
> certified, but also the content and the integrity of
> the messages). This
> framework rules the single message AND the mail
> service providers, that
> have to be accreditated as the most trusted
> Certification Service Provider.
> These rules do not address confidentiality (SSL is
> mandatory, but the
> accreditated mail servers are nevertheless able to
> read any message),
> but this is probably the simplest issue since
> encrypting the body of a
> message is quite easy

But decryption is not, as the private-key must
be protected. That's where it's more difficult.

> I'm going to summarize these rules in English for
> other purposes; if you
> are interested I can send you as soon as available.

Yes, please do!

> Finally, I think that "F17 Verified Timestamp" is a
> feature supplied by
> PKI: the timestamp token as defined by the RFC3161

Yes, it is. It's now added in the table.

Ed Gerck

No comments: