...
I personally would prefer to sign every email I send. I'd also
prefer to encrypt all non-public messages. I am fully competent
in the use of the current technology, but it turns out to be not
practical to use.
Greg
Welcome to Email-Security. This is a technical development forum dedicated to a fresh exploration of the Internet email security issues of today, with website at http://email-security.net. Comments and paper contributions on the theme of email security are welcome. Papers will be peer-reviewed before publication. Product and service listings are also welcome, see website.
Monday, February 27, 2006
Re: NPR : E-Mail Encryption Rare in Everyday Use
Paul Hoffman wrote:
Actually, when I wrote "it does not actually work" I meant all three things:
1. It can't be done as a user would like to do it; note also that even experts
do it incorrectly (it's just too many detail devils).
2. When a user does it, the user does not really know if it was done right.
3. It is too difficult for users to use and (worse) most users who use it
do it incorrectly.
We have some choices. We can continue to say that it works and just wait
for users to get educated someday. Or, we can say that there is no x (x = market,
need, risk, point) -- and that's why no user bothers with it. Or, we can try
to understand what's it that users reject and work around it. My opinion I
already say upfront: users reject the whole model; it's not "natural" to
ask me for my envelope before you can send me a letter.
(btw, name and mail address are not the envelope -- they are routing
information. My public-key is the envelope analogue when comparing postal mail
with secure email.)
Cheers,
Ed Gerck
This is my original disagreement with Ed's message. It can be done, and when you do it it works, but it is too difficult for most people to bother with. I think we all agree on those three facts, just not on what to label the last one.
Actually, when I wrote "it does not actually work" I meant all three things:
1. It can't be done as a user would like to do it; note also that even experts
do it incorrectly (it's just too many detail devils).
2. When a user does it, the user does not really know if it was done right.
3. It is too difficult for users to use and (worse) most users who use it
do it incorrectly.
We have some choices. We can continue to say that it works and just wait
for users to get educated someday. Or, we can say that there is no x (x = market,
need, risk, point) -- and that's why no user bothers with it. Or, we can try
to understand what's it that users reject and work around it. My opinion I
already say upfront: users reject the whole model; it's not "natural" to
ask me for my envelope before you can send me a letter.
(btw, name and mail address are not the envelope -- they are routing
information. My public-key is the envelope analogue when comparing postal mail
with secure email.)
Cheers,
Ed Gerck
Re: NPR : E-Mail Encryption Rare in Everyday Use
Phil Z doesn´t know how to do it himself, at least with PGP.
He told me that he doesn´t sign people´s keys who ask for it,
simply because it would pollute his keyring on his computer,
and he couldn´t work with a keyring with thousands of people
on it anymore.
So PGP obviously has a usability and scalability problem.
So he only signs the keys of his friends because of that.
I wonder now, why he didn´t tried to solve that
usability/scalability problem himself yet, but gave up instead.
Best regards,
Philipp Gühring
Re: NPR : E-Mail Encryption Rare in Everyday Use
Paul,
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.
BTW, just to show that usability is king, could you please send me an
encrypted email -- I even let you choose any secure method that you want.
Cheers,
Ed Gerck
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.
BTW, just to show that usability is king, could you please send me an
encrypted email -- I even let you choose any secure method that you want.
Cheers,
Ed Gerck
Re: NPR : E-Mail Encryption Rare in Everyday Use
Ed Gerck wrote:
--Paul Hoffman, Director
--VPN Consortium
This story (in addition to the daily headlines) seems to make the case thatThat's an incorrect assessment of the short piece. The story says that it does actually work but no one uses it. They briefly say why: key management. Not being easy enough to use is quite different than "NOT actually working".
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.
--Paul Hoffman, Director
--VPN Consortium
NPR : E-Mail Encryption Rare in Everyday Use
This story (in addition to the daily headlines) seems to make the case that
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.
http://www.npr.org/templates/story/story.php?storyId=5227744
Cheers,
Ed Gerck
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.
http://www.npr.org/templates/story/story.php?storyId=5227744
Cheers,
Ed Gerck
Subscribe to:
Posts (Atom)