[linux-elitists] Phil Zimmermann on key exchange

Karsten M. Self kmself@ix.netcom.com
Mon Dec 10 23:43:55 PST 2001


on Mon, Dec 10, 2001 at 06:24:46PM -0800, Don Marti (dmarti@zgp.org) wrote:
> begin Seth David Schoen quotation of Fri, Dec 07, 2001 at 11:42:26PM -0800:
> 
> > Reviving a thread from last month:
> 
> (More on encrypted email infrastructure from Seth:
> http://vitanuova.loyalty.org/2001-12-07.html)
> 
> > The Board of Directors of EFF met today in San Francisco, and I made a
> > presentation about this, in the presence of Brad Templeton and others.
> > One of the conclusions was that EFF's role in implementing something
> > like this is still not defined clearly enough, and we don't know what
> > we could most usefully do.
> 
> In order to seriously deploy encrypted email you need to kick the
> email client support problem and the key management problem at the
> same time.
> 
> One possible role for EFF would be as a founding member of an
> encrypted email industry consortium analogous to W3C.  Such an
> organization would have to be positioned as a way to fight
> cyberterrorism and protect infrastructure.
> 
> It would be nice to get Ximian, the KDE project and Qualcomm to
> join, and use the words "Secure Email" or "Email Security" in the
> organization's name somewhere.  You probably aren't going to get
> any mail client vendor that depends on many Secret Police customers
> to join.

My own experience is that _authentication_ is as much a significant and
important use as encryption.  For this niche, there's a value add to any
individual or organization which wants to create the opportunity for
secure, authentic, communications between business units, with
constituents, or with customers.

Examples IRL that I've run across, and possible partners:

  - Customer service for financial institutions.  My broker (Schwab) has
    email support, but responded to my requests that email solicitations
    to my account be stopped with a particularly ironic "however, your
    email has been sent via an unsecure channel".  I pointed out that
    the issue wasn't security, but authentication, and that my prior
    (and current) message was in fact signed with a well-known and
    fairly widely signed PGP key....[1]

    Later, Schwab offered a service to provide account summary
    information via email.  Initiated with a sample of such a service.
    This got a livid response from me, along with a pointer to their
    previous message.

    The company mEconomy is apparently targeting financial institutions
    which can offer secure networking services to customers as a
    value-add (whether this flies or not is another question).  Seems
    there is a market for both authenticated (this _is_ a message from
    Schwab) and encrypted (these are your account details) emails.

    While many companies are flocking to the web (and various
    exclusionary site designs) to facilitate customer interactions,
    email has been largely unutilized.  This flies in the face of the
    fact that _paper_ mail communications have been used for ages.
    Facilitating secure, authenticated, email communications should be a
    compelling business case.

    The problem, of course, is that you can try selling things to
    customers when they come to your website, call your help desk, or
    walk into the store.  Doing same by way of email is a trickier
    proposition, and makes the option less immediately attractive for
    companies whose business plan reads "sucker bait".

  - Congress has, shall we say, discovered issues with toting tons of
    paper of diverse origins into its deepest inner chambers in recent
    months.  It's also shown a less than stellar record of dealing with
    email correspondence.  Methods of authenticating _known_
    constituents' mail (or at least known campaign contributors') might
    prove useful.

  - Various sorts of information would be well served to have an
    authenticating signature attached (naturally this requires the
    recipient know enough to validate the signature and interpret
    results properly).  Corporate press releases, emergency government
    bulletins, various official versions of forms and such.

Just a few ideas off the top of my head (or bottom of the barrel).

Peace.

----------------------------------------
Notes

1.  And that "unsecure" isn't a word, it's "insecure".  But I digress.

-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html