E-Mail Encryption: Why Isn't Everyone Doing It?
Erick Thompson
ethompson@nbr.org
Thu Oct 24 00:04:02 2002
> I really see no difference in ease of use between this and e-mailing people,
> other than the fact that you downplay key verification and provide no
> coverage for web of trust while likely insecurely passing passphrases
> between processes and providing no support for cross-platform communication.

I'm no expert in encryption (far from it), but it seems to me that a lot of
problems come about by trying to make a platform completely secure, and
saying that everything that doesn't achieve that is insecure, and therefore
as bad as no security. I understand that if a system is vulnerable to an
attack it can be compromised, but sometimes half a cake is better than none :)

In the case of passing passphrases between processes being a bad thing, yes
it is, but if your system is running a trojan or process that can grab info
passed between processes, you're SOL already. An earlier poster talked about
not having passphrases at all, which I think is a great idea, as long as
encryption and authentication are separated! I would like to see my users
using encryption, but the level of hassle needed to do it right now is too
high.
Erick