E-Mail Encryption: Why Isn't Everyone Doing It?

Peter Schuller peter.schuller@infidyne.com
Thu Oct 24 17:46:03 2002


> >In order to achieve secure communication, there are certain steps that
> >MUST be taken. It cannot happen automatically, because if it does it is
> >by definition not secure.
> 
> There are relative levels of security. The tools need to allow full
> automation of the process, or else it won't happen

True. SSL with no pre-existing knowledge of certificate is better than
nothing. SSL with a CA signed certificate is better than SSL without it.
SSL with pre-defined certificates is bettar than CA signed certificates,
etc.

Correspondingly, PGP encrypted/signed communication where the passphrase
is stored in memory and/or on some network drive is a lot safer than not
using PGP at all - AS LONG AS one is not mislead into a false sense of
security above what is actually in place.


> You are confusing authentication with encryption.

No, but perhaps I was not clear enough.
 
> Authentication is complex, but encryption is relatively simple. If I want
> to send you an encrypted message, I don't need to worry about whether your
> electronic identity <peter.schuller@infidyne.com> is connected to the real
> world person "Peter Schuller". I just need to get a key that can be used
> by <peter.schuller@infidyne.com> to decrypt the message. Compared to
> authenticating a connection between an identity and a person, getting that
> key is easy.

Encryption is much less meaningless without authentication. And you are
right, I don't care about the actualy PHYSICAL identity of a person in
many cases, but I might care about the person's position. The public key
of the CEO might be published on a company's website for example.

And true, the analogy falls somewhat when you consider this. With
encryption one is usually interested in knowing that only a certain
person X has access to the E-Mail - or that that person wrote it. One
does not always have to know who X really is. A relative assurance that
the same person is at the other end is often enough when the inital
trust is based upon E-Mail communication to begin with.

-- 
/ Peter Schuller, InfiDyne Technologies HB

PGP userID: 0xE9758B7D or 'Peter Schuller <peter.schuller@infidyne.com>'
Key retrival: Send an E-Mail to getpgpkey@scode.org
E-Mail: peter.schuller@infidyne.com Web: http://www.scode.org