Encouraging email security.

Daniel Carrera dcarrera@math.umd.edu
Sun May 18 01:41:02 2003

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I was thinking about how most people have no understanding or interest in=
email security.  OpenPGP is hard enough to understand and use that getting=
the majority of the population to use it seems a formidable task.

I thought of a compromise that might be a step forward.  I was hoping that=
those who know more about this than I could offer an opinion.

There could be a mail client with the following properties:

1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
   1024 DSA, 2048 ElGamal).
2) Automatically signs, and encrypts emails (when the pub key is=20
3) Here is the big one:
   It stores the user's password in the hard disk, in the style of
   Mozilla, so that the user doesn't have to type it.  It all happens

This would be a significant down compared to the proper use of OpenPGP,=20
but a significant up compared to what exists today.  Now emails would go=20
around signed and encrypted.  In order to read a message an attacker would=
have to get the password from the recipient's hard drive.  A determined=20
attacker could certainly do that, but the casual one would not.

Today's email system is about as secure as a postcard.
This alternative would raise the bar somewhat bit above sending mail in a=
sealed envelope.  It raises the effort needed to eavesdrop in a=20
conversation or impersonate someone.

Any thoughts?

Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.2 (SunOS)