Encouraging email security.
Lucas Gonze
lgonze@panix.com
Sun May 18 07:45:02 2003
A good idea.
On Sat, 17 May 2003, Daniel Carrera wrote:
> I was thinking about how most people have no understanding or interest in
> email security. OpenPGP is hard enough to understand and use that getting
> the majority of the population to use it seems a formidable task.
>
> I thought of a compromise that might be a step forward. I was hoping that
> those who know more about this than I could offer an opinion.
>
> There could be a mail client with the following properties:
>
> 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
> 1024 DSA, 2048 ElGamal).
> 2) Automatically signs and encrypts emails (when the pub key is
> available).
> 3) Here is the big one:
> It stores the user's password on the hard disk, in the style of
> Mozilla, so that the user doesn't have to type it. It all happens
> automatically.
>
> This would be a significant down compared to the proper use of OpenPGP,
> but a significant up compared to what exists today. Now emails would go
> around signed and encrypted. In order to read a message an attacker would
> have to get the password from the recipient's hard drive. A determined
> attacker could certainly do that, but the casual one would not.
>
> Today's email system is about as secure as a postcard.
> This alternative would raise the bar somewhat above sending mail in a
> sealed envelope. It raises the effort needed to eavesdrop on a
> conversation or impersonate someone.
>
> Any thoughts?
>
> --
> Daniel Carrera | OpenPGP fingerprint:
> Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
> UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html
>