Encouraging email security.

Lucas Gonze lgonze@panix.com
Sun May 18 07:45:02 2003

A good idea.

On Sat, 17 May 2003, Daniel Carrera wrote:

> I was thinking about how most people have no understanding or interest in
> email security.  OpenPGP is hard enough to understand and use that getting
> the majority of the population to use it seems a formidable task.
> I thought of a compromise that might be a step forward.  I was hoping that
> those who know more about this than I could offer an opinion.
> There could be a mail client with the following properties:
> 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
>    1024 DSA, 2048 ElGamal).
> 2) Automatically signs, and encrypts emails (when the pub key is
>    available).
> 3) Here is the big one:
>    It stores the user's password in the hard disk, in the style of
>    Mozilla, so that the user doesn't have to type it.  It all happens
>    automatically.
> This would be a significant down compared to the proper use of OpenPGP,
> but a significant up compared to what exists today.  Now emails would go
> around signed and encrypted.  In order to read a message an attacker would
> have to get the password from the recipient's hard drive.  A determined
> attacker could certainly do that, but the casual one would not.
> Today's email system is about as secure as a postcard.
> This alternative would raise the bar somewhat bit above sending mail in a
> sealed envelope.  It raises the effort needed to eavesdrop in a
> conversation or impersonate someone.
> Any thoughts?
> --
> Daniel Carrera         | OpenPGP fingerprint:
> Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
> UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html