Encouraging email security.

Daniel Carrera dcarrera@math.umd.edu
Sun May 18 21:00:02 2003


Graham wrote:

> > There is such a client, in the form of Mozilla Mail with Enigmail,
> > which has been set up to make it easy for those unused to GPG to use
> > it, but you can alter the defaults to make email handling more
> > powerful. However, it does require GPG to be installed on your system
> > and it is NOT a GUI front end for key management.

I'll take a closer look at Enigmail.
I can try to encourage my friends to use it.

It seems that there are some ways in which Enigmail could be improved:

  - It could have a front-end for key creation.
  - It could come with GPG, like Malte Gell suggested.
  - It could provide a mechanism to import/export keys.
    For instance, when it gets a signed email it could prompt the user
    to download the public key from a keyserver.

How does this sound?


Malte Gell wrote:

> The last sentence is absolutely true. But Daniel's approach has
> something promising I think. Imagine, most popular email clients would
> come up with a notice "Dear, XXX you have not yet created a private key
> for secure email communication. It is strongly recommended..." if
> started first!
> Maybe this could be a way to encourage email encryption.

Exactly.  If the mail client:
  - Encourages the user to create a key.
  - Automatically signs messages.
  - Automatically downloads a key when it gets a signed message.

There will be a natural push towards email encryption.

> A normal Windows user never gets in contact or cares about encryption, I
> think some education is needed.

Agreed.

On this note, what can we do about hotmail users?
AFAIK hotmail doesn't offer POP3 or IMAP.  Suppose, for the sake of
argument, that a hotmail user becomes interested in using GPG.  Is there
any way for him or her to start using GPG with their hotmail address?

I guess that they could send GPG attachments, but that's a highly
non-optimal solution.

In general, is there a way for a user with web-based email to start using
GPG?

It just happens that I know a medium-sized group of people who have a
non-trivial motivation to use encrypted communication.  For some of them I
can suggest Enigmail.  But many of them use web-based email systems.  What
can I do about them?

Cheers,
-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html
