Encouraging email security.
Sun May 18 23:56:02 2003
Content-Description: signed data
On Sunday 18 May 2003 01:42, Daniel Carrera wrote:
> I was thinking about how most people have no understanding or
> interest in email security. OpenPGP is hard enough to understand and
> use that getting the majority of the population to use it seems a
> formidable task.
> I thought of a compromise that might be a step forward. I was hoping
> that those who know more about this than I could offer an opinion.
> There could be a mail client with the following properties:
> 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
> 1024 DSA, 2048 ElGamal).
That's not really the task of a mail client. At least I would rather=20
make KMail call an external OpenPGP key manager then to add any code to=20
create keys to KMail.
> 2) Automatically signs, and encrypts emails (when the pub key is
KMail already does this.
> 3) Here is the big one:
> It stores the user's password in the hard disk, in the style of
> Mozilla, so that the user doesn't have to type it. It all happens
KMail will never do this (as long as I'm the maintainer). If you don't=20
want to type a passphrase then enter an empty passphrase. BTW, KMail=20
has the option to keep the passphrase in memory as long as it's running=20
and by using gpg-agent any application can cache the passphrase for a=20
specific amount of time. So it's not necessary that the user enters the=20
passphrase everytime it's needed.
Last but not least, I want to add that it's a nice idea to make email=20
clients encourage encryption. But as long as the most widely used (and=20
I might add the most insecure) mail client doesn't support OpenPGP=20
natively encryption will never be used by a significant number of=20
OTOH, according to c't (a German computer magazine), Microsoft just=20
demonstrated (on WinHEC 2003) the usage of Windows Rights Management=20
for email. They added a security policy to an email message which made=20
it impossible for the recipient to forward the message, to copy it to=20
the clipboard or to make a screenshot (!) of it. (Anyone remembers the=20
"for you eyes only" option in PGP?) Don't ask me how they want to=20
guarantee this but be prepared to receive email messages in the not so=20
far future which can't be read with anything else than Outlook on a=20
Palladium-secured Windows system.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----