Encouraging email security.

[Ingo Klöcker]

--Boundary-02=_BX/x+DFP4C+oBvz
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Sunday 18 May 2003 01:42, Daniel Carrera wrote:
> I was thinking about how most people have no understanding or
> interest in email security.  OpenPGP is hard enough to understand and
> use that getting the majority of the population to use it seems a
> formidable task.
>
> I thought of a compromise that might be a step forward.  I was hoping
> that those who know more about this than I could offer an opinion.
>
> There could be a mail client with the following properties:
>
> 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
>    1024 DSA, 2048 ElGamal).

That's not really the task of a mail client. At least I would rather=20
make KMail call an external OpenPGP key manager then to add any code to=20
create keys to KMail.

> 2) Automatically signs, and encrypts emails (when the pub key is
>    available).

KMail already does this.

> 3) Here is the big one:
>    It stores the user's password in the hard disk, in the style of
>    Mozilla, so that the user doesn't have to type it.  It all happens
>    automatically.

KMail will never do this (as long as I'm the maintainer). If you don't=20
want to type a passphrase then enter an empty passphrase. BTW, KMail=20
has the option to keep the passphrase in memory as long as it's running=20
and by using gpg-agent any application can cache the passphrase for a=20
specific amount of time. So it's not necessary that the user enters the=20
passphrase everytime it's needed.

Last but not least, I want to add that it's a nice idea to make email=20
clients encourage encryption. But as long as the most widely used (and=20
I might add the most insecure) mail client doesn't support OpenPGP=20
natively encryption will never be used by a significant number of=20
people.

OTOH, according to c't (a German computer magazine), Microsoft just=20
demonstrated (on WinHEC 2003) the usage of Windows Rights Management=20
for email. They added a security policy to an email message which made=20
it impossible for the recipient to forward the message, to copy it to=20
the clipboard or to make a screenshot (!) of it. (Anyone remembers the=20
"for you eyes only" option in PGP?) Don't ask me how they want to=20
guarantee this but be prepared to receive email messages in the not so=20
far future which can't be read with anything else than Outlook on a=20
Palladium-secured Windows system.

Regards,
Ingo


--Boundary-02=_BX/x+DFP4C+oBvz
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA+x/XBGnR+RTDgudgRAnWbAJ9h5hNn/6hRJn0VNU/Kh6+SAtLWQgCffYBI
CuYavAwEaEBOKW5bOiRzsVo=
=f2d6
-----END PGP SIGNATURE-----

--Boundary-02=_BX/x+DFP4C+oBvz--