Encouraging email security.

Mark H. Wood mwood@IUPUI.Edu
Wed May 21 14:30:02 2003

On Sun, 18 May 2003, Per Tunedal wrote:
> -----pgpenvelope processed message
> At 05:06 2003-05-18 +0100, you wrote:
>  >
>  >Quoting from an e-mail I got from a real user(tm):
>  >"but what is there to be encrypted? fine if we were doing something
>  >critical"
>  >
> ---
>  >Today's interfaces (gpgrelay for example) are incredibly easy to
>  >use, and their is PGP which AFAIK has a polished UI. I don't think it's a
>  >question of UI any more, I think it's a question of needs and threat models.
>  >If you don't need something and it carries a cost you're not likely to use
>  >it.
>  >
>  >- --David.
>  >
> This is an interesting approach! It's about marketing ... A lot of people
> might have a need for "our" product encryption, in our eyes. But they don't
> have the same feeling.
> Maybe we would have to focus some more urgent need of our prospect customers?
> Any marketing Guru's around?

Well, over here in .us people are beginning to get upset about identity
theft.  Unsecured email certainly sounds like an easy target for identity
thieves, to me.  Anybody see how to link the two and get some press

> BTW Identification and digital signatures with competing certificate
> techniques are "sold" in Sweden by e.g. the tax authorities: You need a
> certificate to be able to communicate with the tax agencies etc I suppose
> it will eventually be widespread, because it's more easy than filling forms
> by hand.
> The certificates are offered by the banks (easy because internet banking is
> widespread) and the Post (the snail mails doesn't produce any revenue).
> Most certificates are soft (file) certificates, but you can by an
> "electronic ID-card" at one bank (Nordea) or at a postoffice.

That sounds a lot like what I'd like to see here.  I'd also like to see
the medical industry take up encrypted electronic comm.s.  I could email
notes to be dropped into my medical record for the doctor to review
*before* my next visit.  I could receive test results more conveniently
*and* more securely.  We could move away from this insecure and
error-prone system of ordering drugs via hand-scrawled notes on little
scraps of paper.

Want more?  How about setting your community's school up with secure,
authenticated access and transmission of grade reports, disciplinary
summaries, events, etc.  Lots of people get really worked up about the
privacy of educational records and notices, yet we hand these over to
children to carry home in their bookbags.  In our community we can email
our kids' teachers informally, but we could go a lot further with secure

Lately our utilities all want me to switch over to electronic monthly
statements.  I don't want to give up paper copy, though, until they will
provide me with *signed* statements that I can take to small-claims court
as proof of what they said, if need be.

I'd like to quash "slamming" by asking my phone company to accept change
orders for my service *only* on signed media.  Maybe they'd even sell
lists of accounts that *cannot* be accessed by telemarketers, so the
latter would know better than to waste their time by wasting mine.  It
could save the telco some money too, by avoiding the investigation and
reversal of unwanted changes.

There's no end to the things we could do more conveniently and more
reliably if we had a really pervasive PKI.

Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".