#> When smime.p7s files start getting stripped, there goes yet another
#> potentially critical piece of security technology.
#
#All email client vendors had to do to give smime a chance in life was to
#make it easy to generate and use a cert. Automatically. Add an
#account, generate a cert. The rest can follow in due course...

Well, it's obviously not quite that easy yet, but users can currently get a free client cert by visiting a web page and filling out a form, and then clicking on a link. That part is relatively easy (and arguably easier than installing GPG and Enigmail (for example), and generating PGP keys and getting them signed, and submitting them to a keyserver, etc.)

Where things get ugly is after the user has gotten their client cert, and then needs to manually incorporate the client cert into their web browser or MUA or hardware token or smart card or whatever.

I show the process for configuring Thunderbird on the Mac (by way of example) on a one sheet/two sider:

http://pages.uoregon.edu/joe/smime/using-smime-with-thunderbird.pdf

I've tested that document with a random selection of folks, and all were able to do it, FWIW.

So yes, there is a bit of nastiness up front, but it's one time only, and nothing that can't be overcome if the user is willing to give it a shot.

#Dunno why, but the architecture seems to be an exercise in won't work.
#Is it possible that nobody really wanted smime to work?

Well, consider the large free web email providers. If their business model is "we're going to sell contextual ads to pay for the service," about the only "context" you get for S/MIME-encrypted mail is the content of the message's subject plus the header info. That's often fairly meagre gruel. It is thus perhaps not surprising that Gmail isn't pushing S/MIME encryption routinely as part of their product.

On the other hand, I don't see them interfering with Penango, a nice third party S/MIME plugin for Gmail.

That said, their non-interference might be the ultimate commentary that current levels of adoption of S/MIME for encryption represent absolutely no threat to their core contextual ad business model, unfortunately. :-(

Regards,

Joe

Disclaimer: all opinions strictly my own

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
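The thread's opening worry is signatures (the smime.p7s part) being stripped somewhere between sender and recipient. The script below is an added example, not code from Joe or anyone else on the list: it builds a throwaway self-signed certificate with the openssl CLI, signs a constructed message, verifies it, then simulates a gateway that delivers only the text part, and shows the two checks a recipient-side tool can make: does the signature still verify, and is there a pkcs7-signature part at all (so "stripped" is not confused with "present but invalid"). It assumes openssl 1.1.1 or 3.x is on PATH; every path, name and e-mail address in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: sign a constructed
# message with a throwaway self-signed S/MIME cert, verify it, then simulate a
# gateway that strips the smime.p7s part and show what a recipient's check sees.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; every name, path and
# address here is constructed for the demo.

smime_setup() {
  WORK=$(mktemp -d)
  # Constructed throwaway key and self-signed cert; the DN email is a placeholder.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=smime-demo/emailAddress=demo@example.com" >/dev/null 2>&1
  # Constructed message body (what the sender typed).
  printf 'hello from the S/MIME demo\n' > "$WORK/body.txt"
}

# multipart/signed output: part 1 is the text, part 2 is the detached
# signature, which mail clients show as the attachment smime.p7s.
smime_sign() {
  openssl smime -sign -text -in "$WORK/body.txt" -out "$WORK/signed.eml" \
    -signer "$WORK/cert.pem" -inkey "$WORK/key.pem"
}

# Verify a message against the demo cert; prints ok or FAIL.
smime_verify() {
  if openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" \
       -out /dev/null >/dev/null 2>&1
  then echo ok
  else echo FAIL
  fi
}

# Simulated stripping gateway: deliver only the first MIME part (the text)
# and drop the signature part, i.e. the "smime.p7s gets stripped" case.
smime_strip() {
  b=$(sed -n 's/.*boundary="\([^"]*\)".*/\1/p' "$1" | head -n 1)
  awk -v b="--$b" 'index($0, b) == 1 { n++; next } n == 1 { print }' \
    "$1" > "$2"
}

# Recipient-side check: is there still a pkcs7-signature part at all?
# Distinguishes "signature stripped" from "signature present but invalid".
smime_has_signature_part() {
  if grep -qi 'pkcs7-signature' "$1"; then echo yes; else echo no; fi
}

# Runs the whole round trip and prints a one-line summary.
smime_demo() {
  smime_setup
  smime_sign
  smime_strip "$WORK/signed.eml" "$WORK/stripped.eml"
  printf 'signed=%s stripped=%s sigpart_signed=%s sigpart_stripped=%s\n' \
    "$(smime_verify "$WORK/signed.eml")" \
    "$(smime_verify "$WORK/stripped.eml")" \
    "$(smime_has_signature_part "$WORK/signed.eml")" \
    "$(smime_has_signature_part "$WORK/stripped.eml")"
  rm -rf "$WORK"
}

smime_demo
```

Run it with `sh smime-demo.sh`; the summary line shows the intact message verifying and the stripped copy both failing verification and lacking any pkcs7-signature part. The second check is the useful one for monitoring: a message that arrives with a multipart/signed header but no signature part, or that a correspondent says they signed but that carries no signature part at all, points at something on the path stripping attachments rather than at a bad key.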
