-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David, thanks for your reply.  I've posted the message below, 
including your full reply to help clarify things.  I'm certainly 
encouraged to hear that you've eliminated key escrow from your 
product.  The single most important change you could make.

I hope you understand that we'll continue to be critical of ZixMail 
and other technologies which claim to be security solutions, but do 
so in a proprietary manner.  While I appreciate your efforts to make 
email encryption more accessible and easy to use, there are a number 
of significant drawbacks to consider.  First, this creates factions 
in the user base.  Email encryption is much like email itself.  It is 
really only useful if both people's systems can "talk" to each other. 
Maybe you remember when online services were popular.  If you were on 
AOL, you could email others on AOL, but not those on Compuserve. 
Eventually, the value of connecting the two is realized, and you have 
to integrate the lowest common denominator between systems.  This is 
a sad process that ultimately will hurt the cause of email security. 
The existing standards (S/MIME & PGP) leave a lot to be desired in 
functionality, and the current implementations lack in usability. 
However, I would encourage you to consider building on these 
standards.  Allow me to use PGP to secure my email to ZixMail users.

The cryptography community has learned a great deal about the value 
of open source.  Sharing algorithms and protocols for peer review has 
made them strong and predictable.  This has been proven time and 
again as proprietary implementations are broken, often publicly.  In 
all likelihood, you're benefiting from this approach, and have chosen 
RSA or DH/DSS for your public key ciphers.  This may give you 
quantifiable confidence in your work, but you're asking your users to 
trust you and your implementation of these ciphers.  Our view is that 
what is publicly known can be trusted, that you should pass the code 
on to your customers, so they can see for themselves how secure it 
is, as the cryptographers you're relying on have done for you.

Thanks for listening, I think you'll find there is a large community 
of security professionals who are willing to embrace a service such 
as ZixMail for its added value.  At the same time, we're leery of 
people exploiting security technologies for profit which don't 
contribute to the common good.

Paul Holman

My posting to [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED] and <http://www.shmoo.com> follows:

Yesterday, we reported that ZixMail <http://www.zixmail.com> 
incorporated key escrow.  Today I got an email message from the CEO 
of ZixIt Corporation <http://www.zixit.com>, David Cook, claiming that 
is no longer the case:

>I wanted to address the "key escrow" issue that you have raised regarding
>ZixMail.
>
>The quote that you reference was from last July - when the escrow was
>required for "hard" encryption. That requirement was eliminated in December
>- and we do not keep an escrow of any kind.
>
>I would like to invite you to come to Dallas and visit our data center. I
>will personally walk you through the system design, etc...
>
>Let me know if you are interested in coming to Dallas.
>
>Thanks
>
>David Cook (CEO)
>ZixIt Corporation

My efforts to contact ZixMail about this yesterday failed, and I 
apologize for the outdated information.  Hopefully they're working on 
replies to our other advice:

        - Open source their (crypto) code
        - Embrace at least one of the existing standards for
          encrypted email (PGP &/or S/MIME).
- --
Paul Holman
Special Agent
The Shmoo Group
<http://www.shmoo.com/>
[EMAIL PROTECTED]
<http://www.shmoo.com/~pablos/>
PGP fingerprint: CFBF CC8D 7BC8 FDE3 74BD
                  9DB0 88E6 B201 3F5A B569

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
Comment: The magic words are squeamish ossifrage.

iQA/AwUBONwDIYjmsgE/WrVpEQLlbACgqJoCNZ9WS9GbfDc8gw8EwUbo8+IAnjeB
XFG2t0HwS5pT+QROnYUQQ8WJ
=XK6U
-----END PGP SIGNATURE-----
