Greetings,

This is an open letter to the developers of the main SMTP servers
used all over the Internet. In recent years, we have all seen in
the news the many instances where our privacy has been compromised
by big corporations or governments. Some recent examples include
survey results showing that over 50% of corporations in the USA
check their employees' Internet usage and e-mails, the Carnivore
system from the FBI, aimed at checking e-mails for potential
criminal activity, and the UK law that would force ISPs to send
everyone's e-mails to the government. This is without even
mentioning the many crackers who use sniffers to peek at e-mails
while they are in transit. The traditional response from the geek
community has been to promote e-mail encryption such as PGP.

Unfortunately, this has not worked well because for normal end
users, encryption is not an easy task. The encryption software
has to be installed, and each correspondent needs his or her own
key published. This is where my suggestion comes in. Every SMTP
server should have its own public-key encryption built in, to
encrypt all transmissions between mail servers. This would cut
down on 50% of all security problems, and on the common fact that
sending e-mail is like sending a postcard over the Internet. The
way to implement this is not with third-party software or optional
SSL add-ons. This needs to be a feature which is turned on by
default. Each SMTP server could compute a random set of keys when
it is installed, and a simple new command could be added to
retrieve the public key. When any connection is made between two
servers, the public key would be fetched. If the remote server has
not been upgraded and does not support PKI, the transmission would
continue in the normal way. If both servers support it, encryption
could be established automatically using PKI.
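The negotiation the letter describes, modelled end to end as an added example (this is not code from the letter or from any SMTP server; the command names GETKEY and ENCRYPTED are hypothetical, DATA is used only as a stand-in for the unchanged plaintext path, and the textbook RSA and SHA-256 counter-mode keystream are illustrative substitutes for real key wrapping and a real session cipher). The sending side probes the peer for a public key; a peer that was not upgraded answers with a 500 reply and the transfer falls back to plaintext, while an upgraded peer gets a fresh session key wrapped under its public key and the message encrypted under that key. The `wire` list records everything a passive sniffer on the link would see, so the difference between the two modes can be checked directly.

```python
"""Opportunistic server-to-server encryption, modelled in stdlib Python.
Constructed example: each "server" computes an RSA key pair when it starts,
answers a hypothetical GETKEY command with its public key, and a sending
server encrypts only when the peer supports that command."""
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used only to generate the demo's RSA primes."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits: int = 512):
    """The random key set a server computes once, when it is installed
    (textbook RSA without padding: illustrative only, not production crypto)."""
    def prime(k):
        while True:
            cand = secrets.randbits(k) | (1 << (k - 1)) | 1
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        try:
            d = pow(65537, -1, (p - 1) * (q - 1))  # fails if 65537 divides phi(n)
        except ValueError:
            continue
        return (p * q, 65537), (p * q, d)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric session cipher: SHA-256 in counter mode as a keystream
    (illustrative; a real implementation would use AES-GCM or similar)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class MailServer:
    """Receiving side; supports_pki=False models a server that was not upgraded."""
    def __init__(self, supports_pki: bool):
        self.supports_pki = supports_pki
        self.inbox = []
        if supports_pki:
            self.public_key, self.private_key = generate_keypair()

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "GETKEY" and self.supports_pki:     # hypothetical new command
            n, e = self.public_key
            return f"250 {n:x} {e:x}"
        if verb == "ENCRYPTED" and self.supports_pki:  # hypothetical new command
            wrapped_hex, cipher_hex = arg.split()
            n, d = self.private_key
            session_key = pow(int(wrapped_hex, 16), d, n).to_bytes(32, "big")
            self.inbox.append(keystream_xor(session_key, bytes.fromhex(cipher_hex)).decode())
            return "250 OK"
        if verb == "DATA":                             # stand-in for the unchanged plaintext path
            self.inbox.append(arg)
            return "250 OK"
        return "500 command not recognized"

def deliver(receiver: MailServer, message: str, wire: list) -> str:
    """Sending side. Each line appended to `wire` is what a passive sniffer on
    the link would see. Returns the mode the transfer ended up using."""
    def send(line):
        wire.append(line)
        reply = receiver.handle(line)
        wire.append(reply)
        return reply

    reply = send("GETKEY")
    if not reply.startswith("250"):   # peer not upgraded: continue the normal way
        send(f"DATA {message}")
        return "plaintext"
    _, n_hex, e_hex = reply.split()
    n, e = int(n_hex, 16), int(e_hex, 16)
    session_key = secrets.token_bytes(32)   # fresh per connection, wrapped under the peer's key
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    send(f"ENCRYPTED {wrapped:x} {keystream_xor(session_key, message.encode()).hex()}")
    return "encrypted"

if __name__ == "__main__":
    for upgraded in (True, False):
        wire = []
        mode = deliver(MailServer(upgraded), "meet at noon", wire)
        print(mode, "| message readable on the wire:", any("noon" in l for l in wire))
```

Against an upgraded peer the message never appears on the wire; against a legacy peer it does, exactly as the letter intends. The caveat a practitioner would add is that the public key is fetched in band and never authenticated, so this defeats a passive sniffer but not an active attacker on the path, who can answer GETKEY with a key of their own or with a 500 reply and thereby force the plaintext fallback. That is the same weakness of opportunistic encryption that SMTP's later STARTTLS mechanism (RFC 3207) has, and the reason a deployment wants some way to know in advance that a peer is supposed to support encryption.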

Of course this is only a suggestion and cannot work unless the
popular SMTP server software implements it. It is an easy thing
to implement Internet-wide on the server-to-server side, since
only a few server software packages exist. It could also be
implemented on the server-to-client side if the client software
makers would collaborate: simply implement the same mechanism for
connections from clients and let the client check whether the
server software supports PKI. With the same public-key encryption
standard used by every server, the client makers would implement
support for it in no time.

Thanks for your time, and I hope this open letter will help
preserve our freedom and privacy in the Internet world.


Patrick Lambert
IT Consultant
Internet Society Member

--

Patrick Lambert - Computer Scientist
IT Consultant and Technical Writer
Phone: (819) 696-2204
FAX: (425) 740-0422
