Re: Open letter
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 "Ihnen, David" wrote: > Maybe an extra-low-effort system would consist of a simply speaking a > keyword into a microphone I would find this more troublesome than typing my passphrase. - -- David Nicol 816.235.1187 [EMAIL PROTECTED] Originator of the world's first combination bassinet and table saw -BEGIN PGP SIGNATURE- Version: perl -pe '$_=unpack("u*",$_);' Comment: 92G5S="!!;F]T:&5R(%!E
RE: Open letter
Would you consider PGP more than a low-effort? It would be zero effort if we weren't concerned about the privacy of our own secret keys, thus keeping them encrypted behind passwords. Maybe an extra-low-effort system would consist of a simply speaking a keyword into a microphone, and using voiceprint authentication to decrypt the secret keys. Fortunately almost all computers have the ability to read in decent quality audio. Sending to particular people is no effort - the public key aquisition can be automated. Its interesting to think of the change in load on list servers. Would you encrypt to the list server, who then decrypts and re-encrypts for each client, or would there be a collaborative key for the list that everybody had the secret to and could decrypt? More probably we would just cleartext-sign the messages for source authentication, for backwards compatibility, I suspect. Either way, it can be zero-effort for the people generating the e-mail, outside of authenticating your personal secret key, though accepting the e-mail has the same effort problems. I would be signing my messages pgp, if I could, but I haven't gotten ahold of PGP 7 yet... and the earlier versions don't work on 2000. David -Original Message- From: Michael T. Babcock [mailto:[EMAIL PROTECTED]] Sent: Monday, July 31, 2000 9:06 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Open letter And unfortunately, zero-effort security is, with current technology, an oxymoron. Swipe-card key systems that do the authentication would be low-effort. Retina scanning cameras built into your monitor to do authentication would be low effort as well. Until then, people have to decide if its worth their effort or not. [EMAIL PROTECTED] wrote: > Key management is a non-zero effort, installation is a non-zero effort, > cost is a non-zero effort and actual usage is a non-zero effort. > > Total transparency is what I define as "easy to use" in the context > of the average email user (who probably has an email address at AOL). > I'm afraid anything less won't get there.
Re: Open letter
And unfortunately, zero-effort security is, with current technology, an oxymoron. Swipe-card key systems that do the authentication would be low-effort. Retina scanning cameras built into your monitor to do authentication would be low effort as well. Until then, people have to decide if its worth their effort or not. [EMAIL PROTECTED] wrote: > Key management is a non-zero effort, installation is a non-zero effort, > cost is a non-zero effort and actual usage is a non-zero effort. > > Total transparency is what I define as "easy to use" in the context > of the average email user (who probably has an email address at AOL). > I'm afraid anything less won't get there.
Re: Open letter
Blackey <[EMAIL PROTECTED]> wrote: >" > The Bill means the UK government - specifically the Home Office and > Home Secretary Jack Straw - can demand encryption keys to any and all > data communications, with a prison sentence of two years for those who > do not comply with the order. > >(source "http://uk.news.yahoo.com/000728/101/aedvu.html")" Yow. Well, you could always move to a free country. Luckily, one's already been set up for you. :-) >Most email transmitted now doesn't require PGP protection, (or warrant it). I >know that with the amount of email I get in a day, I wouldn't want the >extra overhead of having to decrypt it all. Ah, but if you only encrypt the stuff that needs to be encrypted, you're waving a red flag and saying "Hey, look! I've got something to hide!" Better to encrypt everything you can and keep the spooks guessing. The overhead should be acceptable with modern hardware--and well worth it to preserve your privacy. -Dave
Re: Open letter
Agreed: PGP (et. al.) is definately the answer, not server-to-server encryption. However, properly authenticated DNS (or an evolution thereof) and resulting authenticated (S/Q)MTP sessions would be a leap forward as well. [EMAIL PROTECTED] wrote: > The problem with your solution is that server to server encryption > does not stop government and big corporations from looking at your > mail on the mail server after it has arrived. Ask any system admin > how hard it is to scan /var/mail or a users home directory. Answer, > it's trivial.
Re: Open letter
Patrick Lambert <[EMAIL PROTECTED]> wrote: >Each SMTP server could compute a random set of keys when it >is installed, and a simple new command could be added to retrieve >the public key. When any connection is made between the servers, >a public key would be fetched. If the remote server has not been >upgraded and does not support PKI, then the transmission would >continue in a normal way. If both servers support it, then >encryption could be established, automatically, using PKI. Congratulations, you've just reinvented RFC2487: http://www.ietf.org/rfc/rfc2487.txt qmail patch available from: http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch -Dave
Re: Open letter
On Sat, Jul 29, 2000 at 11:33:33AM -0700, [EMAIL PROTECTED] wrote: > > The problem with your solution is that server to server encryption > does not stop government and big corporations from looking at your > mail on the mail server after it has arrived. Ask any system admin > how hard it is to scan /var/mail or a users home directory. Answer, > it's trivial. It will make it more likely that governments will actually need to get warrents to look at the mail instead of just scanning stuff at will that goes through the major exchange points.
Re: Open letter
On Sat, Jul 29, 2000 at 04:39:42PM -0400, Adam McKenna wrote: > On Sat, Jul 29, 2000 at 11:33:33AM -0700, [EMAIL PROTECTED] wrote: > > What I do agree with is that doing this is currently way too > > hard for the average user and any efforts to make this easier > > are a good thing. But you need to direct your letter at the > > email client programmers rather then the email server > > programmers. > > I would have agreed with this 5 years ago, but the current version of WinPGP > for windows is so easy to use, that I don't believe this is the reason > anymore. I think the majority of people don't use PGP/PKI for the following > reaons: > > 1) They don't know it exists > 2) They don't want to spend the money on PGP (if they're not eligible to use > the freeware version > 3) They just don't consider their privacy to be important enough to warrant > the installation of a new software package. Key management is a non-zero effort, installation is a non-zero effort, cost is a non-zero effort and actual usage is a non-zero effort. Total transparency is what I define as "easy to use" in the context of the average email user (who probably has an email address at AOL). I'm afraid anything less won't get there. Regards.
Re: Open letter
On Sat, Jul 29, 2000 at 11:33:33AM -0700, [EMAIL PROTECTED] wrote: > What I do agree with is that doing this is currently way too > hard for the average user and any efforts to make this easier > are a good thing. But you need to direct your letter at the > email client programmers rather then the email server > programmers. I would have agreed with this 5 years ago, but the current version of WinPGP for windows is so easy to use, that I don't believe this is the reason anymore. I think the majority of people don't use PGP/PKI for the following reaons: 1) They don't know it exists 2) They don't want to spend the money on PGP (if they're not eligible to use the freeware version 3) They just don't consider their privacy to be important enough to warrant the installation of a new software package. --Adam
Re: Open letter
On Sat, 29 Jul 2000, Patrick Lambert wrote: > compromised by big corporations or governments. Some recent > examples include the recent survey results that showed over 50% > of corporations in the USA check their employees Internet usage > and e-mails, the Carnivore system from the FBI, aimed at checking > e-mails for potential criminal activity, and the UK law that > would force the ISPs to send all e-mails from everyone to the > government. This is without even talking about the many crackers AFAIK, (and I could be wrong about this), the UK law also has a section about PGP, making it a felony to NOT produce your PGP key on demand. " The Bill means the UK government - specifically the Home Office and Home Secretary Jack Straw - can demand encryption keys to any and all data communications, with a prison sentence of two years for those who do not comply with the order. (source "http://uk.news.yahoo.com/000728/101/aedvu.html")" Most email transmitted now doesn't require PGP protection, (or warrant it). I know that with the amount of email I get in a day, I wouldn't want the extra overhead of having to decrypt it all. just my $0.02
Re: Open letter
> This is an open letter to the developers of the main SMTP servers > that are used all over the Internet. In recent years, we have all > seen in the news the many instances where our privacy has been > compromised by big corporations or governments. Some recent > examples include the recent survey results that showed over 50% > of corporations in the USA check their employees Internet usage > and e-mails The problem with your solution is that server to server encryption does not stop government and big corporations from looking at your mail on the mail server after it has arrived. Ask any system admin how hard it is to scan /var/mail or a users home directory. Answer, it's trivial. Since most users do not run their own mail servers, but access one via POP/IMAP, your solution will not affect the vast majority of people. The *real* solution is to use some form of end-to-end encryption. In other words, encrypt your email before it leaves your email program (whether it be on a PC, a server or a handheld device) in such a way that only the recipient can decrypt it. PGP and their ilk already provide this capability. What I do agree with is that doing this is currently way too hard for the average user and any efforts to make this easier are a good thing. But you need to direct your letter at the email client programmers rather then the email server programmers. Regards.