[Dshield] Outlook & PGP signed e-mail. Was: ID theft ring hits 50 banks, firm says

Stephane Grobety security at admin.fulgan.com
Wed Aug 10 07:55:43 GMT 2005


The problem is not the technology, it's the infrastructure: getting a
X509 certificate is not exactly expensive, but it's something most
people will not do. The CAs do not help by asking a yearly fee for a
few bytes of data while having security verifications that are both
annoying to the users (in particular if you don't happen to live in
the US) and insecure (bad tradeoff). So X509 usage is usually limited
to a company or even a specific application (where it works very well
indeed).

As for PGP, it suffers from a similar problem: getting a key pair is
easy and free, but getting it safely to your recipient is not: I could
easily get a signature in the name of, say, John W. Bush and have 20
or 30 people sign it. Heck, I could CREATE 20 or 30 identities, have
them all sign my J.W.B. certificate and send them all off to a public
key server. So we use other techniques to distribute keys like putting
them in web sites, or putting them in all our emails in the hope that
when it will be necessary, the end user will be able to verify it.
trouble is: repudiating such a key is pretty hard and it's also
vulnerable to poisoning attack if planned beforehand.

So, when faced with a technology that is complex, potentially
expensive and doesn't work very well on fully public networks, you
can't really blame people not to use it.

Good luck,
Stephane

JBU> [...] It is sad,
JBU> but only a tiny fraction of e-mail users uses signed/encrypted email,
JBU> even though almost every non-web based client supports some kind of
JBU> encryption/signing.




More information about the list mailing list