Fog Creek Software
Discussion Board




Email Encryption / Digital Signing

Quick Poll: Does anyone actually use these?

I am doing some basic research into email encryption (in particular), and most of the info I am finding is years out of date or companies trying to sell certificates.

The way that Outlook supports these features seems awfully cumbersome to me, and I don't know anyone personally who uses them.

Anyone have experiences to share?  Articles to link to?

Thanks,

Phibian
Thursday, January 22, 2004

Myself and some coworkers at a former workplace were heavy users of PGP -- Mostly to keep an overly busy (and underworked) administrator out of our business. It worked brilliantly.

Microsoft's encryption solution, like so many of their solutions, is geared to their corporate partners (which is why virtually no one uses it).

Anonymizer
Thursday, January 22, 2004

gpg on occasion for me, using various webmail clients.

dir at badblue dot com
Thursday, January 22, 2004

I digitally sign all my email.  The problem comes from the fact that many folks can't read signed messages (most notably when using webmail). 

Ankur
Thursday, January 22, 2004

Signed messages are not (necessarily) encrypted. Why can't they read them? The signature adds plain text around the message with the signature information. The body is left readable, even by someone who doesn't have the appropriate software to verify your signature.

Did you mean to say you encrypted everything?

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, January 22, 2004

Just a heads up: there are a lot of fairly stealthy keystroke loggers out there; you'll need to account for such creatures to get anywhere with gpg on Windows.

Li-fan Chen
Thursday, January 22, 2004

Well, the default setting in Outlook is that a digitally signed message is packaged as an attachment (with an extension of .p7k I think).  You have to tell Outlook to send a clear text copy along with the signed copy.

Ankur
Friday, January 23, 2004

exactly. not even Outlook Web Access can read signed messages for some reason. you download the attachment and read it in notepad.

mb
Friday, January 23, 2004
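
Added example, not part of any post in this thread: a Python sketch of the distinction discussed above, telling a clear-signed message (body readable by any client) from an opaque-signed one (body wrapped inside the signature container, which shows up as an attachment). The three sample messages are constructed, their signature bytes are placeholders, and nothing here verifies a signature.

```python
from email import message_from_string

def classify(raw):
    """Return (kind, text). text is None when the body cannot be read
    without first decoding the signature/encryption container."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.is_multipart():
        # Clear-signed (S/MIME or PGP/MIME): part 0 is the body as sent,
        # part 1 is the detached signature.
        body = msg.get_payload(0)
        text = None if body.is_multipart() else body.get_payload().strip()
        return "clear-signed", text
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # The body is inside a CMS blob; smime-type says whether that blob
        # is signed-data (signed only) or enveloped-data (encrypted).
        return "opaque:" + (msg.get_param("smime-type") or "unspecified"), None
    text = msg.get_payload()
    if isinstance(text, str) and "-----BEGIN PGP SIGNED MESSAGE-----" in text:
        # Inline PGP: armor lines are added around a body left in plain text.
        return "inline-pgp-signed", text.strip()
    return "unsigned", text if isinstance(text, str) else None

# Constructed samples; "AAAA" stands in for real signature bytes.
CLEAR_SIGNED = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; micalg=sha1; boundary="b1";\n'
    ' protocol="application/pkcs7-signature"\n'
    "\n--b1\nContent-Type: text/plain\n\nLunch at noon?\n"
    "--b1\nContent-Type: application/pkcs7-signature\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
)
OPAQUE_SIGNED = (
    "MIME-Version: 1.0\n"
    "Content-Type: application/pkcs7-mime; smime-type=signed-data\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n"
)
INLINE_PGP = (
    "Content-Type: text/plain\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nLunch at noon?\n"
    "-----BEGIN PGP SIGNATURE-----\n\nAAAA\n-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    for sample in (CLEAR_SIGNED, OPAQUE_SIGNED, INLINE_PGP):
        print(classify(sample))
```
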

I use Thunderbird and encrypt mail all the time, it's pretty painless.

Andrew Murray
Friday, January 23, 2004

I have looked into these things.
The "executive summary": as it stands signed email is usable only within closed user groups (in practice inside the company). It will take a few years before the general PKI infrastructure is "good enough" to allow more common usage.
Clients are getting better at dealing with signed messages (e.g. do I check >everything< necessary to OK the signing certificate, how do I handle unavailability of a CRL,...). Technical standards are very well adhered to, but as it stands, and as has been well documented, the use cases do not gel very well with user practice/psychology. Furthermore, the maintenance of the necessary PKI infrastructure is still too much overhead for most general cases.

Just me (Sir to you)
Friday, January 23, 2004

"exactly. not even Outlook Web Access can read signed messages for some reason. you download the attachment and read it in notepad."

This is a failure of Outlook, not a failure of digital signature technology. Every OTHER mail program on the planet is not so broken.

Brad Wilson (dotnetguy.techieswithcats.com)
Friday, January 23, 2004

that's the point: it's not that technically it's infeasible. it's that it's unusable today, so no one will use it.

mb
Friday, January 23, 2004

I guess if you presume 100% of people use Outlook, then it follows 0% of people would use it.

You could use something besides Outlook. *shrug*

Brad Wilson (dotnetguy.techieswithcats.com)
Friday, January 23, 2004
