Re: PGP alternatives ?
From: Ian (e2chameleon_at_btopenworld.com)
Date: 12/26/03
- Next message: Walter Roberson: "Re: Data encryption 360 degrees the nsa cannot break -- 01"
- Previous message: Jason LaRue: "Re: Data encryption 360 degrees the nsa cannot break -- 01"
- In reply to: JHLee: "Re: PGP alternatives ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Dec 2003 18:07:01 +0000 (UTC)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
One of the problems with point to point (user to user, as
CryptoLetter does) is that installation and configuration takes place
on every computer that is to be used. Whilst this is OK for a single
home computer or a small number of business PCs it gets a bit
difficult if you are trying to manage thousands of PCs. With a system
that uses an open standard to encrypt data you can forget it once it
has left your organisation but, according to the limited information
on the Cryptoletter web site, the system uses proprietary technology
which means that a recipient of encrypted data must also have
Cryptoletter installed on their PC. Whilst this may be OK for
Intra-company communications or for a small group of friends it makes
communicating securely with 3rd parties difficult (impossible unless
they are willing to purchase and install the software too).
If a business is communicating securely with external organisations
it may be a policy requirement for all messages to be subject to
similar checks as cleartext email (such as virus, attachment checking
etc.). This can't be done if encryption/decryption happens at the
desktop. You also have the potential problem of users deciding not to
bother using the tools given to them or even misusing them. Putting
the encryption/decryption processing at the gateway reduces the
support overhead and allows email to be routed through content
scanners in clear text (both incoming and outgoing) whilst ensuring
secure communications between organisations, in line with corporate
policies. The Ciphertrust, Cryptoex, Network Associates and Utimaco
solutions I previously mentioned all work in this way. If you are
looking for encrypted internal only communications then a solution
like Cryptoletter may be OK for you.
With regards to trust, any product that a company or individual is
considering must fit in with their strategies and policies and should
reduce risk (as defined by the company or individual) to an
acceptable level and in compliance with regional legislation.
Evaluation should include technology, product and vendor analysis.
For instance, has the underlying technology that drives a product
been implemented adequately? Is it a unique technology that no other
vendor uses and is untested in the market place? Does the vendor have
a pedigree for producing good quality products? etc. Does it use an
open standard or are you going to have to ask all your business
partners to buy the same product? (and have them refuse or demand
that you buy the product for them). Is the product to be used
internally only? Will data remain within your infrastructure, protected
by existing controls at all times?
There are organisations that test products and some are certified
under international schemes such as Common Criteria
(http://niap.nist.gov/cc-scheme/index.html) or ITSec
(http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=1).
The ICSA Labs at http://www.icsalabs.com/index.shtml tests and
certifies security related products. Analysts such as Gartner
(http://www4.gartner.com/) and Forrester Research
(http://www.forrester.com) provide analysis of technologies and
products (at a cost). These services may provide a certain level of
"trust" but it is up to the individual/organisation to make the
decisions regarding the suitability of a product to be used by them.
I personally believe that PGP on its own is simple enough to use on
a home PC but companies that need to communicate with 3rd parties
should be looking at gateway solutions that utilise multiple open
standards (such as the CipherTrust Ironmail Secure Delivery, Cryptoex
Gateway and Utimaco SecurE-Mail). I have seen companies initiate
projects concentrating on one standard only to have to start a new
project six months later because their new business partner uses a
different standard.
Cheers,
Ian Kelly,
e2chameleon Information Security Resource.
http://www.e2chameleon.btinternet.co.uk
----------------------------------------------------------------------
"JHLee" <JHLee2003@canada.com> wrote in message
news:bsh8ml$rs0$1@e22.peterstar.ru...
> I am sorry for unclear posting. I am talking about the alternatives
> for mail security, which will comply with the following:
> - point-to-point
> - strong cryptography
> - easy to use
>
> The only thing, which I have found was www.cryptoletter.com, but
> this thing does not seem to be trusted enough...
> Thank you for the information!
>
> Jim
>