Re: Using S-MIME (encrypted & signed email)

From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 11/23/02


From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com>
Date: Sat, 23 Nov 2002 08:57:37 -0500

I am glad to hear that there is a transparent solution out there. [OTOH, no
matter how transparent it is, it still requires the other entities you email
to also implement a compatible system, which is still a significant hurdle,
for it to be useful.]

"Michel Gallant (MVP)" <neutron@istar.ca> wrote in message
news:3DDE4769.64B1F7CE@istar.ca...
> I think the main issue you seem to emphasize is a "perceived"
> complexity. I have quite a bit of experience with a new un-named
> PKI vendors, and my experiences are that the main reason more
> people don't use it is NOT because they feel they "don't need to",
> but rather that it is too complex.
> This is an implementation issue: Typically, the folks in charge of
> supporting PKI are also the overly-techie guys who have too much
> say on how it gets deployed to end-users and configured.
> This is an end-user education issue also:
> I have demonstrated to lawyers, gov't officials etc.. how easy it is
> to get up and running with a transparent commercial CA S-MIME
> certificate and their reaction 99% of the time is "why didn't someone
> tell me or show me how easy it is to use??" We all know that issuances
> practices by CAs are not perfect, but it does work reasonably well.
>
> We all know that it is inappropriate to use signed and/or encrypted email
> for everything. Again, this is about reasonable judgment. Being able to
> encrypt email is about better security practice, not about bullet-proof
> security. Think about important information, being sent by companies on
> business practices, company strategy, board minutes, legal correspondence?
> Many of the workers have no idea that their emails are potentially sitting
> on several servers, ready to be used by an IT admin on those servers,
> waiting to make his/her big strike! We are not talking about CIA
> cloak-dagger stuff here, but IMPORTANT information that ought to be
> protected. The fact that there has been no (publicly visible) incident yet
> is a poor excuse to not use secure email IMHO
>
> off the sandbox ...
>
> - Mitch
>
>
> "Karl Levinson [x y] mvp" wrote:
>
> > "Michel Gallant (MVP)" <neutron@istar.ca> wrote in message
> > news:3DDAD314.314484BF@istar.ca...
> >
> > > so are you saying that you view the risks are worth living with, given
> > > your perceived view of complexity in deployment?
> >
> > Well, sort of. We've been living with the theoretical risks of internet
> > email for years because convenience always trumps security every time. We
> > didn't view it in terms of risks but in terms of the loss of convenience
> > in exchange for a feature we weren't convinced we really needed and that
> > no one else seems to need either. E.g. 1) encryption and signing is
> > worthless unless you can convince all other companies you are emailing to
> > use the same software, 2) even then it might be worthless if the users
> > fail to encrypt or sign a particular email before it is sent or miss the
> > message that an incoming email is not authentic, 3) everyone else
> > continues to use unencrypted email and realize that it is not appropriate
> > for sensitive communications, 4) not counting FBI's Carnivore, email
> > capturing is I am guessing at an all-time low for most companies due to
> > increase in traffic and noise on the internet and increase in switched
> > technologies, 5) the attached signature makes the email uglier and
> > increases bandwidth usage and reduces the speed and capacity of various
> > systems, 6) even a security conscious administrator doesn't want to have
> > to enter in a long passphrase every time an email is sent and received
> > and sometimes twice per each email, 7) it's hard to get buy-in from top
> > execs for a product that requires the password be entered in so
> > frequently, 8) I don't trust any security scheme that relies on the user
> > to manually make the right choices to prevent the data from being
> > compromised, 9) I would think that administrative overhead would go up in
> > the form of more help desk calls and questions, CA maintenance, etc.
> >
> > As I said, my email encryption experience is just with one product, so
> > maybe some of this is off base. I don't know.
> >
> > > I am somewhat surprised that Microsoft do not "walk the talk" by
> > > posting important notices (here or via email) that are digitally signed
> > > email :-) I have seen some PGP, but what about something a bit more
> > > transparent and standardized? After all, Win2000 and XP have a healthy
> > > dose of WFP (Windows File Protection) built on similar signature
> > > technology.
> >
> > Well, I don't know how important these posts really are... partly because
> > people understand this is kind of like chatting on a busy city street and
> > that eavesdropping and impersonation are risks. The incidence of a forgery
> > here seems to be pretty slim, too. Also, signing your posts every time you
> > answer the question "how do I turn off content advisor" would slow
> > downloads, increase the server disk space utilization and internet
> > bandwidth use, possibly require entering a password for every post, etc.
> > Looking at other similar Usenet sites, it seems to me that signing Usenet
> > posts remains pretty uncommon except for a few isolated security
> > professionals.
>
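As an added illustration, not part of this thread or anyone's post in it: the S-MIME signing and verification mechanics the two posters are debating, run with openssl's `smime` command on a self-signed certificate constructed for the demo (a stand-in for the commercial CA certificate Mitch describes; the address alice@example.invalid and the message text are made up). It also shows the step Karl's point 2) hinges on: the recipient's software has to actually verify the signature, and that is what catches a message altered after it was signed.

```shell
#!/bin/sh
# Added example, not code from the thread: sign a message as S/MIME with
# openssl, verify it, and check that a modified copy fails verification.
# The key, certificate and message below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate standing in for a CA-issued S/MIME cert
# (assumption: a real deployment uses a cert the recipient already trusts).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=alice@example.invalid/emailAddress=alice@example.invalid" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null

# The message to protect (constructed sample).
printf 'Subject: board minutes\n\nThe board approved the budget.\n' \
  > "$WORK/msg.txt"

# Clear-signed multipart/signed output, readable by any S/MIME-capable client.
SIGNED_MSG="$WORK/msg.signed"
openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
  -inkey "$WORK/alice.key" -out "$SIGNED_MSG"

# A copy altered after signing, as could happen on any relay it sits on.
TAMPERED_MSG="$WORK/msg.tampered"
sed 's/approved/rejected/' "$SIGNED_MSG" > "$TAMPERED_MSG"

# verify_message FILE: exit 0 only if the signature checks out against the
# sender's certificate; the recovered plaintext is discarded here.
verify_message() {
  openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
    -out /dev/null 2>/dev/null
}

if verify_message "$SIGNED_MSG"; then echo "original: signature OK"; fi
if ! verify_message "$TAMPERED_MSG"; then echo "tampered: verification FAILED"; fi
```

The verification step is the whole value of the signature: if the receiving client skips it, or the user dismisses its warning, the tampered copy is indistinguishable from the original. Encryption (`openssl smime -encrypt` with the recipient's certificate) is a separate step and, as the thread notes, only helps when the other side can decrypt with the same standard.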
