--
What email encryption is actually in use?
When I get a PGP encrypted message, I usually cannot read it --
it is sent to my dud key or something somehow goes wrong. When
I send a PGP encrypted message in reply, stating the problem, I
seldom receive an answer, suggesting that the recipient cannot
decrypt my message either. Kong encrypted messages usually
work, because there is only one version of the program, and key
management is damn near nonexistent by design, since my
experience as key manager for various companies shows that in
practice keys just do not get managed. After I release the next
upgrade, doubtless fewer messages will work.
The most widely deployed encryption is of course that which is
in Outlook -- which we now know to be broken, since
impersonation is trivial, making it fortunate that seemingly no
one uses it.
Repeating the question, so that it does not get lost in the
rant. To the extent that real people are using digitally
signed and/or encrypted messages for real purposes, what is the
dominant technology, or is use so sporadic that no network
effect is functioning, so nothing can be said to be dominant?
The chief barrier to use of Outlook's email encryption, aside
from the fact that it is broken, is the intolerable cost and
inconvenience of certificate management. We have tools to
construct any certificates we damn well please, though the root
signatures will not be recognized unless the user chooses to
put them in. Is it practical for a particular group, for
example a corporation or a conspiracy, to whip up its own
damned root certificate, without buggering around with
VeriSign? (Of course fixing Microsoft's design errors is
never useful, since they will rebreak their products in new
ways that are more ingenious and harder to fix.)
I intended to sign this using Network Associates command line
pgp, only to discover that pgp -sa file produced unintelligible
gibberish, that could only be made sense of by pgp, so that no
one would be able to read it without first checking my
signature.
I suggest that Network Associates should have hired me as UI
design manager, or, failing that, hired the dog from down the
street as UI design manager.
Presumably the theory underlying this brilliant design decision
was that in the bad old days, a file produced under Unix would
not verify under Windows because of trivial differences such as
the fact that whitespace is expressed slightly differently.
Here is a better fix, one that I implemented in Kong: Define
several signature types with the default signature type
ignoring those aspects of the message that are difficult for
the user to notice, so that if a message looks pretty much the
same to the user, it has the same signature, by, for example,
canonicalizing whitespace and single line breaks, and treating
the hard space (0xA0) the same as the soft space (0x20), and
so on and so forth.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
OmUO5eB/pLnuFIgCU2splCvKO4x0U1Ik31pVFPaU
49B5UrVKc5ETzoxGcfl+q9ltoh61l4ncSyE+R5h6P
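
The whitespace-insensitive signature type described in the message above can be sketched as follows. This is an added example, not part of the original post and not Kong's code: the exact canonicalization rules, the type names "exact" and "visual", the use of SHA-256 and the sample messages are all assumptions, and only the digest a signature would cover is computed, not the signature itself.

```python
import hashlib
import re

NBSP = "\u00a0"  # hard space (0xA0)

def canonicalize(text: str) -> str:
    """Reduce a message to what a reader would see as 'the same text'."""
    # Unix, Windows and old Mac line endings all become "\n".
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    # Hard space and tab are treated the same as the soft space (0x20).
    text = text.replace(NBSP, " ").replace("\t", " ")
    # Blank lines separate paragraphs and are kept as a single break.
    paragraphs = re.split(r"\n(?: *\n)+", text)
    # Inside a paragraph, single line breaks and runs of spaces are only
    # wrapping, so every whitespace run collapses to one space.
    collapsed = [" ".join(p.split()) for p in paragraphs]
    return "\n\n".join(p for p in collapsed if p)

def digest(text: str, sig_type: str = "visual") -> str:
    """Return the SHA-256 hex digest a signature of sig_type would cover."""
    if sig_type == "exact":        # hypothetical type: raw text, byte for byte
        data = text
    elif sig_type == "visual":     # hypothetical default: canonical form
        data = canonicalize(text)
    else:
        raise ValueError(f"unknown signature type: {sig_type}")
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

# Constructed sample messages (not from the original post).
UNIX_COPY = "Meet at noon.\nBring the keys.\n\nSecond paragraph here.\n"
WINDOWS_COPY = ("Meet at  noon.\r\nBring the\u00a0keys. \r\n\r\n"
                "Second paragraph\r\nhere.\r\n")  # CRLF, rewrapped, hard space
ALTERED_COPY = UNIX_COPY.replace("noon", "nine")  # a change the reader can see

if __name__ == "__main__":
    for name, msg in [("unix", UNIX_COPY), ("windows", WINDOWS_COPY),
                      ("altered", ALTERED_COPY)]:
        print(name, digest(msg, "exact")[:16], digest(msg, "visual")[:16])
```

The "visual" type suits ordinary prose only: for content where whitespace carries meaning (source code, patches, Makefiles), two texts with the same visual digest can behave differently, so a byte-exact type should be used there.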