Eddy Nigg wrote:
Getting a certificate happens at some CAs already during the registration process (cough, cough).

This is an interesting point, which I think supports at least some of Ian's arguments. What you've done is to provide a real incentive for users to get client certificates, certificates that can then be repurposed for S/MIME email or other uses.

IMO, in general there is little or no a priori reason for a typical (non-corporate) user to get a client certificate for S/MIME use. Even though it may take only a small effort to get the cert, getting a client cert is not necessarily justifiable given the uncertain benefits of having one, especially if none of your friends and other correspondents have one. (It's the network effect in reverse.)

But in this case users are willing to go through the minor hassle of getting a client cert because they're motivated to get those super-duper free SSL certificates, and they need the client cert to access the administrative interface. It's a clever way of getting around the problem.


Considering the number of public client certs stored in my TB, it seems that many of the somewhat more technically oriented audience are A) able to use it, B) actually using it. And not all of them are geeks either.

With all due respect, this is merely anecdotal evidence. IMO the only two metrics of interest for S/MIME email are a) the fraction of email users who have personal certs usable for S/MIME; and b) the fraction of all email messages that are sent using S/MIME. I don't happen to know of any authoritative studies on this.

S/MIME is an easy-to-use solution to encrypt mail, sufficiently secure, provides reasonable protection and is easy to obtain (free client certificates are all over - Verisign, Thawte, StartCom, Comodo and perhaps more).

To be clear, I don't think that S/MIME email is irreparable. I think it could benefit from an improved UI in products like Thunderbird and more attention to making the initial "bootstrapping" process more automatic and invisible. (For example, when a user gets a certificate, have Thunderbird automatically offer to send a signed message with the cert to all people to whom you've sent mail, or all people in your address book, or whatever.) And as noted above, I think a fundamental problem is providing more incentives for users to get client certs, particularly outside the context of S/MIME proper. (For example, have some interesting web service that uses client certs for authentication.)

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto