On Thu, May 23, 2019 at 12:49 PM Mick <michaelkintz...@gmail.com> wrote:
>
> On Thursday, 23 May 2019 16:40:23 BST Dale wrote:
> > Howdy,
> >
> > I'm trying to get some legal work done.  I'm trying to do this over
> > email with a lawyer.  For obvious reasons, I want to do this encrypted
> > but suspect they are not set up for this.
>
> Have you asked them?  If they have some setup they use to ensure client
> confidentiality and data privacy, you'd be much better off to jump onto their
> system, rather than trying to negotiate the configuration of PGP and S/MIME
> with legal staff who may have zero technical capability and poor/uncooperative
> IT support.

++

From what I've seen these sorts of systems are usually just security
theater, such as emailing you a link to go to an SSL website to view
the "secure" message, never mind that somebody else could do the same
thing if they intercepted your email.  But, it probably satisfies some
box-checker because the actual message is transmitted over SSL.

I think this is probably the best you're going to do if you're not
communicating with people who get crypto, which is just about
everybody.

Otherwise the rest of the email already covered some of the details.
You can just add multiple identities to a single GPG key or x509
certificate, but if they aren't already using PKI/etc that seems like
a huge uphill battle.

I think a corporate environment is much more likely to be using
S/MIME/etc than GPG.  When I've seen these there is usually a central
CA that has some way to systematically assign certificates to
employees.  Often this is only done on request.

Law firms are also notoriously bad at IT from what I've seen.  I know
a lawyer or two and many of these firms just let every partner do
things their own way, and their individual staff follow the partner's
lead.  They're as bad as doctors, especially since the whole EMR thing
hasn't hit lawyers in the same way.

-- 
Rich
