Signed, sealed and delivered

Signed, sealed and delivered

Few organizations send confidential information on postcards. Credit card statements, medical records, job offers and personal correspondence are invariably sealed in envelopes before they are sent.

But few organizations have adopted similar measures for protecting mail sent over the Internet. Techniques for digitally signing and sealing electronic communications have existed for nearly two decades, yet their adoption has been wretchedly inadequate.

Privacy Enhanced Mail (PEM) was the first attempt by the Internet Engineering Task Force at standardizing the way encrypted mail is sent and received. But while hundreds of engineers created standards and demonstration software, the system was never widely deployed.

That's when Phil Zimmermann, a computer programmer in Colorado, US, decided to take matters into his own hands and create his own e-mail encryption system. Called Pretty Good Privacy (PGP), it was released on the Internet in 1991.

RSA was best known as a purveyor of encryption toolkits -- its software was at the basis of the SSL encryption built into Netscape's first Web browser and used a system called S/MIME. Unlike PGP, S/MIME was designed for use worldwide. Today, S/MIME has emerged as the standard of choice for e-mail encryption.

With most S/MIME-enabled mail clients, you can simply click a button labelled "sign" and the message will be signed with the certificate in your private key. Click "encrypt" and the message is automatically encrypted with the public key of the recipient. What could be easier?

But despite the apparent simplicity of today's S/MIME implementations, most e-mail is not encrypted.

With any encryption system based on the RSA encryption algorithm, before you can send somebody an encrypted message, you need to have that person's public key. The problem with S/MIME is that creating your own key is not enough -- you also need to have it digitally signed by a so-called certification authority that can assert that your public key actually belongs to you.

Sadly, this emphasis had the effect of creating a system that is harder to use for everybody else. But even organizations that have deployed personal certificates as part of a broad PKI initiative have run into problems with S/MIME.

A different approach is super-trusted third parties that automatically create a key whenever you try to send an e-mail message to somebody who is not in the system.

I believe that encrypted e-mail will become ubiquitous once basic usability problems have been worked out. What's needed is making the sending of sealed electronic mail as easy as sending an electronic postcard.

Simon Garfinkel is a technology writer for CSO magazine:

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Internet Engineering Task ForcePGP

Show Comments