[Top] [All Lists]

RE: Goal for S/MIME 2007?

2007-01-21 21:52:57

I'm more in agreement with Anders on this issue than not. In particular:
- Client certificates are [still] uncommon

You think so? In some countries in Europe, everyone has one through a
chip in their identity card. In some countries, every medical
professional has several of them. Some Fortune-100 companies provide
them to every employee.

I really don't see client certificates being used much. My Amex Blue card has a 
cert on it. Maybe even more that one. But I can do exactly two things with 
these certs: Jack and squat. So the existence of certs isn't necessarily an 
indicator of their existence in a useful way.
The US Department of Defense has issued client certs certs to roughly 5 million 
users, and they still can't be used for much. If the DOD ever gets the $5 
billion or so that they've asked for to PKI-enable applications, these certs 
may be put to use, but that funding doesn't seem to be coming any time soon. 
The US government has spent over $1 billion on PKI so far, and has very little 
to show for it. I understand the political need to keep PKI engineers at 
government contractors employed, but $1 billion really seems like a lot of 
The cost of using client certs can be painfully high. One study that I read 
estimated that the TCO for using a cert for e-mail was $816 per user per year. 
Ouch. That kind of cost is usually a bit tough to justify. Maybe that's why 
certs are really not that popular, at least as we're probably talking about 
here. If you use Windows, you may be using a cert without even knowing it, for 
example, but I don't think that the intent of the original comments.

- Encryption at the desktop by consumers does not work

What makes you think so?
I believe this one also. Studies of the US DOD PKI have shown that the vast 
majority of key recovery is done because of lost or forgotten passwords. 
Without this capability, the home user is a bit stuck. With it, you've got 
significant support costs. 
Usability of encryption has gotten better but it's still not very good. The 
famous "Why Johnny Can't Encrypt" was followed by the more recent (2006, IIRC) 
"Why Johnny Still Can't Encrypt," that showed that usability still has a long 
way to go. Poor usability equals high support costs, which in turn means no 
business case to use the technology. 

- Trusted third-parties is the norm (from your employer to Google)
- You cannot send an encrypted e-mail to the IRS and you probably never will

You want to bet? If IRS's in other countries can do it, why wouldn't
the IRS in the US do it in the near or not so near future?
I don't see this happening any time soon. The dead horse of usability is now 
probably sufficiently beaten by my comments above, so I won't further defile 
the body. 
Instead of issuing certs to people, it might actually be cheaper for the IRS to 
use its FedEx account number as a sort of public key that lets people get 
documents to them in a secure way, just without using the S/MIME standard. 

- e-mail encryption is incompatible with many organizations' internal policies

What are you referring to? We see the opposite being true in every
company we talk to.

Most businesses like to filter e-mail for spam and other annoyances, which is 
fairly difficult to do with encrypted e-mail. That's a fairly common request. 



<Prev in Thread] Current Thread [Next in Thread>