I'm more in agreement with Anders on this issue than not. In particular:

>> - Client certificates are [still] uncommon
>
> You think so? In some countries in Europe, everyone has one through a
> chip in their identity card. In some countries, every medical
> professional has several of them. Some Fortune-100 companies provide
> them to every employee.

I really don't see client certificates being used much. My Amex Blue card has a
cert on it. Maybe even more than one. But I can do exactly two things with
these certs: Jack and squat. So the existence of certs isn't necessarily an
indicator of their existence in a useful way.
The US Department of Defense has issued client certs to roughly 5 million
users, and they still can't be used for much. If the DOD ever gets the $5
billion or so that they've asked for to PKI-enable applications, these certs
may be put to use, but that funding doesn't seem to be coming any time soon.
The US government has spent over $1 billion on PKI so far, and has very little
to show for it. I understand the political need to keep PKI engineers at
government contractors employed, but $1 billion really seems like a lot of
money.
The cost of using client certs can be painfully high. One study that I read
estimated that the TCO for using a cert for e-mail was $816 per user per year.
Ouch. That kind of cost is usually a bit tough to justify. Maybe that's why
certs are really not that popular, at least as we're probably talking about
here. If you use Windows, you may be using a cert without even knowing it, for
example, but I don't think that's the intent of the original comments.

>> - Encryption at the desktop by consumers does not work
>
> What makes you think so?

I believe this one also. Studies of the US DOD PKI have shown that the vast
majority of key recovery is done because of lost or forgotten passwords.
Without this capability, the home user is a bit stuck. With it, you've got
significant support costs.
Usability of encryption has gotten better but it's still not very good. The
famous "Why Johnny Can't Encrypt" was followed by the more recent (2006, IIRC)
"Why Johnny Still Can't Encrypt," which showed that usability still has a long
way to go. Poor usability equals high support costs, which in turn means no
business case to use the technology.

>> - Trusted third-parties is the norm (from your employer to Google)
>> - You cannot send an encrypted e-mail to the IRS and you probably never will
>
> You want to bet? If IRS's in other countries can do it, why wouldn't
> the IRS in the US do it in the near or not so near future?

I don't see this happening any time soon. The dead horse of usability is now
probably sufficiently beaten by my comments above, so I won't further defile
the body.
Instead of issuing certs to people, it might actually be cheaper for the IRS to
use its FedEx account number as a sort of public key that lets people get
documents to them in a secure way, just without using the S/MIME standard.

>> - e-mail encryption is incompatible with many organizations' internal policies
>
> What are you referring to? We see the opposite being true in every
> company we talk to.

Most businesses like to filter e-mail for spam and other annoyances, which is
fairly difficult to do with encrypted e-mail. That's a fairly common request.