The problem of messaging security right now is very similar to the problem
we had early on with stopping spam. Whenever someone proposed a solution to
problem X, they would be drowned out by a chorus of people saying that the
REAL problem is Y and then someone would insist it is Z and then someone
would demand that the solution work in zero gravity.
There are many problems to be solved with messaging security and I think
they are all solvable *in time*. There are problems that can be solved
right now and there are problems that we can't address for a couple of
years when some critical Intellectual Property is no longer encumbered. And
there are problems that can't be solved without completely re-doing the
messaging infrastructure.
So here is the problem I have been working on recently. At the start of
this thread Fred complained that he has a list of people's PGP keys and
email addresses but can't send them encrypted mail. I have a PGP key on one
of the key servers but I tell people not to use it because I don't have the
private key. I installed a plug in, started the program and it uploaded the
key to a server without asking me and didn't tell me how to delete it
either. And it turns out that isn't possible.
We can't get everyone using encrypted mail if we design products for
outselves, like Fred pointed out. But another part of the problem is that
these days we all have multiple devices and neither OpenPGP nor S/MIME has
any mechanism that is suitable for managing that situation.
No copying my private key file about is not a solution. A private key that
is installed on more than one machine should be rolled over regularly. By
which I mean once a month. So using fingerprints of public application keys
isn't going to be an answer either.
My point here is that the email security apps are not currently usable and
there is no way to make them usable without standards support to automate
the administrative tasks that are dumped onto the user.
Which is what I have been building the Mathematical Mesh (MMM) to address.
I have released the code:
http://sourceforge.net/projects/mathematicalmesh/
Next week I will be working on some demonstrations. The bottom line is that
any time that the user is given a set of instructions to follow, that set
of instructions should be given to the computer instead as code.
The prototype runs on windows and will configure unmodified Windows Live
Mail to use S/MIME without the user needing to do anything other than say
which applications they want to secure.
The same approach can be applied to OpenPGP. But rather more interestingly,
it can be applied to SSH as well and the same tool that simplified
management of cryptographic configuration can be used to simplify network
configuration as well.
PHB