Louis,
Not only does it make a great deal of sense to ask users what they want,
it's an essential part of building something they'll want. We don't have
to use technical terms when we talk to them. They know whether they're
more concerned about snoops or fakes. Privacy helps protect us from
snoops. Authentication helps protect us from fakes. Our users easily
understand the difference and know which is more important. I'll bet
yours would too if you'd ask them.
As for the rest, send flames via personal mail, Louis. I'm beginning to
think we need an acronym here: SFVPM. And yep, you were wrong in your
assumption.
Doug

Doug:
You talk a good marketing game; I especially like your ability to explain
things without fancy technical jargon. But you don't play the game very
well. You have:
a) polled a group of developers rather than potential customers.
b) asked them what primary functionality they require.
c) confused that primary functionality with the full set of
services required to deliver that functionality.
Please try the following: tell your potential customers (not us) that you
have a product that encrypts their messages so securely that only individuals
with the correct key can recover the message. Tell them that you are so
sure of your product that you are willing to guarantee them all damages
up to $XXXX billion dollars if a message is ever decrypted without prior
possession of the key. And tell them that the only minor hitch in your
product is that you don't really have any idea who has this key, and can't
be held responsible if it's not the correct individual. For this is what
you get with on-line key management and no authentication.
I know what the response will be. This has led virtually every developer
looking at email security enhancements, including those who responded
"privacy" in your poll (excluding yourself, of course), to come to the
following conclusions:
No Authentication + encryption = worthless
Authentication + No encryption = useful for EDI
Authentication + Encryption = of general use.
Of the possible combinations that have merit, both require authentication;
encryption is "optional" depending upon the application. This is why
every protocol for security enhanced email from Lotus Notes to X.411 to
MSP and PEM requires authentication but makes encryption optional. Even
when the menu option just says "encrypt" and doesn't mention authentication,
the message will be authenticated.
Are you perhaps confusing a protocol with a product?
Charlie Watt
SecureWare, Inc.