[cryptography] Security Pop-Up of the Day
Joe St Sauver
joe at oregon.uoregon.edu
Wed Sep 21 17:27:56 EDT 2011
#> When smime.p7s files start getting stripped, there goes yet another
#> potentially critical piece of security technology.
#All email client vendors had to do to give smime a chance in life was to
#make it easy to generate and use a cert. Automatically. Add an
#account, generate a cert. The rest can follow in due course...
Well, its obviously not quite that easy yet, but users can currently get
a free client cert by visiting a web page and filling out a form, and
then clicking on a link. That part is relatively easy (and arguably easier
than installing GPG and Enigmail (for example), and generating PGP keys
and getting them signed, and submitting them to a keyserver, etc.)
Where things get ugly is after the user has gotten their client cert, and
then needs to manually incorporating the client cert into their web browser
or MUA or hardware token or smart card or whatever. I show the process for
configuring Thunderbird on the Mac (by way of example) on a one sheet/two
I've tested that document with a random selection of folks, and all were
able to do it, FWIW.
So yes, there is a bit of nastiness up front, but it's one time only, and
nothing that can't be overcome if the user is willing to give it a shot.
#Dunno why, but the architecture seems to be an exercise in won't work.
#Is it possible that nobody really wanted smime to work?
Well, consider the large free web email providers. If their business
model is "we're going to sell contextual ads to pay for the service,"
about the only "context" you get for S/MIME-encrypted mail is the
content of the message's subject plus the header info. That's often
fairly meagre gruel. It is thus perhaps not surprising that Gmail
isn't pushing S/MIME encryption routinely as part of their product.
On the other hand, I don't see them interfering with Penango, a nice
third party S/MIME plugin for Gmail. That said, their non-interference
might be the ultimate commentary that current levels of adoption of
S/MIME for encryption represents absolutely no threat to their core
contextual ad business model, unfortunately. :-(
Disclaimer: all opinions strictly my own
More information about the cryptography