[148251] in cryptography@c2.net mail archive


Re: [Cryptography] Email is unsecurable

daemon@ATHENA.MIT.EDU (Nico Williams)
Mon Nov 25 17:01:06 2013

X-Original-To: cryptography@metzdowd.com
Date: Mon, 25 Nov 2013 14:28:39 -0600
From: Nico Williams <nico@cryptonector.com>
To: ianG <iang@iang.org>
In-Reply-To: <5292E7BB.20601@iang.org>
Cc: Cryptography <cryptography@metzdowd.com>,
	Ralf Senderek <crypto@senderek.ie>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Mon, Nov 25, 2013 at 09:01:31AM +0300, ianG wrote:
> >Yes, but it's about time we do something about that. Do we *exactly know
> >why* it is such a failure?

E-mail has been not secure for... 40 years.  So what?  It works well
enough for a lot of things, and nothing else we've yet seen would work
as well for some uses (e.g., fora like this one).

It'd be better to incrementally deploy more secure protocols for
specific use cases (IM, video chat, ...) and move use cases off of email
where/as possible.  In fact, we're doing that all the time: with web
services and IM for example.

E-mail generally cannot be secured, I think this is true.  The
anonymization concepts discussed in this forum theoretically work, but
they aren't likely to be widely adopted.

And as to mass-adoption keep in mind that only a few thousand (or a few
tens of thousands) of people at most can really be expected to review/
audit/build/run their software stacks.  Which is to say that pretty much
everyone will necessarily be running bits subject to backdooring.  It
might be interesting to consider cross-border commercial certifications
for software stacks, but I doubt those would be feasible for a long
time, and to be meaningful they'd have to include certifications from a
variety of countries, some friendly and some hostile to the end-user's
(not that that matters, for as we all know, Oceania hasn't in fact
always been at war with Eastasia).

(Among other things, certifications are massively expensive, in large
part due to their opportunity costs, some of them relating to their very
negative impact on development schedules.  End-users aren't going to pay
for them.)

Nico
-- 
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
