How to make secure email easier to use

Cryptographically protected email has a justly deserved reputation for being difficult to use. Based on an analysis of the PEM, PGP and S/MIME standards and a survey of 470 merchants who sell products on Amazon.com, we argue that the vast majority of Internet users can start enjoying digitally signed email today. We present suggestions for the use of digitally signed mail in e-commerce and simple modifications to webmail systems that would significantly increase the integrity, privacy and authorship guarantees that those systems make. We then show how to use the S/MIME standard to extend such protections Internet-wide. Finally, we argue that software vendors must make minor changes to the way that mail clients store email before unsophisticated users can safely handle mail that is sealed with encryption.
