The state of secure Internet e-mail standards and products might be best described as that of a sucking chest wound. There are no technologies that are multi-vendor or interoperable. None have been approved or endorsed by the Internet’s standardization body. What is the cause of this grim state?
First off, the so-called standards are in a state of flux. There are two different sets, one called Secure MIME (S/MIME) and another that arose from a product called Pretty Good Privacy (PGP). Having yet to be endorsed by the requisite international Web standards organizations, neither set can be called a true standard. Of course, the banner ads on the S/MIME Central Web site go a long way to dispelling the purity of the group’s global good will.
Second, the products suck. I had trouble up and down the secure product food chain, starting with an attempt to obtain a certificate for my e-mail software and ending with an attempt to exchange encrypted messages between different products. Certificates are used by all secure products to authenticate a sender’s identity to his or her correspondents and to encrypt and decrypt the messages. For encryption to work, trust must be established between the correspondents’ certificates to determine whether or not they are privileged correspondents. There are different mechanisms for establishing this trust relationship. One way is to use an independent certificate authority such as Verisign or Thawte.
The latest browsers from Netscape and Microsoft are equipped with special routines that go to these and other Web sites, which verify the user’s identity and offer secure certificates either for free or for a small fee. However, getting certificates is just the beginning. What follows is the rather intricate multiple-step process that makes encrypted e-mail work:
1. Choose which of the two competing technologies (and specific e-mail software) you wish to use for your encrypted correspondence.
2. Choose whether you want to sign your messages digitally, encrypt their entire contents or both.
3. Choose an enterprise certificate authority and set up the appropriate server software or obtain a certificate from a public authority.
4. Enroll with the certificate authority and obtain an encryption certificate or key for a particular machine and a single e-mail address.
5. Exchange keys with your correspondents and arrange for the keys to be stored on your machine.
6. Encrypt and decrypt messages.
I had all sorts of trouble getting two different products to recognize each other’s encryption methods, directory entries and other components that are supposedly standard. Apparently, I’m not alone: Dan Backman of Network Computing magazine had similar trouble (http://techweb.cmp.com/nc/902/902r2.html).
Which brings me to the next issue: the initial software setup is excruciating. In one case, I was never able to get the certificate to work properly within my browser, although the software said it worked successfully and my credit card was charged the requisite $9.95! Verisign will continue to charge me $9.95 each year, unless I can get this certificate canceled or working, whichever comes first.
Cryptographic algorithms have evolved as computers have gotten better at cracking them. The US government has muddied the waters by placing restrictions on what kinds of algorithms can be exported outside the country, and as a result products have had to offer different versions for domestic and foreign usage. Not all government agencies are singing the same tune when it comes to cryptography, with differing points of view on how to properly encrypt messages. This has created all kinds of confusion, and trying to keep track of which version you can use legally is a chore for user and vendor alike.
Encrypted messages that pass through e-mail gateways may get mangled because the gateway doesn’t understand the encoding and tries to convert the message into another language, inadvertently corrupting the message and making it indecipherable to the recipient. This is complicated even further because today’s messages are no longer simply text: graphics, HTML tags and video can complicate how messages are encoded and decoded.
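The six-step process listed earlier and the gateway failure just described can be walked through with the `openssl smime` command. This is an added example, not from the original column: the correspondents alice and bob, the example.test addresses, the self-signed certificates standing in for a certificate authority, and the character-rewriting "gateway" are all assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example: S/MIME sign-then-encrypt round trip with the openssl CLI.
# Correspondents, addresses, message text and file names are constructed.
set -eu

smime_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  # Steps 3-4: each correspondent gets a key pair and a certificate
  # (self-signed here, standing in for a certificate authority).
  for who in alice bob; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$who/emailAddress=$who@example.test" \
      -keyout "$who.key" -out "$who.crt" 2>/dev/null || exit 1
  done
  printf 'Meet at noon.\n' > msg.txt

  # Steps 2, 5, 6 (sender): Alice signs with her key, then encrypts the
  # signed entity to the certificate Bob handed her.
  openssl smime -sign -text -in msg.txt -signer alice.crt \
    -inkey alice.key -out signed.eml || exit 1
  openssl smime -encrypt -aes256 -in signed.eml -out enc.eml bob.crt || exit 1

  # Step 6 (recipient): Bob decrypts with his key, then verifies the
  # signature against the certificate Alice handed him.
  openssl smime -decrypt -in enc.eml -recip bob.crt -inkey bob.key \
    -out dec.eml || exit 1
  if openssl smime -verify -text -in dec.eml -CAfile alice.crt \
       -out out.txt 2>/dev/null &&
     [ "$(tr -d '\r' < out.txt)" = "Meet at noon." ]
  then clean=verified; else clean=failed; fi

  # Gateway (simulated): rewrite characters in the body without
  # understanding that it is base64; headers are left alone.
  sed '/^$/,$ y/ABCDEF/abcdef/' enc.eml > mangled.eml
  if openssl smime -decrypt -in mangled.eml -recip bob.crt \
       -inkey bob.key -out bad.eml 2>/dev/null && cmp -s bad.eml dec.eml
  then gateway=intact; else gateway=corrupted; fi

  cd / && rm -rf "$d"
  echo "clean=$clean gateway=$gateway"
)

smime_demo   # prints: clean=verified gateway=corrupted
```

The untouched message decrypts and verifies, while the copy that passed through the simulated gateway can no longer be recovered by the recipient.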




