mwood at IUPUI
Oct 18, 2011, 6:42 AM
Post #16 of 80
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
> At any rate, I would love to see more client-to-client encryption in email.
> I've always wondered if there could be an "OTR" approach to mail, somehow,
> so people don't need to generate and manage their own sets of keys, as that
> seems to be the largest hinderence to widespread adoption. The only thing
> the user should do, is compose the mail, hit send, and everything is
> handled with very minimal user interaction.
"Three can keep a secret, if two of them are dead."
If your computer holds the ultimate secret, anyone who can control the
computer can use that secret. The user *must* be actively involved.
We can remove *needless* complexity, but security could be said to be
the art of *introducing* specific complexity that's a lot worse for
the attacker than it is for you. It can't be automagical.
Anyway, key generation is already automated. All you have to do is
(1) choose to employ crypto, and (2) supply a passphrase that you can
remember. There are even methods and tools to help you do (2)!
To be secure without being involved in the process is an unreasonable
expectation which can never be met. We need to teach our kids to
expect to protect themselves online the same way we teach them to look
both ways before crossing the street. Probably at the same age.
Otherwise they'll grow up to believe the hype that you can buy
security the same as buying bread.
Mark H. Wood, Lead System Programmer mwood [at] IUPUI
Asking whether markets are efficient is like asking whether people are smart.