You have cut up my comment in a way that makes it look like I am 
saying something different from what I intended. I am not saying 
S/MIME as implemented in Outlook or Netscape is hard to use in 
general. On the contrary, I think it is a shame that secure e-mail 
clients are on most people's desktops and are not being used.

What I am saying is that it is way too hard to initially establish a 
secure link between two individuals who know each other. That is the 
most common need for individual users. I write Dummies books (e.g. 
E-mail for Dummies, Internet for Dummies Quick Reference, ...) so 
these people, not corporate users, are my customers and my area of 
interest.  Asking two individuals who want to correspond in private 
to each get a Thawte cert is far too much to ask.  It should not be 
much harder for two individuals to exchange keys than it is to get on 
each other's AOL buddy lists. The right tool for key exchange could 
make it that easy.

At the moment, Thawte makes getting a cert harder than it needs to 
be. Go to www.thawte.com and you have to wade through three pages of 
gobbledygook before you even get to the registration page.  I am not 
talking about the CPS, just the initial pages. Take a look. But even 
if Thawte got its act together, I have a hard time understanding why 
people have to give a corporation their date of birth and social 
security number just so they can correspond in private with a friend. 
Then there is the question of just what legal obligations you are 
undertaking when you get a Thawte cert.  Most users cannot protect 
their private keys from theft. What is your liability if it is 
stolen? There is no need for people to have to deal with that 
exposure just to have private e-mail.

The biggest challenge I face in my work is comprehending just how 
confusing our world of computers and networks is to people without a 
technical background. Certs are way over their heads. PGP is far from 
being simple enough but at least it handles the simple case of two 
people wanting privacy. I agree that PGP has limitations in verifying 
identity or enabling digitally signed contracts.  I am not even sure 
that either is in consumers' interests, particularly in the absence 
of mechanisms to fully protect their private keys. In any case, 
identity and privacy are two separate problems. Remember what the 
initials PGP stand for.


Arnold Reinhold

P.S. I love the Windows interface. It sells my books. Exercise: Write 
a step by step description of transferring a file from a removable 
disk to a folder on the hard drive in Windows. Now do the same thing 
for a Mac.



At 11:17 PM -0500 3/5/2000, Phillip Hallam-Baker wrote:
>>I think the problem with S/MIME is that it violates a major principle
>>of software usability: make the most commonly performed tasks the
>>easiest to accomplish.
>
>You find clicking on the little icons difficult?
>
>This is just more of the same - parroting out some slogan you
>read in some book in the hope it might be applicable. The
>fact that you make the accusation tends to imply that you
>have never used S/MIME.
>
>I note that you are not signing your emails with PGP, whereas
>I sign every one of my messages with S/MIME (except for those
>I send from the PalmVI or RIM which I don't yet have an S/MIME
>client for).
>
>I sign every one of my messages because S/MIME makes that easy.
>Anyone who is reading the message with a recent edition of a major
>email client (except Eudora) can check the signature without
>downloading the plug-in.
>
>Is this about persuading as many people as possible to use strong
>crypto?
>
>
>> Most people who want e-mail security have
>>one or a few correspondents with whom they wish to exchange
>>e-mail in secrecy.
>
>Most corporations want to deploy S/MIME to employees' desktops
>without the employees having to think very much about the process.
>
>Going to the Thawte server to get a free 12 month cert is hardly
>a difficult process.
>
>
>>  S/MIME, at least as widely implemented, makes
>>doing that hard,
>
>That is your personal opinion, not a statement of universal fact.
>
>I would regard it in the same category as people who say that
>'Macintosh is easy to use', meaning 'it is what I am used to
>and what I find easiest to use'.
>
>I personally think the Mac user interface sucks, especially
>the mechanism for ejecting disks. Go round the MIT AI lab and
>I guarantee you that where you find a Mac, an unwrapped
>paperclip for popping out disks and CDROMS is not far away.
>
>
>In the same fashion, I find explaining the Web of Trust idea
>to folks who are not highly computer literate a challenge to
>say the least.
>
>To claim that there is such a substantial difference in ease
>of use between S/MIME and PGP that one is unusable is simply
>ridiculous.
>
>PGP is in my view popular with people who want to have absolute
>control over their environment - even if that is at the expense
>of security. To use PGP securely, one pretty much has to only
>use keys signed by people you know are meticulous in checking
>credentials. In my case that means I only use keys signed by
>Jeff Schiller. Now I have the advantage of actually knowing Jeff,
>but for the life of me I can't see the scalability in that
>solution. What do I do if I want to speak to someone who hasn't
>yet met Jeff - buy them an air ticket to Cambridge MA so they
>can meet him?
>
>
>As you say, it would be quite easy to write an S/MIME key signing
>tool, CAPI provides all the necessary functionality, it just
>needs a UI.
>
>PGP is unfortunately not scalable to commercial usage. It is
>therefore only a partial solution for a restricted community.
>There is absolutely no way that PGP could provide a PKI structure
>to support applications such as Identrus or ANX. Unfortunately
>PGP is only about privacy. PGP does not provide any meaningful
>or useful statement about identity. The integrity capabilities
>of PGP are as a result not useful if one wishes to provide any
>degree of assurance with respect to the enforcement of digitally
>signed contracts.
>
>
>               Phill
