Eric Hughes writes:
It has become clear from the discussions on the list here that the first step should be encrypted e-mail. Unfortunately, mail is not homogeneous; there is no one place to push on the mail system to add encryption.
I may disagree with this (I say, "I may" as there are many sides to this compicated issue, but the side I currently agree with I will state here) and I hesitate to bring this up as I don't want to slow down the (imo) much-needed development of encrypted mailers. But I think that an approach may exist that has better long-term consequences than the one that advocates shoe-horning PGP into every mailer. There is an attempt to to create a new mail standard on top (or next to) the current so-called RFC-822 mail standard that will allow multi-part typed messages. This proposed standard, known as MIME (for Multipurpose Internet Mail Extensions) is nearly complete and will allow rich text, binary and other formats to be included in a single internet mail message. There has been a disagreement between the PEM (Privacy Enhanced Mail) and MIME communities as to which should be integrated into the other; simply put, the PEM folk feel that you simply encrypt an entire MIME message, and the MIME folk think that PEM messages are just another one of the many types of content parts that a MIME message can contain. I tend to agree with the latter camp, as it appears to be more flexible. For example, what happens if I wish to start communications with someone using a different standard than PGP (gasp - they may be using RSA's mailsafe), or even a newer, perhaps incompatible version of PGP? Or maybe I want to send them a message partly encrypted and partly in the clear? MIME is designed to handle these scenarios (and more). I must admit that this thought coalesced in my head due to the confluence of two different streams of communications both heading towards this solution at the same time: 1) I asked Steve Dorner (author of the excellent Eudora Macintosh email reader) if he was considering adding encryption to his mailer (specifically PGP) and he replied no, but that he was integrating MIME into it; 2) The pem-dev email list, which has been discussing threads on PGP and MIME, recently carried an interesting proposal on MIME-PEM integration (though I expect to see the other camp come out with their PEM-MIME integration plan soon!). I think this latter document is excellent reading, and I will forward it in a followup message to this one. By the way, it has a short set of six references that I consider required reading for anyone interested in doing serious work on Internet mailers. In case all this is new to you, I've included at the bottom a blurb from the RFC-index explaining how to find these RFCs and more. My $0.02. Fen ~~~ Many RFCs are available online; if not, this is indicated by (Not online). Online copies are available via FTP or Kermit from NIC.DDN.MIL as rfc/rfc####.txt or rfc/rfc####.PS (#### is the RFC number without leading zeroes). Additionally, RFCs may be requested through electronic mail from the automated NIC mail server by sending a message to SERVICE@NIC.DDN.MIL with a subject line of "rfc ####" for text versions or a subject line of "rfc ####.PS" for PostScript versions. To obtain the RFC index, the subject line of your message should read "rfc index".