-----BEGIN PGP SIGNED MESSAGE----- To: provos@wserver.physnet.uni-hamburg.de, coderpunks@toad.com, cypherpunks@toad.com Date: Fri Aug 09 15:56:37 1996 Niels, Thanks, for describing the features of Pronto Secure :) This is how Pronto Secure matches up to your checklist:
Here is just a short list what such a programm should be able to do: ( all options should be optional ;)
Sending Mail: - Clear signing of outgoing mail YES
- If public key of recipients is known encrypt with those keys YES
- If there is access to a public keyserver try to get a public key for the recipients YES
Receiving Mail: - While reading mail ( similiar to premail ) try to check existing signatures if public key is available otherwise try to get public key from server YES (do on the fly signature checking as mail arrives in inbox)
- Traverse the web of trust and show how the public key is related to one own keys to mutual signatures on other public keys ( For example mean distance to a key signed by the recipient himself ) NO (we handle certification by allowing the user to modify a list of trusted certifiers for signing keys)
- If the mail contains a public key add it to the keyring NO (Key is shown as an attachment icon double click on it adds it to the keyring)
- Don't show pgp blocks in Mail since they might confuse YES
Keymanagement: - Should be integrated in the addressbook together with E-Mail Address and name. YES
- Keys should be imported via generation or via mail or via a file YES (or the clipboard)
- If you have a public key without an entry in the addressbook take the EMail and Name from the public key YES (or prompt user to supply address)
- One should be able to sign the keys during import if origin is known NO (signing keys is a separate process. This gives the user an opportunity to authenticate on another channel)
Misc: - Passphrase should be kept in memory for a definable time, 0 for immediate deletion, thus you would be prompted for the passphrase each time you use it. Question about Windows Swapspace ? or tag the memory as uncacheable ? NO (Keyboard sniffing is too easy to do in Windows, This would give a false sense of security)
I would suggest creating a library with seperate io and gui parts in order to motivate peeple in helping who do not want to support mainstream products like Windows. Like taking the PGP 3.0 lib ( is it out yet ?) and modify it a bit. YES (Separating UI from security functionality is also the right way to go for offering plug in security providers)
Since there are a variety of good functioning mailers available already it wouldn't make sense developing the whole stuff but instead only integrate the library into existing products. NO (It will not be an easy task to design a general library of UI elements that any mail client will be able to seemlessly plug into.)
Do you think that such proposal is senseable and that there are people who would be willing to support the idea with programming affords ?
It exists. Plus a few additional features not mentioned, and a much longer wish-list in the process of being implemented. Check it out. It is available from http://www.commtouch.com/p1.htm IMPORTANT: COMMTOUCH WILL GIVE A FREE COPY OF PRONTO SECURE TO ANY MEMBER OF THE CODERPUNKS/CYPHERPUNKS LISTS SUPPLYING USEFUL FEEDBACK ABOUT THE PRODUCT. The impressions of early users of Pronto Secure can be viewed at: http://www.commtouch.com/testers.htm (many of whom are list members) Regards, Geoff. - --------------------------------------------------------------- Geoff Klein, Pronto Secure Product Manager; www.commtouch.com My PGP public Key 1814AD45 can be obtained by sending a message to geoff@commtouch.co.il with "Get PGP Key" as the subject. - ---------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBMgs1ikLv5OMYFK1FAQGe/gP/RdXtVIwo7aupkJn6X4VNTuNHHymPf9fJ k7FAsONAAP9qbr4UaWzJXxWuvmxLgt5gsMpk6yzp6vY80krQqPf6SqphW7FOjGTq PB05bNLDHm9SRGjVvKRHzGbOr094gkFpeso2C3MeMiDbT0J5gsLJOeMJsIb4NW2A lHZ6e+o535w= =R2jc -----END PGP SIGNATURE-----