What email encryption is actually in use?

David Howe DaveHowe at gmx.co.uk
Tue Oct 1 05:20:28 PDT 2002


at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> was seen to say:
> For encryption, STARTTLS, which protects more mail than all other
> email encryption technology combined.  See
> http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02_slides.pdf
> (towards the back).
I would dispute that - not that it isn't used and useful, but unless you
are handing off directly to the "home" machine of the end user (or his
direct spool) odds are good that the packet will be sent unencrypted
somewhere along its journey. With TLS you are basically protecting a
single link of a transmission chain, with no control over the rest of
the chain.

> For signing, nothing.  The S/MIME list debated having posts to the
> list signed, and decided against it: If I know you, I can recognise a
> message from you whether it's signed or not.
Signing has a limited application - I wouldn't use it routinely other
than to establish an association (key-->poster) early in a conversation,
and then omit it except for things whose source *I* would want verified
if I was receiving it.
It is unusual for me to use a sig outside of encrypt+sign.

> If I don't know you,
> whether it's signed or not is irrelevant.
Depends on the definition of "know". If a poster had a regular habit of
posting at least one signed message every week, and had never protested
that the sigs were faked, then you could assume that the poster whose
sig just cleared is the same as the poster who has been posting for that
time period - mapping that to any real-world individual is more
problematic, but mostly you don't need to. There are plenty of people I
only know online from email exchanges, and in some cases am not even
sure what sex they are :)
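
Added example, not part of the original message: the single-link point above can be checked on a received message by walking its Received headers in delivery order and reading the RFC 3848 "with" keyword each relay recorded. The hostnames and headers below are constructed, and the script assumes relays follow RFC 3848; each header is self-reported by the relay that wrote it, and relays that note TLS only in a comment show up as unmarked.

```python
import email
import re

# RFC 3848 / RFC 6531 "with" keywords that indicate STARTTLS was negotiated.
TLS_PROTO = re.compile(r"^(?:ESMTP|LMTP|UTF8SMTP|UTF8LMTP)SA?$", re.I)
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)",
                 re.S | re.I)

# Constructed sample (not from the original post): three hops, and only the
# first one (client -> relay) was recorded as using TLS.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mailstore.example.net with LMTP id abc123; Tue, 1 Oct 2002 12:20:31 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id def456; Tue, 1 Oct 2002 12:20:30 +0000
Received: from client.example.com (client.example.com [203.0.113.5])
\tby relay.example.org with ESMTPS id ghi789; Tue, 1 Oct 2002 12:20:28 +0000
From: alice@example.com
To: bob@example.net
Subject: test

body
"""

def hops(raw):
    """Return (sender, receiver, protocol, tls_marked) per hop, oldest first."""
    msg = email.message_from_string(raw)
    out = []
    # Each relay prepends its header, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            sender, receiver, proto = m.groups()
            out.append((sender, receiver, proto.upper(),
                        bool(TLS_PROTO.match(proto))))
    return out

def every_hop_marked_tls(raw):
    """True only if at least one hop was parsed and all of them recorded TLS."""
    chain = hops(raw)
    return bool(chain) and all(tls for *_, tls in chain)

if __name__ == "__main__":
    for sender, receiver, proto, tls in hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'no TLS marker'})")
    print("every hop marked TLS:", every_hop_marked_tls(SAMPLE))
```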




