Log in

No account? Create an account
Gavin Greig [userpic]

Why don't more people sign their e-mail?

October 16th, 2008 (03:54 pm)
current location: DD4 9FF

An excellent question posed by tobyaw, and one which I would also like to know the answer to. tobyaw, qidane and I signed up as Thawte Web of Trust notaries a number of years back because there were no notaries in Fife at that time and, as tobyaw notes, we've not had much demand since then for our (free, gratis) services.

It's clear that even among geeks there isn't much interest in using certificates to sign mail, never mind "normal" people, as none of my colleagues use them.

What's the actual benefit of signed e-mail? It's an additional piece of evidence that suggests (it doesn't prove) that the e-mail really did come from the person claimed. My guess is that the reason it's not more popular is that that's a fairly weak statement of benefit. People are usually perfectly happy to accept that e-mail came from the person claimed anyway (although that information can be faked), and if a signed mail isn't proof positive, how does that make things any better?

Well, a solution doesn't have to be complete to offer some benefit. In order to fake an e-mail from someone who doesn't sign their mail, you need to know or guess their e-mail address. In order to fake an e-mail from someone who does sign their mail, you also need a certificate associated with that address, which immediately implies much greater effort and access to that person's secure data. While it's not impossible for that to happen, you can have a significantly greater degree of confidence in the origin of the e-mail.

Currently, people don't value that confidence highly enough to invest effort in getting certificates for themselves, or requesting that others use them. They put more trust in the perceived unimportance of their personal data to others, and in the common sense of themselves and other e-mail recipients in detecting when something ain't right. In a way that's a good thing - common sense will always be required, certificate or no certificate.

Should the uptake of e-mail signing increase? I don't really know. Although I do think it's a good thing, I don't feel strongly enough about it to evangelise! In some ways it wouldn't take much for signing to take off - the support is already there in most software (though not web e-mail), and if it started to become popular it could easily become de rigueur. But for that to happen, there would need to be some pivotal change that may or may not ever come.

As a final aside, I have to say that Thawte aren't helping the cause of e-mail signing with a very poor experience of obtaining a certificate for Outlook on Windows Vista. It's fine on other platforms, and older versions of Windows, but on Windows Vista the process fails and the suggested workaround begins "Switch off the Windows personal firewall...". Not acceptable. As far as I can tell (it's not an area of expertise for me) Thawte have not rewritten their certificate enrollment procedure to use CertEnroll instead of XEnroll.


Posted by: Toby Atkin-Wright (tobyaw)
Posted at: October 16th, 2008 04:11 pm (UTC)

Presumably if you downloaded a certificate using Firefox (or other non-IE web browser of your choice) on Vista, you could then manually import it into Outlook, bypassing the IE problem?

Was amused to note the differences in the title between your post and mine; the apostrophe in “don’t” and the hyphen in “e-mail”.

Posted by: Gavin Greig (ggreig)
Posted at: October 16th, 2008 06:13 pm (UTC)
Robot Maria

You would think so, wouldn't you? I gave it a quick try before posting and couldn't get it to work. It's possible that I overlooked something or made a daft mistake, but even if I did, it doesn't bode well for the average end-user.

I had considered explicitly pointing out your error in spelling "e-mail", but I let it lie. ;-)

Posted by: Marcus L. Rowland (ffutures)
Posted at: October 16th, 2008 05:09 pm (UTC)

Signing is presumably OK if you only ever use one PC and program for email; in my daily routine I generally use at least three, two of them accessing my account via webmail services which as far as i know don't allow signing. Next year I'll be working in two buildings and it will go up to four PCs. And a lot of people don't know what office they'll be in from one day to the next.

Posted by: Gavin Greig (ggreig)
Posted at: October 16th, 2008 06:22 pm (UTC)
Robot Maria

I use two or three machines and have found it mostly manageable, but signing in webmail is pretty much a non-starter, and I'm sure using more machines would also reduce my usage. As with any technology, there'll be some situations - maybe common ones - in which it's impractical.

Thanks for your answer to the question!

Edited at 2008-10-16 06:41 pm (UTC)

Posted by: Nik Whitehead (sharikkamur)
Posted at: October 16th, 2008 06:31 pm (UTC)

I have a certificate but as I generally use Gmail though their webmail interface I don't actually use it.

Hmm... if both of you are Web of Trust notaries then I could get my necessary points to get my name added to it... Perhaps that would be a good idea for future reference.

Posted by: Gavin Greig (ggreig)
Posted at: October 16th, 2008 08:48 pm (UTC)
Robot Maria

All three of us: me, tobyaw and qidane.

Posted by: Toby Atkin-Wright (tobyaw)
Posted at: October 18th, 2008 10:33 am (UTC)

Setting up email certificates would be a good practical demonstration of encryption for your students to take part in.

7 Read Comments