Gavin Greig (ggreig) wrote,
Gavin Greig

Why don't more people sign their e-mail?

An excellent question posed by tobyaw, and one which I would also like to know the answer to. tobyaw, qidane and I signed up as Thawte Web of Trust notaries a number of years back because there were no notaries in Fife at that time and, as tobyaw notes, we've not had much demand since then for our (free, gratis) services.

It's clear that even among geeks there isn't much interest in using certificates to sign mail, never mind "normal" people, as none of my colleagues use them.

What's the actual benefit of signed e-mail? It's an additional piece of evidence that suggests (it doesn't prove) that the e-mail really did come from the person claimed. My guess is that the reason it's not more popular is that that's a fairly weak statement of benefit. People are usually perfectly happy to accept that e-mail came from the person claimed anyway (although that information can be faked), and if a signed mail isn't proof positive, how does that make things any better?

Well, a solution doesn't have to be complete to offer some benefit. In order to fake an e-mail from someone who doesn't sign their mail, you need to know or guess their e-mail address. In order to fake an e-mail from someone who does sign their mail, you also need a certificate associated with that address, which immediately implies much greater effort and access to that person's secure data. While it's not impossible for that to happen, you can have a significantly greater degree of confidence in the origin of the e-mail.

Currently, people don't value that confidence highly enough to invest effort in getting certificates for themselves, or requesting that others use them. They put more trust in the perceived unimportance of their personal data to others, and in the common sense of themselves and other e-mail recipients in detecting when something ain't right. In a way that's a good thing - common sense will always be required, certificate or no certificate.

Should the uptake of e-mail signing increase? I don't really know. Although I do think it's a good thing, I don't feel strongly enough about it to evangelise! In some ways it wouldn't take much for signing to take off - the support is already there in most software (though not web e-mail), and if it started to become popular it could easily become de rigueur. But for that to happen, there would need to be some pivotal change that may or may not ever come.

As a final aside, I have to say that Thawte aren't helping the cause of e-mail signing with a very poor experience of obtaining a certificate for Outlook on Windows Vista. It's fine on other platforms, and older versions of Windows, but on Windows Vista the process fails and the suggested workaround begins "Switch off the Windows personal firewall...". Not acceptable. As far as I can tell (it's not an area of expertise for me) Thawte have not rewritten their certificate enrollment procedure to use CertEnroll instead of XEnroll.

Tags: information technology, thought

  • Hey DJ!

  • Dad’s Army Too

    For anyone who missed it, the trailer for the forthcoming Dad’s Army movie was released a couple of weeks ago. It's due in cinemas in February.…

  • Dad’s Army

    I’ve taken a bit of an interest in Dad’s Army ever since I ran a short-lived roleplaying game in the 1990s in which the player characters were…

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.