- Distribute identities to its customer base out of band, e.g. on the last statement or by letter.
- Invite customers to sign up (low return rates).
- Implement a shared key secure email system (fraught with danger and a big deployment cost)
- Implement a public key system like PGP/MIME (customers don't understand it + who should own the key directory?)
- Implement a secure pick up solution by emailing out a link
The problem is that many of the solutions implement the latter because of the technical and cost limitations of the other strategies. Another key problem with all of these strategies is that the Government and the Banking Industry are aquite rightly advising the public not to click on links that offer to retrieve messages etc - this flies in the face of the secure email product strategy and shows a clear weakness. A 'secure email' with a constructed link to pick up the email looks too similar to a phishing scam to be useful.
At present, only PGP/MIME is an email encryption strategy that I support because it maintains the postal metaphor in that "I send you an email" and that you can open it in your email client. All the other schemes break the metaphor by requiring the recipient to go and find a webserver to get the message with credentials 'owned' by a third party leaving the recipient with an enormous number of schemes and credentials to remember. However, until PGP public keys become ubiquitous and key management made to be usable by an ordinary user then secure email will continue to be a mish-mash of unique solutions across corporations and product providers.
No comments:
Post a Comment
Thanks for adding a comment; I moderate all posts.