email Crypto- third party

Donald Ramsbottom donald at ramsbottom.co.uk
Mon, 02 Aug 1999 16:11:18 +0100 

>>It may suprise this list to know that many (if not all ) the large London
>>firms of solicitors habitually send correspondence by fax only.
>
>rather than ever generating a real letter ?

Yes


>
>> It is
>>cheaper,
>
>cheaper than 26p stamps I assume (or motorcycle couriers).

Yes, and enevlopes, paper, secretarial time etc etc etc, these all build up
when (as with large firms), you are sending out many thousands of letters a day.

>
>It is in principle more expensive than email, although minimum pricing
>on telephone calls may obscure this.

Yes it is, but they do not like using email (I do not know why) Indeed the
last time I sent a London firm documents by email, they objected as it
"clogged up " their system, and this despite the fact their note paper
clearly announced both email address and website, which in legal terms means
that it is deemed reasonable to use that medium. I suspect that it more a
fashion accessory than a  practical tool for most solicitors ( IP and IT
related departments being an exception).
>
>> and they know it has arrived as they get a print out that says so.
>
>An important quibble is that the print out actually says that it has
>been sent - NOT that it has arrived in a readable form.

Depends on the fax used.


>
>Since there is no store and forward in the system (in fact there can be,
>since faxes can be turned into emails or be collected by computers which
>then make them available on a screen before putting them onto paper)
>then the assumption made is that sending and delivery occur
>contemporaneously - hence the practical, working, assumption is that the
>fax has "arrived". However, that assumption can be incorrect.

Quite correct and in May there was a case on this very point. The email had
been sent and delivered, but was stored in the fax buffer until after a time
limit had passed. The court ruled that it was time of delivery and not
printing which counted (plus a "reasonable" length of time, (not defined)
for the fax to come to the adressees attention.
>


>>The fact that it is totally insecure eludes them, probably through
>>ignorance,
>
>the main insecurity would be in the dialling [a human may send it to the
>wrong place - hence those disclaimers on the cover sheet which attempt
>to put people on notice of the confidential nature of the contents].



True, but Go online to virtually any security store to get devices to "tap"
lines and the bodies concerned even give you the number.




>
>There are several schemes for email that provide proof of delivery,
>either to systems or to particular end users (depending on the
>situation, both can be seen to be of use).


I bow to your knowledge in these matters.


>
>The MDN (Message Disposition Notification) scheme is (finally!) an IETF
>proposed standard and several email packages now provide interworking
>versions of it. The scheme does not provide for cryptographic signing of
>the requests or responses, so it could be seen as insecure. However,
>getting something into the field was seen as a key first step. Automatic
>notifications are, in general, a nuisance unless your software can hide
>them away from you completely - so I'm unclear how much it will be used
>in practice.

Good, then bad.


>
>When asked how to know if an email has been received and read I always
>recommend adding the magic mantra
>
>        "please ring me to confirm receipt when you've read this far"
>
>just after the third paragraph. I find that this is effective, very
>reassuring, and by using sophisticated audio authentication techniques I
>find it gives me great confidence that the correct person received my
>email.


But you do not always want to talk to the other side, especially in the
Machevellian legal world! We are quite slimey sometimes , ok all the time :)



>the issue you raise is a general one to do with email delivery. It is
>not a crypto issue per se - except in so far as encryption can give you
>the reassurance that mis-delivered email will be unreadable because the
>private keys will not be to hand; not something one can be happy about
>when sending faxes.

The point was that it is unusual (if not unheard {in this country}), for the
phones to be down for the length of time referred to in the quoted email. To
build confidence in the "new" (as many in the real world still see it), then
you have to be confident in the new technology preferably on the basis of
reliability and security. To have the security element you must have the
delivery element but not vice versa.




Donald Ramsbottom LL.B, BA (Hons).

RAMSBOTTOM & Co. Solicitors

Internet Law & Global Cryptology Law Specialists