Times 7/3/2000: "How secure is your e-mail?"

Michael Bacon MBacon at snci.co.uk
Tue, 14 Mar 2000 14:56:45 -0000


> Richard.Cox@mandarin.org wrote
> 
> Ben Laurie <ben@algroup.co.uk> wrote
> 
> > I _never_ encrypt email to myself - adding such a facility
> > would encourage people to indulge in bad practice.
> 
> Indeed.  But some people still do it and in any event there will be times
> when there is a need to encrypt a single file to more than one recipient.
> Whatever the reason, it would seem to be good policy to minimise the number
> of separate keys that are capable of decrypting any particular cyphertext.
> 
Thinking about this in a business rather than personal context, one needs to
bear in mind the requirements of a global organisation that corresponds with
recipients in many different countries - some of which have (severe)
restrictions on the use of crypto (and/or are one of the 'Seven Dwarfs').
Using a combination of (eg) e-mail, telex, telefax and voice/video
technologies to communicate the same message means that (likely) different
keys will be used.  It is also likely that different strengths of
algorithm/key will be used.  It is also likely that different people will be
the custodians of the different keys.  It is also likely that recipients in
the same organisation (a la 'myself') will receive (multiple) copies of the
communication (perhaps via the variety of media).

Nevertheless, it is good policy to minimise the number of keys associated
with one communication - but how achievable will that be in practice?

For example, I know of organisations that encrypt (certain) outbound e-mails
at the e-mail server.  Some users encrypt also at their PC client - many
don't know that their employer encrypts outbound (and vice versa).

Michael (Streaky) Bacon
  ____
~(____)>
  "  "
The views expressed herein are my own and
do not necessarily reflect those of my employer