Educause Security Discussion mailing list archives

Re: Encrypted email

From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Wed, 19 Mar 2008 12:45:24 -0400


Perhaps a better place to start would be to define what the goals are.

Clientless encryption is impossible if the goal is end-user to end-user
encryption.  Even Hushmail fell into this trap when they offered a
clientless way for users to access their mail.  They didn't make it
clear to users that any time the server is involved with the decryption
process, it means that your mail can be decrypted if there is a
subpoena
or a server is compromised.


These issues apply to *any* enterprise encryption technology since keys
would need to be backed up or escrowed.


However, I wouldn't necessarily call it
encryption.


Not sure what you're referring to - the Voltage product is based on
identity-based encryption which is based on elliptic curve cryptography. No
technology concerns there. Password strength is a concern but this can be
dealt with via policy or the use of multi-factor authentication.

Mike



Mike Wiseman
Computing and Networking Services
University of Toronto

Current thread:

Encrypted email Heather Flanagan (Mar 18)
- <Possible follow-ups>
- Re: Encrypted email Mike Wiseman (Mar 18)
- Re: Encrypted email Jesse Thompson (Mar 19)
- Re: Encrypted email Jesse Thompson (Mar 19)
- Re: Encrypted email Mike Wiseman (Mar 19)
- Re: Encrypted email Heather Flanagan (Mar 19)
- Re: Encrypted email Matthew Gracie (Mar 20)
- Re: Encrypted email Jesse Thompson (Mar 21)
- Re: Encrypted email Jesse Thompson (Mar 21)