The poster is correct, to a point. There does need to be some international identification scheme if we decide that we actually need a trusted e-mail system.

However, the postal mail system has existed and worked perfectly well for many, many years with absolutely no attempt to engineer in a sender authentication system. Why should e-mail be different?

Because, some will argue, bad things get sent by e-mail - like trojans, and phishing scams.

Of course, no-one has ever fallen for a 'You're a winner! Call this premium rate number to claim your prize' scam delivered by post have they? Nor have bombs or toxic chemicals ever been maliciously sent by post have they?

The remedies implemented to combat such misuses of the postal system have included technology to inspect the content of un-opened mail, and controls over how premium rate telephone services are offered.

Many of the problems associated with e-mail (phishing, malware etc.) have nothing to do with the underlying protocols or mail transport software. Poorly designed add-ons to the original e-mail system (e.g. HTML email & embedded graphics) and stupidly designed clients (and some operating systems) have allowed e-mail to be misused. There is nothing inherently wrong with the design of SMTP - it is a perfect mail system for the supposedly free and open Internet.

We don't need a trusted e-mail system. Those of us who do should continue to implement closed systems (like PGP) that run atop e-mail.

If those who do not (i.e. everyone who uses the postal mail system happily) were to operate their computer with reasonable care and attention then none of the supposed problems would exist.

Not everyone can operate a computer with the required level of care and attention? Well, not everyone can operate a motor vehicle with the required level of care and attention, so we don't give such people licenses. We don't do this because we care that they could hurt themselves; we do it to prevent them from hurting others. Access to the Internet should be granted only to those who will not abuse it to the detriment of others in much the same way as access to public highways is controlled. I'll admit there?s a lot that the tech industry could do to make computers far simpler and safer to operate, much as the motor industry has done over the last 100 years or so, but given the current state of the IT industry I don't foresee any significant change soon - our current priorities are still all wrong; we're far more interested in adding new 'killer app' features than in refining and improving the technology we have.

If we do go down the route of a global trusted e-mail system, the we're all going to end up with something like a UN mandated global identity register and we'll all be implanted with RFIDs or at least be forced to carry ID cards. No one in their right minds should advocate that. To those who disagree, might I suggest a quick read of Orwell's increasingly relevant Nineteen Eighty-four.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/404/33659#33659