PGP Universal - Usable Email Security?

An anonymous reader writes "For years, noted cypherpunks such as Brad Templeton, Ian Goldberg (PDF link), Bram Cohen, and Len Sassaman (PDF link) have been calling for easy to use email encryption solutions which involve little crypto comprehension on the part of the user. Now, it seems like someone has listened: PGP Corporation has announced its PGP Universal, which says it 'shifts the burden of securing email messages and attachments from the desktop to the network in a way that is automatic and entirely transparent to users'." The Register has more information on these newly announced proxy servers.

Thus defeating the object?

[Moth7]

shifts the burden of securing email messages and attachments from the desktop to the network in a way that is automatic and entirely transparent to users'

If you think that letting the powers that be implement our security by shifting the responsibility for encryption to them is going to make us take off our tin foil hats then you have another thing coming o.0 Methinx that if anything this will make me consider constructing a newer, stronger hat.

Can't...resist....blatant.....plug...

[ALecs]

This looks a lot like what the company I work for does.
(A box/infrastructure) that does the crypto/key management for you)

why bother?

[c4ffeine]

If someone really needs to use PGP security, which is almost unbreakable, they would figure out how to use existing programs. Most potential customers for this program have no need for it; the vast majority of people would be fine with little or no encryption. Really, though, who sends their credit card numbers over email? If it's that important, people go to the trouble to figure it out. So, in my view, this is a luxury. People who have a real need for PGP will take the 5 minutes to figure it out. Other people simply don't need the security.

Shouldn't keyfob USB help here instead?

[Uncle+Op]

Key management - and paranoia management - remain the problems with all PGP/GPG solutions. If it's too easy to use, it's usually not secure enough and vice versa.

It seems that a device - like the keyfob-sized USB "memory drives" should be nearly enough for any personal use. Ideally there would be some sort of fingerprint or biometric reader in it too, though the existing passphrase mechanism could suffice. Just put your secret key on it and you can take it with you. I guess the problem is keeping randome machines from snagging a copy, though, since the same machine you plug the fob in to can also snag your keystrokes and thus your passphrase.

If it's not one thing, it's another.

If the burden transfers...

[wmaker]

The article states that the network is then responsible for decrypting and encrypting... it has to be clear text someplace on the network to begin with then. Doesn't that defeat the purpose? And, why is this necessary when the future 'ipv6' to be done by 2007 will be completely encrypted anyway (internet version 2 if you will).

Great for Spammers

[hysma]

This would be a great way for spammers to send their junk and bypass any server-side spam filters.

The spam can't be scanned while in PGP form, and according to their diagram it won't be decrypted until AFTER hitting the mail server.

I suppose one point up for security, one point down for preventing spam :(

Text scrambler

Personally, I'm just going to use jwz's new script for all my communications:

Aoccdrnig to rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a total mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe."

http://jwz.livejournal.com/256229.html