Slashdot Mirror
Ask Slashdot: Could E-Mail ever Replace Snail Mail?
dlc asks: "The recent USPS question got me thinking. One of the major things traditional mail has going for it that email doesn't is the fact that, for the most part, signing a letter (marking it as authentic) is easier to do, or, at least, the technology to do so is much more common, and is much more widely understood. Similarly, one of the obstacles standing in the way of universal acceptance of email as a legitimate means of reliable transmission is the fact that it is difficult to verify the sender of a message. Digital certificates and a world wide (or at least wide-spread) public key infrastructure would go a long way towards removing this obstacle. My question for the slashdot population is this: Under what circumstances do you see digital cirtificates, PKI, and encryption in general becoming part of normal email usage, to the point where people have as much confidence in the authenticity of email as they do in regular mail? "
I can probably send a nicer e-birthday-card. All I've gotta do is send a Email consisting of:
And have a neat HTMLized card at that address, or you could just send a image as an attachment (PNG or JPEG)
-- The act of censorship is always worse than whatever is being censored. Always.
So says the Anonymous Coward. Could this have been flame bait?
Now I'm sure you really didn't mean that, but you should be careful that you truly mean what you say!
Time is Nature's way of keeping everything from happening at once... the bitch.
You say the solution is : Some sort of biological print, such as iris, or thumbprint. There's no need for this type of hardware - you just need a better 'secret' than a password, so production of this secret means it's you. Passwords get lost, passed on, copied, stolen and put on "post-its'. Take a look at www.Passcenter.com and see a really neat type of 'secret' that's apparently hard-wired into all of us...
There _is_ a standard for mail delivery receipts, and it's even specified in an RFC: it's called Delivery Status Notification (DSN). Sendmail supports it, for example. I think the problem is that most MUAs don't.
Well, if I write my sweetie a personalized piece of software with emotional content, that almost gets across the emotional interest. (Judging from reactions.)
I agree that physical tokens are even more endearing, though; it's like the difference between sending sheet-music for a song you wrote, and singing it yourself.
You just asked a question that has already been answered by companies such as Verisign, Entrust, Baltimore and others. It is called PKI (with uses digital certs to validate, along with a Registration Authority, a person's identity and his public key). PGP is poor in managing large groups of public-private key pairs. Ask Network Assoc. if their PKI strategy is booming based on PGP (not!). As for the international aspect, a few companies (like VeriSign) are doing international partnerships where a particular set of companies in other companies chain up to a common root in the PKI chain of trust. So any company/individual (eventually) in the world can trust and validate another. The answer is already there. The question is only beginning to be asked.
Besides, which would you rather receive? A meaty email or a one-liner greeting card? Personally, I value the former more.
ufdraco
I too have done some work with certificates (no book contracts yet :-) )
In Australia, there has been much noise by government but little action regarding PKI's. Australia Post had a CA scheme going but decided to can it about 3 months back. Your only options now for an Australian CA (other than becoming one yourself, which has its own sociopolitical issues though the technology is there) are a couple of the big accounting/consulting firms, neither of whom seemed to have a clue about what they were trying to do last time I looked.
If you don't go with Verisign or Thawte, or a few other CA's, who appear as default trusted CA's in MS and Netscape products, you run the risk of scaring techno-illiterates away with those "untrusted authority" dialogs.
For a server cert, the Verisign signup procedure is not simple, quick or cheap. Particularly for a small company trying to, ahem, "leverage the level playing field of the Internet."
The US export laws cause problems for anyone trying to write automated secure email programs. for example, RSA's S/MIME toolkits are only available to US and Canadian citizens. And S/MIME is what MS mail software would have you use by default for mail encryption. (Yes I know you can get PGP plugins, I use them myself, but does Joe Average Clueless User?)
I have written programs to send encrypted email. But I used PGP, which does not use certificates. Finding something for S/MIME using certs was just too hard.
Oh, yeah. I can't see Dell delivering my next computer electronically any time soon.
Eagles may soar, but weasels don't get sucked into jet engines.
I shouldn't have been posting that early in the morning prior to coffee consumption :)
The USPS and Federal mail fraud regulations along with the length of time society has used snail mail have played a part in creating that implied level of trust. But the majority of that trust comes from the relationship between the sender and recipient. Handwriting or letter style of grammer play a part in building that relationship which is why you trust that the message you have received is really authentic. The relationship's trust is also based on the type of message being conveyed:
That same implied trust does not exist today with PKI-enabled email. We don't have many of those associations in email to imply the same level of trust. PKI has limitations in that the trust placed in the transportation of the email has nothing to do with the content of the message. It also has nothing to do with the relationship between the sender and recipient. It is purely a clinical way of ensuring either privacy between sender and recipient, or the sender signing the message for non-repudiation. All it ensures is that:
None of this has anything to do with the content of the message or the relationship between the sender and recipient. PKI trust is effectively sterile.
Now add onto that the reliability of your regular email provider, your ability to store your keys securely yet have them easily at hand to actually use, add the average IQ of those you trade email with on AOL, and you suddenly realize that none of this is ready for prime-time.
Several suggestions have been presented to create the infrastructure for PKI. A recent recommendation is to have the DMV issue Smart Card drivers licenses, and an initial certificate which you would use for an electronic signature. This is probably the quickest way to get certs to the unwashed masses, but opens a whole can of worms related to government intervention. Let's look forward to that time (hinted at in the Book of Revelations) when you can only buy and sell electronically using such a cert as your "unique signature ID". If the DMV can revoke your driving privelidges and cert for any reason, then you have no reason to imply any trust in such a system unless you truly believe it can never happen to you. Of course, if you're prone to paranoia....
Back here on planet earth, most certificates are issued for two years and then automatically expire. After it expires anything you have signed will be no longer be able to be validated by the CA. Legally this is still unknown territory. Can you still trust email that was signed, but the certificate of authority has expired? Or is your trust now based upon the implied trust (context and the relationship) that was established when the cert was valid?
The conclusion that seems to gathering consensus is the Smart Card route. Whether you would trust VISA/Mastercard more than the DMV to issue you your card, and whether you can add your own certs to your Smart Card remain to be hashed out. Either way the trust relationship we know from snail mail will be different in PKI.
We can trust who sent and received the message. We can trust the integrity of the message. But we are still no closer to being able to trust the contents of the message any more than snail mail.
It will take more than 5-10 years to work out all the policy and procedural issues associated with digital certificates. Expecting anything from the PKI industry, equivalent to the confidence in the snail-mail industry, in 3-5 years is wishful thinking. Until then, digital certificates are about as useful as photocopied driver's licences. Lyal
> You can't send checks. (You can send credit card- an-ATM BS.
/. post.
> info. But, dammit, I want a check. None of this
> credit-card-direct-deposit-get-all-your-cash-from
Why would you want to send or get checks? Speaking as someone from a society (Finland) where checks have been outdated for close to 10 years now, I think they are old technology. Bank account transactions are the way to go. I can send money to people via a nice web interface to my bank account, at any time of day or night I might want.
So really, why would anyone need checks in mail? Just let the other person know your account number, and they will do the transaction, and if you have accounts in the same bank then you can see the money on your own account in minutes via the web interface.
Hmm, my first ever
There is more to the problem of adapting email as a replacement to smail...the biggest is the fact that email is not given the same secure privacy backing as snailmail is. It is flat out illegal for my employer, you, the maildeliverer, etc, to open and read my mail. With email this same protection doesn't exist. It is NOT enough to say, "Use PGP then", because this is a complexity layer that will always hinder its use by most generic users. I would hat to have to try to get my father to understand and use PGP...besides which there is just too much enduser "work" and effort required to make PGP actually work. None of this complexity exists for snail mail. If I am just passing non-personal/non-sensitive info to someone, then email is fine but if I want PRIVACY and protection of information, I will use snail mail forever...until email is given the same privacy/security consideration as regular postal mail. Simply KNOWING who sent an email is NOT enough. Having the email be secure and PRIVATE in and of itself (like snailmail) is the real kicker.
Second, with snail mail we've got real guarantee that your letter is delivered. That's because with buying postage stamp, placing it on the envelope and then putting the whole package into a postbox you kinda sign contract with that post service, which you can in turn, sue for not delivering the mail (if you happen to know it of course) On the other hand, sending email doesn't sign such a contract. If you complain to your ISP that your e-mail hasn't been delivired, he can just say there are some hackers or servers down or lightning stroke Microsoft office (not that 97, of course) or whatever.
And last but not least, you just can't send your friend a real souvenir which any postcard is.
"but, without my illegibly-scrawled signature" Now I know I have seen many scrawled signatures printed out on laser printers... that's what scanners are for...
--"Cynical?? Who's cynical???" -k-
- Too much new info coming out of your browser. Typical customers don't understand the deluge of messages they'll get about Certificate Authorities, and accepting things forever, etc... Solution: I don't know. It took a long time (and lots of bad scifi movies) for people to understand the notion of username and password. It's going to take longer to understand the notion of a digital certificate.
- You're still expected to provide a password (to protect your private keys). In many eyes, this defeats the purpose. Sure, you've reduced a bunch of username/password combinations to one password, but it's still something to remember. Solution: Some sort of biological print, such as iris, or thumbprint. The key being that you don't have to remember anything, you just have to show up. (Of course this brings up all sorts of privacy/security issues about copying that data. I've met people with about $100 in the bank who are afraid of being killed and having someone cut off their thumb. Seriously.)
- Corporate paranoia. I've seen places where they take out the normal username/password, and put in clientside certificates, and then put BACK a webserver ACL protection. They're paranoid about turning off the passwords. Then they ask, what did we gain from certificates? Well, nothing. Solution: More knowledge usually lessens paranoia. A few companies out in front demonstrating that it can be done, a few Forrester reports or something saying that certificates are ok, and here look, company X is using them without a problem, will start getting the pointy haired bosses interested.
- Non portable. Although a variety of standards exist for transporting your certificates, see earlier point about the whole process being too confusing for the average surfer. Solution: Smart cards. Put the digital certificate, along with a copy of your thumbprint, on the card. Stick the card in, put your thumb on the scanner, it's you.
Those are a few of the main problems with certs, in my experience. Of course, each of those has it's own issues and could be an entire thread. But I'm at work doing non certificate related things, so I can't really discuss it all day.www.HearMySoulSpeak.com
of course he doesn't mean that.
he means have a government body sign keys. (go research PGP if you aren't familar with signing keys, its in a nutshell putting your key's reputation on the line verifying that the other key belongs to who they claim to be.)
That makes more sense..
-bugg
You're right - it's not really what I meant, although I expect it's what some governments would be only too keen to implement.
I meant, have the government keep a list of every individual's public key, and verify this by requiring you to turn up at a registry office with birth certificate, passport or whatever.
Having the government sign people's public keys, as somebody suggested below, is a good way of doing things. Of course, you can get them signed by companies as well if you don't trust the government. But I would expect that any company operating within the law is no more trustworthy than the government it operates under.
-- Ed Avis ed@membled.com
Personally, I haven't bought a stamp in approx. 3 years. I don't even remember how to send snail mail. Everyone I care about communicating with has an e-mail address. (and if I really wanted to get wierd, my pager can send "e-mail" to a phone number through a text-to-speech engine...) the thing is, I don't use encryption and digital sigs all that much, and it doesn't matter too much to me. Yes, I trust them much more than an ink signature. But that doesn't mean that I trust it all that much. Digital sigs I don't need at all, because I generally don't care who an e-mail came from. If it came from my dad, I can generally tell whether it's signed or not. The actual applications that I use these tools for are few and far between. I would prefer it if everyone used encryption, but things are getting better. There's a reasonable level of interworking between the mailers that I and my friends use (outlook, netscape, pgp-elm and eudora) I've had very few problems.
I guess my general answer is that it's happening already, and encryption is not an obstacle. Encryption is more secure than any snail mail you can send, and easier than your average certified mail.
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
Seeing first hand the many problems less computer savy people have with email (from friends to co-workers) there is a much simpler reason than encryption/verification of sender... too damn easy to lose. I see people delete mails all the time, forget the can undo and lose it for good. I see people delete entire mail folders on accident... imap stores crash... pst files get corrupted. Paper for all its faults is a pretty easy medium to hold onto and not lose.
F /...
---
Openstep/NeXTSTEP/Solaris/FreeBSD/Linux/ultrix/OS
--- I do not moderate.
Other than expensive biometrics (which can almost certainly be spoofed) there is no way to reliably assure that the person who clicked send is the person you think. There's no easy way to create a human computer interface which can't be spoofed somehow. Authentication right now at best tells you it came from a given _machine_ not a given user. If you require passwords to access client certificates, the user will create a simple password (pet, lover, kid, birthday, userid). If you require complex passwords, the user will write it on a little yellow sticky and put it on their monitor. The only way I'll trust digital certificates over paper signatures is if they are streamed off of a chip implanted in the middle of the users brain. Actually, probably not even then.
-Aaron McHugh
I have several collections of letters written by many authors. One of them is (natch) Hunter Thompson. He was carbon-copying his letters from the time he was a teen. What a fascinating read! Now how many people keep their email like that?
Taking the time to go thru letters and cards is fun and reminds us that we're human, rather than hi-lighting and hitting delete delete delete
OTOH, I'd take spam over regular junk mail any day. I'm sick of those crappy two-bit pizza places that have to advertise in green in pink!
I'm out several hundred dollars because someone cashed my IRS refund check three months after I reported it missing. In the three or so years following the initial loss, the only response from the IRS to them having me fill out the same form over and over again ("no, I did not benefit from the cashing of this check." etc) was them sending me a photocopy of the cashed check.
On the back of the photocopied check was my name, signed in a hand that in no way resembled mine.
I'm hard pressed to imagine that written signatures mean a d*mn thing. The bank that cashed this check certainly didn't perform authentication of my identity. So I while the "technology to do so is much more common", it certainly is not "much more widely understood".
Smart jurisdictions are going for electronic signatures, of which digital signatures are just a small subset - and the hardest to implement policies, procedures and system integration for. Why waste the time - use technology that's already working and call it a "signature". Lyal
Legal opinion is still varying on this, but merely having a machine automatically digital sign something does not make a signature. One important element is did the signer INTEND to sign the document/transaction/message. if done automatically, it means nothing legally - but may be ok for birthday cards and notes to mum. Lyal
>Just let the other person know your account number, and they will do >the transaction, and your own account in minutes via the web >interface.
Idoit. What if I don't want *WANT* to let the other person know my account number? Forget paying bills by email or any other of the crap people like you seem to be fond of, it's stupid and you have no real control over it. I'ld rather buy a money order from the post office for the exact amount *I* want to *PAY* on a bill rather than go through that "electronic banking" bullshit that's basically a consumer rip-off.
There is no real way to confirm receipt. You send an acknowledgement, and await an acknowledgement for its receipt...ad infinitum. An unsolved network problem.
is not the end all be all of communication. In order for e-mail to completely replace good old snail mail it would have to be something everyone had access to. But that is not something that everyone has, the internet is basically a toy for those able to afford it. How many households with a low income do you suppose have a computer and if they do do they have an e-mail address? Some things are more important than the internet-clothes, food, a warm place to sleep-that some people don't realize because they're able to take technology for granted. If I have a mailbox, I can get mail. Mailboxes come free with your house and paper is damn cheap. Computers can write email but are expensive (when you're living paycheck to paycheck even a 300$ computer is expensive) oops to send that email you've written you need an ISP which will cost you some more money. Oh lets also pay bills over the computer...oh wait, I need a credit card to do that. Until a viable virtual check is available that idea doesnt work, not everyone has a credit card either. The closest thing I have to a credit card is a debit card I got free with my checking account, but I won't probably ever get a regular credit card. It's fine if some parts of the snail mail is taken up by confusers, I like the idea of buying postage by the stamp and printing it with my printer which means it's read much faster by the machines at the processing center. When you give everyone access to e-mail you can suggest replacing snail mail.
I'm a loner Dottie, a Rebel.
The problem is, you are asking people on SlashDot. Of course they think so. What you should do is go ask a room full of 60-year-old lawyers, who need signatures on documents every day. They will tell you, not a chance! Most of them don't even have e-mail, and I know my dad's office for one, still addresses letters with a typewriter. Most of the offices in Century City, CA and not high-tech in the least, and these are the people who would have a reason to do this. Big corps may, but doctors and lawyers and such will stay away...
As Online banking takes it's hold (as it has already begun doing) Intuit is responding with software like Quicken, Quickbooks, and Turbo Tax. (Along with a small Redmond Ba$ed Company). And it has become a goal of these companies to absorb the bulk of this large portion of postal mail usage. (And with the resources that that are inplace, online checking is on the verge of dawning on the electronic finance field.)
My timetable for a purely electronic mail system is quite short (at least for my position) - since bills are the only thing that I use postage stamps for.
*Carlos: Exit Stage Right*
"Geeks, Where would you be without them?"
*Carlos: Exit Stage Right*
"Geeks, Where would you be without them?"
"Got Linux?"
> What if I don't want *WANT* to let the other person know my account number?
Why not? It's like saying "why would I want to give out my email address to people? I don't want them to know my address." You can do it, but it will inconvenience you. And it's not like they can do anything with the number except send money to it, AFAIK. Maybe your account is different though.
> Forget paying bills by email or any other of the crap people like you seem to be fond of, it's
> stupid and you have no real control over it.
I've never paid bills by email, and I don't think there's any technique like that available for me. As for the rest, I can view my account information, current balance, and complete whatever transactions I wish. It's exactly the same things you can do otherwise too, only the "interface" is different. I don't see how I don't have real control. I actually feel I have more control over my account since I can check it much more easily than I normally could.
> I'ld rather buy a money order from the post office for the exact amount *I* want to *PAY* on
> a bill rather than go through that "electronic banking" bullshit that's basically a consumer
> rip-off.
Well, for me, when I pay a bill via the web form I enter the recipient (account number & name), the sum, the date and the code number (not sure how to translate that term) for the bill, if any. I have complete control over the sum and time of payment, I can choose any amount I want too.
As for rip-off, I think that banks shouldn't charge for this kind of service but they do, so that part is true. Mind you, they charge for every other kind of service so it's no more a rip-off than the other "services" they provide. It's also true that this form of customer service reduces the costs for the bank, but I don't care about that since I feel it also provides me with better and more convenient method to take care of my account and transactions.
I'ld guess that it will take 3-5 years after
a standard crypto based authentication system
is built into every email client and available
world wide. Of course, this is totally governed
by when (if ever) legal restrictions are removed
on the free movement of crypto products.
Many companies such as hushmail, tumbleweed, and postx are already creating commercial secure email products that just about everyone can use.
Just remember that at the turn of the century, people got around in horse-drawn buggies, as they had in one form or another for nearly a millenia.
and people should have confidence in snail mail? how do you know where it came from?
US Citizen living abroad? Register to vote!
This touches on two talks I had the pleasure of hearing at yesterday's USENIX Security Symposium. The first dealt with the usability of PGP 5 for the Macintosh. The results of the study clearly showed that for crypto to be used by the masses, it must be able to pass the so-called "parent test." The second talk was on US Crypto policy. AFAIK, only California has a law that recognizes digital signatures. This must change. Even if the US continues its idiotic crypto policy they must recognize unforgable digital signatures if they want electronic commerce to take off. Regarding US Crypto policy: Much of it is built on exaggerations, lies, and misinformation. Regardless of its basis, it must change to allow all people to feel as secure sending email as they are sending a letter if email is to be an important mode of everyday communication for everyone the world over.
Andrew G. Feinberg
First of all, a major problem with email (just as with snail-mail) is that it is unreliable. You send an email out and in the general case you have no clue whether it reached its destination or some host on the way folded, spindled and mutilated it, and then discarded it.
The same could be said of snail mail, no?
-witz
One thing I've learn is that it won't happen until most people already have the tools to make it easy. I use a mailer that integrates with PGP (SeriousVoodoo); you just check off if you want the mail signed and/or encrypted. But when I send PGP'ed mail to a friend, if they have to tell elm to save it to a file, and then they manually run PGP on it, it is too much of a pain in the ass. So they tell me, (paraphrasing) "Quit encrypting your emails unless it's something important." (*groan* I don't want to just encrypt the "important" stuff! I wanna overwhelm the snoopers. Let 'em spend a few years decrypting my "Let's go to the movies on Saturday" message.)
The tools have to get out there first, before people will start using it a lot. Old mailers need to be updated or replaced.
---
Have a Sloppy day!
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Email won't completely replace snailmail for one simple reason. Even after you've got email secure enough that even the most paranoid technophobe is happy to use it, you still can't use it to send someone a nice birthday card.
Being a young person, I've moved (and foresee moving) often (college, work, etc) and it is difficult to maintain an email address. (It's difficult to switch 40 friends and relatives every few months.) So I just toughed it out and suffered through Hotmail. (It was fine before they were bought by you-know-who.)
;-)
Outlook Express integration of Hotmail is one of the major things keeping me with Win95 and IE5 (don't laugh, it's useful!) Now that feature hasn't worked for several days. I guess that's what "limited Beta" means. Another straw on the camel's back. Time to shop for a hardwareModem... and a distro again...hehe
I'll still use postal mail for small packages, special letters, and bills that i dont trust to electronica.
** Oh, anyone else think the "Submit" button oughta be removed so previewing is mandatory and we won't have the "oops, blank/incomplete post" phenomenon? *cough*
"I want peace on earth and good will toward men." "We're the U.S. government. We don't do that sort of thing!!"
First of all, a major problem with email (just as with snail-mail) is that it is unreliable. You send an email out and in the general case you have no clue whether it reached its destination or some host on the way folded, spindled and mutilated it, and then discarded it. Some MUAs offer delivery receipts, but generally they require that you run the same mail client on both ends. We really need an RFC (maybe there is one?) for mail delivery receipts and have it implemented in all MUAs.
/. community will like even less is that authentication and encryption will become widespread when they will become default settings in Microsoft Outlook [ducks, quickly pulling on his asbestos long johns...]
As regards to authentication and encryption, this is a bigger issue. The general answer, I would say, would be: the general population will use authentication and encryption when it will be build into all mail tools, switched on by default, and work transparently. I am rather pessimistic about more than 1% of computer users doing something proactive to use encrypted email. And from personal experience I know that trying to communicate by encrypted email with people who don't understand either encryption or the need for it is a pain in the ass.
Authentication (i.e. digital signatures) is a complicated topic with the key problem of correlating a digital signature with a real-world or an online identity. There are two major approaches -- one uses centralized certificate authorities that vouch for the key-identity correspondence, and another (PGP) uses what it calls a web of trust. Both have significant problems and are not in widespread use.
I guess my answer is 'don't hold your breath'. Security is complicated by nature and people are generally unwilling to spend the time and effort to work it out and set it up. Another answer, which the
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I don't think that there is going to be true acceptance of email as a replacement for snail mail. The reason is not the lack of security, or the conflicting standards, or whatever, the problem is that if it has to do with a computer, some people are going to be wary of it.
:)
Another problem is the lack of personality of a regular email, the lack of humanity. There is only so much personalization that you can do with an email. You have the regular emoticons, and strange fonts; but they just aren't the same as big loopy handwriting, with smily faces dotting the "i's".
Until there is some way to do something like this, I believe that the USPS will still be in business for a good deal longer. What really needs to be done, is to have some "datapad" type deal, that allows you to access your email easily, let's you write in your own handwriting (maybe translating it if it is atrocious like mine). Think of a Palm VII with a nasty crack habit.
Well, umm, I am just tossing ideas out, so this is the end
--This was not spellczeched. So leve me bee...
I think the technique is already there. In order to use them, there will have to be standardization and new laws. The laws should provide legal status to emails. Right now it is hard to claim things if it is not written down on paper. Digitally signed documents need to be treated in the same manner so we can use them to replace paper contracts and letters.
One major obstacle has been the US position on encryption keys for the past few years. As long as that has not been resolved, it will be hard to get useful standards.
So yes I think email will replace snailmail in the long term. There is no technical issues here and I think laws and standards will show up eventually.
Since I'm not a legal expert nor an encryptionb expert perhaps somebody else can point out if there are any major flaws in my reasoning.
Jilles
see title. As a sidenote, the monitor just doesn't look as good as a real postcard even if you ues flash.
CY
I know that most Slashdot readers think the government should stay out of the Internet, but I think there is one useful thing that governments could do - which would also make email more widespread:
Issue every citizen with a PGP public key pair. The problem with current PGP keys is that you have no way of knowing that the 'real' person got the keys in the first place. Your lovingly encrypted / signed communications may be going to an interloper. What's needed is an agency that will require physical authentication, as well as a passport and maybe other ID, before issuing a key, and then provide an easy way to look up the public key of each individual.
I know that there's not a snowball's chance in hell of this happening in countries like France, the US or Britain, but governments of more enlightened countries, who don't want the NSA tapping their citizens' messages, might go in for such a plan.
And before you all complain, I know that you can't trust the government in matters like these. However, I think this would provide a little more security than just looking at a public key server. You could of course do both.
-- Ed Avis ed@membled.com
There are two ways we can look at this.
On one level, mail as a way of passing information from a to b. Here e-mail could well win, ultimately, in terms of security, speed, and convenience. It works! You can send and receive text and graphics.
But on another level, you cannot hold an e-mail in your hand. You can't have somebody elses creation, as they had it, on your mantelpiece.
Sure, you can print it out. But you can't lift that printout up to your nose to smell your girlfriend's perfume. You can't receive an e-mail you can run your hands over because somebody has chosen special paper for you. You can't receive an e-mail that's been handpainted. Perhaps you can digitize it. But then its just not the same object.
While we're receiving information, the value of snail mail will become less, with electronic mail becoming more commonplace. While we're receiving emotion, the value of snail mail will grow, as simply something more special.
Comments? Anybody disagree?
The camels are coming. I'm in love.
Hasn't this topic already been covered in Ask Slashdot?
2 .shtml
http://slashdot.org/askslashdot/99/07/22/013925
Granted it's not the identical question, but pretty much the same concept....
...I agree completely.
For me, email is a "standard" means of communication now. Letters are "special". If I get a letter from a friend who has access to email, it means that the friend took the time to write the letter and post it. I would say that handwritten letters are nicer than printed ones, but my handwriting could never be described as "nice" :-)
Like I said in an article above, you can't send someone a birthday card using email. You can sent them a "greeting card" from some Web page. Your friend will get it in their email, and could print it out and put it on his or her mantelpiece. But it simply isn't the same. It's not a physical object that you took the trouble to buy, sign and post.
...if ever, before email replaces snail mail. Reasons? Okay, here ya go:
- an-ATM BS. (Okay, I do get all my cash from an ATM, but I like having the option to talk to an actual teller.))
1. It can't happen until pretty much everyone has email. EVERYONE. Worldwide. What percentage of people in Africe today have email? Hell, what percentage of people in the US have email today?
2. There are still a lot of things you can't do through email. You can't send birthday cards to your friends. Your SO can't send you a letter with lipstick marks in the shape of a mouth puckered up for a kiss on the flap of the envelope (or you can't do so, if you're the one in the relationship inclided to do so). You can't send checks. (You can send credit card info. But, dammit, I want a check. None of this credit-card-direct-deposit-get-all-your-cash-from
3. Lack of a physical address. Just because my email is @something.demon.co.uk doesn't mean I'm actually in the UK. I could be in Germany. Or Canada. Or New Zealand. Or Antartica (I'll grant that it's unlikely, but...). Companies, for some reason, frequently want to know where you are. Some will only ship to the billing address on your credit card. Those companies might not like the idea of sending something to an @{ISP name}.nz address if the billing address is Boston, Mass.
So: email will not snail mail because of it's not universal, it's can't carry all the things that snail mail can, and, in some cases, disparities between physical and email addresses.
Just my 1/50 of a dollar.
-Ender
Loose things are easy to lose. You're getting your hair cut. They're going there to see their aunt.
CNBC is going to have some information on this topic this evening, i wonder where they got the initial idea..? ~Roach~
Techno babble forsooth! Enough. This is not really an issue of supporting technology or of the general public's trust of that technology. The rules of trust are the same, no matter the media. I use email extensively for business. I trust emails that are: 1). from a known source. 2). within the context of our current ongoing discussions, etc. 3). reasonably accurate in it's presentation of facts. These same criteria apply to snail-mail, fax, email, voice messages, all of it. But I don't use those methods, in that manner, to document a contract for work. Our concepts of developing trust around a contract trace back to ancient customs. Way back when, before cell phones even, 3 copies of a contract were written. These were certified to be identical, witnessed, and one copy was sealed inside a jar. The sealed copy could be brought out (by breaking the jar) in the event that there was a dispute. (Like, say, someone had altered the contract.) Do these things sound familiar? Sure. We do similar things every day. Keep in mind, many people in our world can't read. They depend upon the reliability of witnesses to establish trust. How do we make email useful for contracts? Easy. provide a means to: 1). duplicate the contracts. 2). "seal up" one copy in a secure location. (can we say encryption?) 3). provide a permanent, meaningful way to reference each copy to the sealed copy. (i.e. no email contract could be valid without a reference signature that would uniquely identify the contract and all copies.) Then people will trust the email, and they won't care what media it was written on. IMHO.
Well, for me, anyhow. It can't replace either one entirely.
Since my parents and most of my friends from college now have an e-mail address, I send e-mail when I need to get something responded to reasonably quickly but not THIS SECOND.
There are certain situations that I don't think call for e-mail or for telephone calls -- good old-fashioned snail mail is the only polite option. Wedding invitations and sympathy cards come immediately to mind.
Likewise, if there is an emergency and next of kin need to be notified, you better believe I'm using the telephone, at least as a first attempt. If that proves ineffective, THEN I might send an e-mail saying "please call" or something similar.
E-mail is the best option if you need to send out the same news to a lot of people that live in a wide geographic area. Individual phone calls are time-consuming and expensive, and for some reason form snail mail is much more irritating than multiple "TO" e-mail. That could just be a personal quirk, though.
For average, ordinary, mundane communication with friends and family, I tend to use e-mail because it's convenient and cheap and I don't have to remember where I put my stamps.
And don't forget, the computer was supposed to bring us the "paperless office." Yeah right, like THAT will ever happen.
"Somebody exploded a letter-bomb today
I never used the USPS for anything other than bills and such. The ease of email has allowed me to send little notes to people that I would never have used the USPS for. I have not sent any less mail through the USPS than normall although I sent about 20 emails a day.
If there is one company that is losing out on my email, its the phone company, not the USPS.
USPS will always be around...I have yet to be invited to a wedding through email.
I think letters and basic paperwork will change over to electronic form w/in the next couple years and expect to see it intergrated into the IM infrastructure as new more powerful standards become popular. I think IM's will begin to come w/ encryption/signing built-in and most likely will only require the user click an 'Update and Secure' button to download the crypto plugin from a server off in X country. IM's do to electronic messages what the WWW did to Gopher, essentially simplifying the process and interface to give more powerful features and still make them accessible to the average person.
On the other hand.. I think package delivery will increase. If the U.S. Gov't really wants to start making profits they should stop worrying about taxing email or increasing the cost of stamps and instead lower the rate to ship packages, make packages better insured to reach their destination quickly, and make a free interface that e-stores can use to figure up shipping costs, schedule package deliveries, etc. Not only could this keep the Postal Service in business it could also help pay for the Internet infrastructure w/out adding any new taxes.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
I believe the great problem we will have to deal is that by analogy with the real world, individual certificates and keys are a right in the digital age. The same way you don't have to "buy" your signature, you shouldn't need to pay for a certifying agency to have your digital identity. I'm not quite sure how this problem should be approached. Perhaps the government should issue certificates to it's people, but of course this is hard to the government and big bussiness for companies. Otherwise, privacy will be exclusive of the "have"s while the "have not"s will have no access to crypto and digital security in general.
It already has for me, just ask anyone who does not send me a self addressed, return postage paid, request for anything via snail-mail they get nothing in return. Ask anyone who expects a reply to an e-mail, they always get someting back, even if it's a "duhhhh, I don't know".
Retired dinosaur, simple user, volunteer, guinea pig
I don't think so, at least not for a long time. This is because in order for it to be effective you'd have to have pretty much everybody who uses mail switched over, and there are billions of people in the world who have not ever used a telephone, let alone a computer. But, those billions still get paper mail.
This questioner sounds very U.S.-centric. You've got to think in a wider view.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Disclaimer: This answer is not definitive, and I know that the innocent word 'trust' has been turned into a buzzword, or at least it's close to it now ... but FWIW;)
... suspicious. If my mom wrote to say that my sister will be home for a certain week next month, I would probably not be.
In discussing the concept of "trust" / "authenticity," etc. context changes everything, and when people talk about trusting email vs. trusting snail mail, I think there's sometimes the impression that people ever (or often, say) rely on either of these methods in complete isolation.
In my job, I sometimes request and receive publication permissions for logos and quotes via email; it's usually the most reliable way to reach people in my industry (I work in advertising for personal computers that rhyme with "Smell").
Now, since the email originates with me for the most part, and there is usually some level of phone contact, the occasional fax, etc, I have no real problem with presenting the resulting replies as permission to our client, though usually we also get paper copies in the mail as well.
If someone with the email address "EdMcMahon@whitehouse.gov" wrote email to say that I'd won a million dollars and simply needed to mail him $10 to cover the shipping on the winnings, I would be
Point is, spoofing someone into thinking that *any* communication (phone, fax, email, snail mail, smoke signals, whatever) is legitimate when it is not requires that it be innocuous seeming and have enough clues indicating authenticity that they would never question its legitimacy. It's not just putting on a Halloween mask and saying "I'm Papa Smurf!" -- you actually have to at least make the other person think that you are only 3 apples tall, blue, etc.
And another thing to point out is that people seem to have a lower threshold of trust for paper mail (because everyone knows you can't trust that dang in-ter-net), so perhaps it's easier to actually fool someone with it. In fact, that's my opinion, at least in business contexts.
Just thoughts,
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
I think California recently passed a law which treats digital signatures as legally binding. I'm not sure if this only applies to written digital signature (ie, when you sign on the UPS pad) but even if it does, it might provide a precident for using other forms of digital "signatures."
E-mail has its set of advantages over US Snail, consider the time it takes to e-mail someone on the other side of the continent, or across the world compared to the time it takes to send a hardcopy letter. As far as bills are concerned, I prefer mail, yes, you can have bills paid via electronic draft of a bank account: not a bad thing, fairly reliable. Now what about official legally bound documents? Two points that I whole heartedly agree with from previous posts are such that Digital Sigs and Encryption do need to be widely spread and accepted as everyday options before the postal service can be challenged, not only that, but who is to be the 'trust' for holding on to the table of data linking RealPeople(TM) to their digital signatures? The various governments need to rethink their policies on encryption, and we the users need to rethink it all as well: an envelope does not stop someone with prying eyes from viewing your mail. and someone determined enough to view your email most likely will--if it's the government or some nut who wants to know what your Visa balance is, it does not matter. Right now the technology is available, but the laws are not right for it. Besides, how am I to receive the care package from Mom and Dad...printing out that box of stuff just doesn't work, but then they could use UPS I suppose or FedEx ;) and yes, a physical card from Hallmark is so much more personal than the e-mail of birthday congratulations you could get...
Some day, I hope, every junior-high-school student will learn the basic cryptographic concepts behind PGP and its kin. Then, most people will know enough about cryptography to evaluate products that use published cryptographic protocols and shun products that don't. (I can dream, can't I?) Until then, most people will continue to trust ink on paper more than anything else, and the field of commercial cryptography will be littered with buggy software, snake oil, and Trojan horses.
send all spam to theotherwhitemeat@ropine.com
. . . discussed the reliability issue, particularly the reliability of delivery. And he suggested that snail mail was more reliable, based on a study he did sending a post card every day versus an email every day, for as month.
I think that snail mail is nice because it's non-electronic form forces a rather large infrastructure on anyone who wants to open, scan in, and archive/process all the mail out there. Although if they can pull off Echelon, they can pull off this. It's just harder, and less likely that they want to deal with all the issues.
In the case of "a nice birthday card," why not send the data portion electronically and use local physical printing and local delivery services? Such would reduce delivery cost and delay (and provide a greater variety of messages).
Borders, is appears, is experimenting with such a combination for books (though it seems they will ignore local-CD production and production of out-of-print books (books with insufficient demand to encourage publishers to do a full press run, but profitable with single-volume printing)). (This kind of publication has benefits for material that changes rapidly (e.g., books on technology or open-source software), material that has minimal copyright restrictions (public domain and open-licensed, but even single sub-licensor (as Borders plans to use)), and material with differing user-bases (e.g., many O'Reilly books and, of course, Linux distributions).
There are psychological barriers to all-electronic transmission. (See L.M. Bujold's comment (through Cordelia) near the end of Shards of Honor.) There are also cost limits to localization of production.
The same way you don't have to "buy" your signature, you shouldn't need to pay for a certifying agency to have your digital identity.
Then go to www.thawte.com and get a free certificate. They will verify your email address and give you a certificate for that address (it won't contain your name, because they can't verify that easily). They can also sign your PGP key, after verifying that you own it.
While snail mail will obviouly never go away completely, I think package shipping has pretty much got it made.
Snail mail is typically a delivery of INFORMATION, which can now be better done in other ways. With packages, you are sending a THING, and until some star-trekkish system goes into widespread use, more and more packages will be shipped through FedEx, UPS, etc.
I used to almost never have things shipped to me - I'd go buy them. But since I can now easily do price comparison shopping and find good deals online, I have ordered things shipped to me every week or so.
So THAT service is definately on the increase.
Vidi, Vici, Veni
Instead of nitpicking over the details of the current email system, look at the fundamental way computers can move - and authenticate - information.
You can be sure email was delivered and unread if you encrypt it, digitally sign it, and send it, and then get back an encrypted, digitally signed confirmation from the reciever that they got it.
This level of security and authentication could never be claimed by snail mail.
Vidi, Vici, Veni
The BIG issue is how to setup a widely accepted and standardized infrastructure for authentification and non-repudiation so everyone can talk to everyone. Europe is going there the European way : governement initiative. Germany is actively endorsing 3rd party escrows for public transactions. I also expect France to move there very quickly. By some way, the now defunct US gov Clipper initiative could have given a decisive lead in this domain to the United States. Too bad, those stupid suits couldn't help and make the system insecure to satisfy their egotistic paranoia.
I've been working with signatures and PKI at my company for more than two years now, and I've seen a lot of the things that kill it. There are three main reasons that the average joe doesn't want to have anything to do with it:
(1) The average user doesn't know what signatures or certificates are, or what they do (i.e. they're too obscure), so why do they care?
(2) Too complex and too much of a hassle (why pay Verisign or someone else for something that you'll probably never be able to use anyway). Most security UIs are overly complex, and no average user will want to deal with it. It is also difficult to manage certs. What if Alice wants to send an encrypted email to Bob, but she doesn't have Bob's cert? Without a lot of common LDAP servers and other such things getting people's certs will be a hassle, and so nobody but us geeks will bother.
(3) For those people who care enough to figure out the complexity, and deal with the hassles, there is still an issue of trust. How do I know that IE5's implementation of S/MIME is secure? They could be storing things on my system insecurely, or perhaps Netscape (even though it is open source, the security areas of the code are not) has a bad security implementation. Granted that I trust that once things hit the network, that they are secure because I trust the S/MIME and the involved algorithms, but on my own system I'm not so sure. If I was to be really paranoid about security, I would still use PGP (or my own custon S/MIME implementation) so that I knew that what was going on was secure. For the average user who can't (or won't) use PGP or their own software, trust is a major issue, and perhaps a roadblock.
So all of that being said, what can be done to fix it? There are three things (again, three, hmmmm...) that I think could move things a very long way.
(1) This is the biggest. Since good certificate systems usually tie a certificate to an email address, and you get your email address from your ISP, I think that if when you got your ISP account a certificate/keypair were created automatically (without much in the way of user interference), then things would be much easier. Like with all certificate authorities today, the keypair and cert request would be generated on your machine, and then sent to your ISP. They in turn would create your certificate, and send it back. Just as secure as todays systems, but the advantage is that it would happen automatically when you first set up the ISP connection (maybe custom software from the ISP?). Imagine if ISPs acted as certificate authorities (or proxies for CAs) (listen up AOL). If that happened, most people with home internet accounts would have certificates. This is the most crucial thing: making sure that everybody has a certificate/keypair, and that there is no hassle for the user in getting this. If this service were part of the cost of the ISP connection, it would be no big deal. (Verisign charges something like $10 for their basic level 1 cert, and that works out to less then a dollar/month, so it wouldn't be too expensive for ISPs I wouldn't think, especially if they only acted as secondary CAs and didn't have to handle the physical security of a root cert)
(2)Biometric security devices standard as part of new computers. This isn't totally necessary, but it has the potential to make things a lot more secure in general. If I remember right, Compaq started shipping a thumbprint scanner with one of their lines sometime last year. If this became common (or if smartcards to store keypairs became common), security would mean a lot more.
(3) If a big name like the USPS, or Verisign got involved with being a central repository of certificates (using LDAP or whatever) and application developers made lookups to this database invisible to the user, it wouldn't matter if you already had a cert or not. Your application could simply fetch it from the repository if you didn't already have it. On a similar note, if a body was formed to certify products as secure, that would also help. If I knew that some trusted thrid party had verified the security of Netscape's, or Microsoft's, mail programs, I would feel a lot better about using them. I suspect other users would feel the same.
In the end, the answer is: security will be used when all the average John (or Jane) Doe has to do is click the Signing or Encryption button on their outgoing mail, and the rest is taken care of for them. If security is supremely easy to use, then everybody will use it (there will be no reason not to).
Impossible = A fun challenge
people once declared the death of books when TV came along, but there are more books sold now than at any other point in history. people once declared that pocket calculators were dead when personal computers became available. yet computers have not displaced the pocket calculator. there are more calculators in use now than when they were invented. i am pretty well living a paperless existence. i use email for business, and for rapid correspondence with friends and family. yet, when i want to send someone a letter that is important to me, i will type it out on my computer, and then transcribe it onto paper BY HAND. why? simply because it is more special when you know someone has taken the trouble to write you something by hand. for work, this personal touch is not called for. but for my friends, its a way of saying that i care enough to give them an original piece of handwritten correspondence. its says that i took time and sweated over what i wrote them without the option of a backspace key. a handwritten is simply more trouble to produce. and sometimes this very trouble is worth the aggravation, because the medium itself tells something about the message. the more prevalant rapid-efficient electronic communication becomes, the more special it will be to recieve a handwritten message from someone personally. that is why old mail will never die.
In the case of "a nice birthday card," why not send the data portion electronically and use local physical printing and local delivery services?
If I were to send a card like that, it would certainly be a tangible object that the recipient could hold and put on his or her mantelpiece. There's still one problem though - I'd be unable to sign the card. The recipient would get a nice, freshly-printed card with my greeting on; but, without my illegibly-scrawled signature, it's missing the personal touch. Well, I think it is, anyway. Maybe I'm overly-sentimental about such things.
letters are much more personal, especially hand-written ones. i get flooded with near a hundred email messages a day, mostly from mailing lists, but many from friends or project partners or whomever. so when i get a nice hand-written letter--with either illegible chicken-scratch (like my handwriting) or nice big, smooth, loopy, pretty cursive (which only girls seem to have a natural talent for)--it really makes my day. i like to think others feel that way too. and to that end, i try to write a nice, thoughtful letter everyonce and awhile to friends that i don't see that often. sure, e-mail would work just fine, and be quite a bit quicker, but it just isn't as personal.
in short, i agree completely. regular postal mail is definately more special. and that is why e-mail will never completely replace it.
"onward!" cried the copper man, little knowing brass corrupts...
The discussion about email security and authentication is interesting, but I don't see the need to extrapolate the consequences to THE END
OF SNAIL MAIL. Snail mail has distinct advantages, like the fact that all you need is a pen, paper, and a stamp. Until we live in a Star-Trek world where money is abolished, not everyone is going to
have instant access to a computer all the time.
Besides, why should you need something as complicated as a computer to write something as simple as a letter? I love email, but the option
of just writing should always be there. Technology is supposed to help us, but there's no advantage to becoming completely dependent on it (even though modern society IS dependent on it - I'm just saying that dependence is a by-product, not a goal).
Finally, I don't personally consider email to be very permanent. I've lost lots of mail when I've changed schools, just because I left it on some account somewhere. I only bothered to translate about half my mail from one email program to the other when I made my last big switch. It's not always trivial to read documents that were written several years ago, purely because programs change their file formats all the time, and not every translator is 100% effective. I'll never have to worry that my eyes won't be compatible with the letters on a printed page (unless I go blind, but that's a different story).
In short, I don't think printed mail will ever be obsolete.
What about those lovely care packages from mommy and daddy. what about all that lovely hardware we order from the net...so until we get those cool printers like on the commercial that can print out physical items...snail mail will stay. I did read about something in wired that said that e-mail comprises about 50% in like 94 where in 84 snail mail was that much plus some.
JediLuke
JediLuke
-Do or Do Not, There is no Try
I think it will probably take a long time before snail mail is replaced. Besides the authenticity issues, there is also issues of regulation. If we start making email authentic, it would start being regulated by someone like the USPS. So what happens then? If someone was stuffing a 100 envelopes in your mail box, or reading your snail mail, it would probably be a Felony. It sure would give more of a reason to charge people who messed with your email or authenticated online materials. :)
People, their what's for dinner.