Cryptography Mailing List 2016
There is a common misconception that we have to dump in order to make progress. It's the idea of "transparent security" in relation to using the internet.
Some people think that, in order to provide secure email to ordinary users in a way that they will actually use it, all change has to go into the infrastructure, not into the endpoint facing (and including) the user. People should do essentially the same thing they do today, but also be secure because an improved network in future (PKI that works, bullet-proof protocols that have been fixed, servers that provide encryption, etc.) will take care of the security they need. Users don't play any role in providing this security; it is transparent to them. If it happens, it happens because experts have ensured it's there and works.
In this view, the user's contribution to security, and also their responsibility, is close to zero. I'm quite sure this is *not* the way secure and usable email will become a reality.
With zero involvement in the security of his email, the user has zero reliability too. The obvious conclusion is that "using the secure system" cannot be "as easy as using the insecure one".
If we can determine what the user's indispensable role is, i.e. what the technical solution can expect the ordinary user to do before he might be deterred from using it because of its complexity, we can also determine what a secure and usable email system will look like.
I may be wrong, but these are the basic requirements in my opinion:
Prologue: Secure means authenticated and confidential message exchange. The two persons that exchange messages using the system must be reasonably sure that each message they receive was created by their correspondent and will be visible only on both screens connected to these people's endpoint devices and not anywhere else. This does not (necessarily) include secure storage of the information received nor the invisibility of their exchange. Every user of a secure and usable email system must have the ability to
1) accept or dismiss the secure exchange of messages, deliberately.
2) actively enable a secure exchange with a particular correspondent.
3) prove that all the messages leave his endpoint device properly encrypted.
These are three abilities to control the system that the user must have to develop trust in its reliability.
If a user cannot control (1), the system would continue to "secure" the communication under circumstances where a compromise of a system has become obvious. A user must be able to stop the exchange with selected correspondents that have become unreliable, malicious or "hacked"; he must be able to pull the plug.
If a user cannot control (2), he cannot guarantee that only his own decision makes the secure exchange possible. Without this control, the message exchange may be readable by a number of other third parties in addition to the intended recipient. The initiation of the secure exchange must rely exclusively on what the user does at the beginning of an exchange. Once initiated, the system can change encryption keys as needed, but the system cannot take the initiation out of the user's hand.
If the user cannot control (3), nothing can convince him that the intended protection actually happens on his endpoint device using authorized initiations by components that can be audited to do what they should do and nothing else. Without this control, which includes physical control of the device(s) a user needs to understandably produce the intended protection, secret information can easily be leaked to network devices outside his control.
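As an added illustration (not code from the post or from any project it refers to), the following sketch models the three controls (1) to (3) as a policy layer that sits in front of a mail client. Initiation of a secure exchange exists only as an explicit user action; the system may rotate keys for an exchange the user initiated but has no way to start one; the user can dismiss a correspondent at any time; and an outbound gate checks that everything handed to the network is a sealed envelope. All names, the envelope marker and the addresses are constructed for the example, and the cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) is a demonstration construction chosen so the example runs with the Python standard library, not a recommendation for real mail.

```python
# Added example: the three user controls as a policy layer (constructed, not the post's code).
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

MAGIC = b"SECMAIL1"  # constructed envelope marker, not a real wire format
NONCE_LEN, TAG_LEN = 16, 32


class PolicyError(Exception):
    pass


@dataclass
class Correspondent:
    address: str
    fingerprint: str       # assumed to be verified out of band by the user
    key: bytes             # current message key
    state: str = "enabled"  # "enabled" or "dismissed"
    generation: int = 0    # incremented on every key rotation


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration keystream: HMAC-SHA256 used as a PRF in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """MAGIC || nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, MAGIC + nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + ct + tag


def open_envelope(key: bytes, wire: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise on any malformed or tampered input."""
    if not wire.startswith(MAGIC) or len(wire) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        raise PolicyError("not a sealed envelope")
    nonce = wire[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ct, tag = wire[len(MAGIC) + NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, MAGIC + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PolicyError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def assert_encrypted(wire: bytes, plaintext: bytes) -> None:
    """Control (3): an independent outbound gate the user (or an auditor) can rely on.
    It checks the envelope shape and that the plaintext is not visible on the wire
    (the substring check is a heuristic; it is meaningful for plaintexts of a few bytes or more)."""
    if not wire.startswith(MAGIC):
        raise PolicyError("outbound gate: message is not in a sealed envelope")
    if plaintext and plaintext in wire:
        raise PolicyError("outbound gate: plaintext visible on the wire")


class SecureExchangePolicy:
    def __init__(self) -> None:
        self._peers: Dict[str, Correspondent] = {}

    def user_enable(self, address: str, fingerprint: str, user_confirmed: bool) -> Correspondent:
        """Control (2): the only way an exchange is initiated is a deliberate user decision."""
        if not user_confirmed:
            raise PolicyError("secure exchange not enabled: user did not confirm")
        peer = Correspondent(address, fingerprint, key=os.urandom(32))
        self._peers[address] = peer
        return peer

    def user_dismiss(self, address: str) -> None:
        """Control (1): the user pulls the plug; the key material is dropped."""
        peer = self._peers.get(address)
        if peer is None:
            raise PolicyError(f"no secure exchange with {address}")
        peer.state, peer.key = "dismissed", b""

    def system_rotate_key(self, address: str) -> None:
        """The system may change keys for an initiated exchange, but there is
        deliberately no system_enable(): initiation stays in the user's hand."""
        peer = self._peers.get(address)
        if peer is None or peer.state != "enabled":
            raise PolicyError(f"cannot rotate key: no active exchange with {address}")
        peer.key, peer.generation = os.urandom(32), peer.generation + 1

    def send(self, address: str, plaintext: bytes) -> bytes:
        """Return the bytes that may leave the device, or refuse."""
        peer = self._peers.get(address)
        if peer is None or peer.state != "enabled":
            raise PolicyError(f"refusing to send: no active secure exchange with {address}")
        wire = seal(peer.key, plaintext)
        assert_encrypted(wire, plaintext)
        return wire
```

The point of the structure is that `send()` has no plaintext fallback: if the user has not enabled a correspondent, or has dismissed one, the message does not go out at all, and the outbound gate is a separate function so that it can be audited on its own, which is what control (3) asks for.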
It is my firm belief that we cannot design a usable and secure system if we do not provide support for these three controls in a way that is as unobtrusive to the user as possible.
Now, what does a usable and secure system look like in technical terms, precisely?