10. September 2014
Bill Volz
Privacy , SMTP
Since there is a lot of talk and work recently on email encryption I thought I would attempt to list the requirements. These requirements are a combination of things that I would want and some things that others have asked for.
- Easy to use - Everybody and their Grand MOM should be able to use it. That means it shouldn't take 20 minutes to apply for and setup keys and certificates.
- TKO (Trust No One) - There can't be any organization responsible for holding encryption keys. All keys need to be generated by the client and never leave the client.
- Key Negotiation (Perfect Forward Secrecy) - No key should be able to decrypt a message after the fact. That fact that your machine and key is compromised it shouldn't be able to decrypt all your messages from the past.
- Meta data protection - Headers must be encrypted. The email headers can reveal a lot of information in addition to the Sender and Recipient information.
- Key Management - Keys need to be revoked and updated. Losing your private key shouldn't mean you lose all your messages.
- Compatibility - Should be able to work with most existing mail clients. Without compatibility you will not get everyone on board.
- Spam Free - Spam filtering techniques need to be leveraged to block unwanted encrypted emails. These need to work as well as those available today on non-encrypted email.
- Standardization – There needs to be a single agreed upon standard that allows all mail clients to compatible with each other.
As you can see some of these are tuff requirements while some seem to contradict each other. There is going to be a long road ahead for those attempting to standardize this.