We already have two end-to-end email security schemes, PGP and S/MIME. Both are great as far as the security properties go. Neither is acceptable from a usability standpoint. They are tools written by geeks for geeks. They don't meet the 'iPhone' level of usability.
So I have spent the past four months looking at ways to fix this. I think that we are far closer than people imagine. The good news is that we can have a system that is:
- Frictionless: it takes absolutely no more effort to send mail encrypted than without encryption. Sending email encrypted can now become the default.
- Unencumbered by patent or IPR claims (to the extent that this is possible these days)
- Backwards compatible with 95% of existing email clients through use of an outbound mail proxy on the same host.
- Supports Enterprise and Individual use.
- Does not require reliance on trusted third parties (but allows them to add value).
- Supports legacy PGP and S/MIME deployments.
I am currently working on converting the prototype code base, which was written in C# for speed, to C so that it is easier for people to add support into mail clients directly.
There is a series of podcasts in preparation, the first one of which is here:
I am aware that people may not agree with all my design decisions, and so I have divided them into two parts: 'plumbing' and 'research'. The 'plumbing' choices either don't matter (except that a sensible choice be made) or are entirely constrained by the legacy base. Whether the research part is right will only be known after deployment. The code is structured so that multiple research groups can make use of the common 'plumbing' platform. Supporting the 'plumbing' platform will also enable the client for OpenPGP at the same time.
To deploy any email security infrastructure we eventually need to add native support to every email client. That is a huge barrier for researchers. Sharing that effort between research groups makes it much more likely one of us might succeed.
If people want to get into cryptography work, implementing the plumbing platform in an email client would be a great way to start. Also, I need someone to re-implement the key manager, since any platform like this should have more than one set of eyes looking at the code and more than one set of code.