An interesting side-effect of web-based mail: non-repudiation

The thing about web-based mail is that you can't mess with the data. If you run you're own mail server, you can mess with the data. This is actually a very good reason to use webmail, even if you have the skill and desire to run your own webserver. Indeed, if you get in the habit of sending signed messages, it's even better.

Of course, privacy is very good reason to NOT use webmail.

There is an elegant solution that allows one to have both: encrypted web mail. FireGPG is a wonderful little plugin that modifies the gmail interface so that you can sign, encrypt, or sign & encrypt outgoing email.

The only drawback is that your recipient has to know how to deal with such messages, which is a nontrivial problem. (even with nice tools like GnuPG, FireGPG it's a tough row to hoe. PKI (public key infrastructure) is difficult for people because not only does it require the installation of special software, but it absolutely requires that they have some bits with them (their private key) and remember a password (to unlock the private key). There can be no "I forgot my password" function in the system (at least, AFAICT).


P.S. Solving the PKI adoption problem is bound to be more social than technical. However, one could go a long way by a) pre-installing PKI tools in operating systems and web interfaces, b) offering hosted private keys (very safe if password is strong), and c) reducing the number of passwords people have to remember to 1 and making sure that they never forget it (which really helps achieve b), too).

No comments: