Paranoid Penguin - Interview with Marcus Meissner
MB: Your team, of course, digitally signs its communications. But 17 years after Phil Zimmerman gave us PGP, only a tiny percentage of ordinary users employ any kind of e-mail encryption. Any thoughts as to why, and what to do about it?
MM: It's too hard to use and, more so, too hard even to understand why to use cryptography. “Why does Aunt Emily need to encrypt letters to her niece Tina? Who cares about them anyway? And, how do I do it?”
MB: Maybe the real issue here is identity management. We haven't yet figured out any kind of universal identification on the Internet, which is part of the problem space that PGP, S/MIME, x.509 and LDAP are all supposed to address. But the paradox is that although such an identification infrastructure would greatly simplify all sorts of security problems—single sign-on, directory services, encryption and the like—the technology itself is very complicated.
MM: Yes, definitely. Perhaps a hardware solution might help here—something that Aunt Emily and niece Tina could physically exchange and so would physically grasp.
One could imagine doing premade USB tokens that can be torn off a strip and distributed for every family member involved, in a size that fits in regular letters. Or, using cell phones to pass encryption keys back and forth, as everyone owns cell phones now.
MB: Any time you talk about centralized identity management in the US, for which the logical starting point is the federal government, the discussion gets very strange very quickly. Americans are reluctant to trust their government not to abuse this information (which is perhaps strange given that they've got all sorts of information about us already). Are things different in Europe?
MM: They are better. People trust the government more, because they already hand out our passports and ID cards. But, with the current government trying to enter into our privacy more and more, I think even in Germany we will see more mistrust.
MB: We've amply filled this month's allotted space with a very wide-ranging discussion indeed. Thanks so much, Marcus, for a thoughtful and fun conversation!
Novell's SUSE Security Team: www.novell.com/linux/security/team.html
Mick Bauer (email@example.com) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.