Re: EmailSigning feedback

On 10/1/12 11:37 AM, Jürgen Jakobitsch wrote:
> hi,
>
> thanks, i'm clear about that, thing is that i would like to have signed
> mails a "green" footer in most cases anyway. i already had feedback from
> people who were not able to open my signed mails and i'm thinking about
> not scaring people if there should be some sort of viral effect.

We have the following choices:

1. leave people scared and in the dark
2. enlighten them about what's amiss re. identity and eventually privacy.

We have to turn these miscues into triggers for knowledge exchange.

> i don't
> want my signed mails to be rejected or deleted by someone who just
> doesn't know that it has no meaning.

So you can explain to them the value of clicking on the scary icon. For 
example, copy and pasting the WebID into their browser (since most email 
clients you treat the WebID as an actual live link) .


> i also don't want to change my
> email signature to include an argument about why an "invalid" or "not
> trusted" certificate doesn't really matter.

Correct, no need for that.

>
> i just started a small survey in our company per email, with some
> questions like :
>
> -do you notice at all, this email is signed
> -does it look invalid, not trusted
> -if yes, does this scare you somehow

They are all scared. That's why they are all under the control of broken 
email clients and dysfunctional PKI. Net effect, we have social network 
silos emerging around what's already addressed by existing open 
standards :-(

Kingsley
>
> will report back
>
> wkr turnguard
>
>
>
>
> On Mon, 2012-10-01 at 11:05 -0400, Kingsley Idehen wrote:
>> On 10/1/12 9:12 AM, Jürgen Jakobitsch wrote:
>>> apparently this whole emailSigning thing not so easy and there is a
>>> plethora of "reactions" from different email clients.
>>>
>>> maybe we should set up a wiki-page with a matrix of the creation process
>>> and the experiences with different mail clients to come up with a
>>> solution that suits most people.
>> I wrote a number of howtos [1] for all the major email clients due to
>> what you outline above. Sadly, the world of PKI exploitation has been
>> turned on its head by the overbearing nature of those in the CA business.
>>
>> In the world of eCommerce, 3rd party verification of vendor identity is
>> crucially important. Sadly, that's a single use-case pattern that's come
>> to cloud (obscure) the entire realm of PKI exploitation as you are now
>> experiencing with inconsistent behavior across S/MIME clients.
>>
>> For social networking, 3rd party identity verification doesn't have to
>> follow centralized CA pattern. In short, therein lies the fundamental
>> essence of the WebID authentication protocol. Even without adding the
>> requirement for IdP's to generate certificates with the issuer/signer's
>> WebID in the Issuer Alternative Name (IAN) slot, it is still possible to
>> ignore email client behavior en route to looking up the WebID that
>> watermarks a senders certificate. This is base #1, the first step.
>>
>> Beyond the basics above, without the tedium associated with writing
>> plugins for each email client, it is possible to incorporate WebID into
>> IMAP4 which enables smart organization of mailboxes. This is what I'll
>> demonstrate next as we've implemented this feature a while back as part
>> of our exercising the practical utility of WebID within the context of
>> existing protocols.
>>
>> Links:
>>
>> 1. http://bit.ly/U9tvcP -- various G+ howtos for different email clients .
>>


-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen