Encryption: OpenPGP vs Digital ID

Note: Since writing the article below I’ve found that many things I wrote were incorrect. I have corrected them here.

From time to time I think about email security. We don’t tend to think about it much, but our email is essentially like sending a postcard – it’s in the open and anyone with the right tools can read it. The answer is encryption, but these days it’s easy to feel as though using encryption is somehow wrong, as though we have something to hide. Well, we do have something to hide, and there’s nothing wrong with that. It’s called having privacy.

Anyway, so I’ve got a bee in my bonnet to encrypt my email. This is one heck of a lot more complicated that you might think, because there are a lot of places and ways I get email:

  • On my machine at work, via Outlook and also via Fastmail’s web interface – Fastmail rocks, by the way.
  • On my machine at home, again via Outlook, synchronized via VPN with work, and also via Thunderbird and web interface to Fastmail.
  • On my Palm, using Snappermail.
  • On my machine at home using Linux, via Thunderbird.

So far, I’ve learned the following about two approaches: OpenPGP and Digital ID. Incidently, OpenPGP is available as both freeware and commercial products. The commercial version has the most sophisticated approach (uses a web proxy) and the smoothest interface, but is $100 (although free to use in a limited way for non-commercial use). The rest are free.

Digital ID is not available as a separate product. Instead, the funtionality is built in to just about every email app out there. However, it doesn’t do file or disk encryption, where OpenPGP does.

Cost of Keys. OpenPGP is zero, Digital ID’s range from free to expensive depending on the features desired. Thawte does it for free, Verisign wants $20/year for a “Class 1” ID. ID’s are burried sufficiently well on the Verisign site that I couldn’t find anything past Class 1. When you consider that Digital ID’s are good only for a single email address, this could be more expensive yet.

Ease of Key Management. OpenPGP keys are portable, support multiple User ID’s (email addresses) and work with any OpenPGP application. They can be stored on a USB drive for more security, and since you create them no one else has the private key for even more security. You can change the password on the key at will. You can add User ID’s at will. You can revoke it, and un-revoke it (via a backup). All of this can be done using a key management application which facilitates this pretty well. It also make searching for public keys for others much easier via keyservers.

None of this seems to be possible with Digital ID – at least, I can’t find how to do it. Digital ID keys are application specific (at least, when getting one you have to specify what application you use) and User ID specific, so if you have three email addresses that’s three keys you’ll need. Getting a key means going to a site and either requesting or buying one. The ID/key (both private and public parts) is created and then sent to you. The downside is that someone else has the key, the upside is that if you lose it, you can get it back pretty easily and don’t have to worry about backups.

I haven’t yet experimented to find out how application specific the Digital ID’s are, but I had to kind of cheat the system to get one on my Linux system – it kept downloading it into Firefox. I can’t imagine why because FF has no email capability. Anyway, I had to export it and then import it into Thunderbird because the Verisign site had no “Download for Thunderbird” button. Here’s the funny part: In order to export, you have to enter your password twice. I don’t know why on earth it’s necessary to enter it, let alone twice, since you need the password to use it, but there you go. Then, when you go to import it into another program it asks you to create a new password! Sheesh!

A thing about passwords: OpenPGP takes them very seriously, and even calls them passphrases to encourage people to make them long and truly strong. Mine is over 15 characters, and it still wasn’t considered strong. The Digital ID folks, on the other hand, don’t seem to care other than to put a short blurb about how it shouldn’t be a word, and should have numbers and punctuation.

Ease of use. Digital ID has the upper hand here because it is built in to Outlook and just about every other email application. OpenPGP can be installed in such a way that it’s very painless for users, but that really only works in a multi-user environment. The other OpenPGP-based methods are not painful to install, and are fairly easy to use once you understand what they do, but for users who are encryption-ignorant and want to stay that way it’s not the smoothest.

However, if you are using Thunderbird, and if you are using POP or IMAP you should be, you can get a really slick extension called Enigmail. It’s very, very nice.

Long term workflow integration. The real trick is not to send and receive a few encrypted emails. The trick is for it to be part of the overall communication system over the long haul, and here OpenPGP rules.

Digital IDs expire and have to be replaced. This happens more or less automatically, but it means that email from 4 years ago will require a key from 4 years ago to read. That could be 40 keys ago. More if you include more User IDs, more email systems, etc.

In OpenPGP it would be one key if you like, or more if you like. You can make a copy, put it on a CD, stick it in a safety deposit box and rest assured it will work when you need it to.

Mobile Applications. PGP Corp used to make PGP Mobile, but it’s no longer available. I hope they’ll put it in the public domain. There is a freeware version, but it is not compatible with later Palm OSs.

There is an app or two available for Windows Mobile – one I’ve seen just creates a console to use the command line version of PGP on.

I don’t believe, but someone please correct me, that either support Digital ID.

I’ve chosen OpenPGP for now. Since I have the old PGP Mobile for Palm, it provides a nice palm solution. It’s also included in Linux, and is available in so many apps there’s bound to be one that fits. Last but not least, key management while a little daunting at first is much better.

I tried the 60-day trial for Verisign, and for my work stuff it seems ok. The problem is that moving it to any other system is a misery and even so it’s not going to work with any other email address. It’s also $20/year, which isn’t much for a single address but starts to mount when you consider 4 or 5. I thought for a while that I would use Digital ID for work stuff because it’s so well integrated into Outlook and exchange, but the key management is so obscure I don’t think I could reliably explain to anyone how to get to my mail after I left. OpenPGP will be much easier.

So why aren’t these solutions more widely adopted?

I think the fundamental problem is that as much as we care about our privacy, we don’t care enough to use the tools required to preserve it on the internet. After all, the threat is invisible – where an envelope shows evidence of being opened, an email does not. I suspect that the only market for these tools exists in large corporations and the government, and therefore the marketing and support is non-existent. Nearly so, PGP Corp. does a pretty good job of educating people who seek to be educated.

I don’t want to sound like some crazed guy from the backwoods of Montana, but I’d like to ask a favor: Pick one and use it. If we don’t use this stuff, someone in Washington will get the idea we don’t need it. We do. ID theft is still mostly a paper-based thing, but it won’t be forever. We can either have encryption now on our own terms, or later on someone else’s. You choose.

7 thoughts on “Encryption: OpenPGP vs Digital ID

  1. We also need to make sure our POP/SMTP/IMAP servers use ssl(or some form of transport encryption) either that or you are sending your password in the clear every 10 minutes when your Outlook checks the mail automatically. You are also downloading the entire email messages in the clear if your server does not use ssl.

    If you are interested to see how many of your passwords (and other info) go thru the clear download ethereal and scan your network.

    I also like the Thawte Web of Trust idea for personal certificates. You have to meet up with another trusted Thawte WOT member and have them verify your identity and they give you points based upon how well you proved your identity.

    I ended up going with PGP Corps product because it allows you to create mountable encrypted disk images which I store my passwords in. It was also the only product that integrated with Apple’s Mail.app without having to go to the command line.

    Like

  2. Hey Mike – thanks for the response, and the tip about Ethreal, I will definitely check that out.

    The web of trust is also part of the PGP system although nobody uses it. In theory, you should not be using a public key unless it’s been verified to come from the person you expect to. Once that is verified you sign the key using your own, and then upload that to the key server. As your key collects signatures, and each person assigns trust to it, it become a more trustworthy key. Really the same thing, I think, as you’re talking about.

    Anyway, thanks again for stopping by!

    Like

  3. “It was also the only product that integrated with Apple’s Mail.app without having to go to the command line.”

    This is not entirely correct. Mac GnuPG integrates with Mail.app without having to go to the command line.

    Like

  4. I use a product called Taceo for encrypting and adding Rights Management controls (such as “Read only”) to my email. I like the product because I don’t have to manage keys and neither do my recipients. Moreover, it is free. If you’d like to check it out go here:
    Taceo

    Like

  5. I support about 40 executives in a 50,000 strong corporation in an email encryption proof of concept.

    I just wanted to correct a misunderstanding. When you go to a website to order a digital certificate, it is not the website that generates the key pair. It is the crypto provider on your pc.

    One of them is arbitrarily selected as your private key and stored on your machine’s certificate store, while the other (public) is sent to be included in a certificate where it is tied to your rmail address and signed by the CA. The CA essentially certifies that this is genuinely your public key, and not someone pretending to be you.

    The CA never ever sees your private key.

    Hope this helps.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s