@ Nick P
>I think the solution is to have email clients clearly indicate the security status of the message.
7-8 years ago, I tried (and actually succeeded) to get my mid-sized (100-120 employees) company to mandate that all emails be sent with S/MIME.
Since everybody was using Outlook and email certs were available for free with a simple registration (can't remember which CA it was, but it wasn't Verisign or Thawte), I got everyone on board. I wrote a simple step-by-step howto, complete with screenshots, did 2-3 training sessions, and before you knew it (well, sort of) everybody was using it. No problems, and everybody was happy.
Well, for some time anyway.
After a year, when the certs expired, Outlook started popping up warning messages. And if there's anything C-level execs ABSOLUTELY HATE, it's worrying messages using technical language.
The problem was that &%*&% Outlook thinks that, when an email was signed with a now-expired certificate, the email is invalid/dangerous/scary/whatever.
WHY THE %*&%&* WOULD IT THINK THAT? THE CERTIFICATE WAS PERFECTLY GOOD ***WHEN THE BLOODY MAIL WAS SENT***. OF COURSE IT'S NOT VALID AFTER ITS EXPIRATION DATE, THAT'S WHAT IT'S THERE FOR.
I got blamed for this failure, had some horrible meetings, and of course the project was quickly abandoned.
I've always wondered how other email clients treat the same issue. Is it just MS nonsense?
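The two policies the comment contrasts, as an added example that is not part of the comment above and is not the code of Outlook or any other mail client: a signing certificate is checked either against the reader's wall clock (so a signature made inside the validity window fails once the certificate expires) or against the time the message claims it was signed. Everything here is constructed for illustration: a self-signed ECDSA certificate stands in for a CA-issued S/MIME cert, and a plain signature over the body plus the signing time stands in for real CMS/S/MIME encoding. The one real detail is Go's `x509.VerifyOptions.CurrentTime`, which is the knob that decides which of the two policies you get.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer: a hypothetical S/MIME-style identity (constructed for this example).
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// SignedMessage stands in for an S/MIME message: body, claimed signing time
// (the CMS signingTime attribute) and a signature covering both.
type SignedMessage struct {
	Body      []byte
	SignedAt  time.Time
	Signature []byte
	Cert      *x509.Certificate
}

// NewSigner issues a self-signed EmailProtection certificate for the window.
func NewSigner(notBefore, notAfter time.Time) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "alice@example.test"}, // assumed name
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor here
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// digest binds the signing time to the body, so the claimed time cannot be
// moved later without invalidating the signature.
func digest(body []byte, signedAt time.Time) []byte {
	h := sha256.New()
	h.Write(body)
	h.Write([]byte(signedAt.UTC().Format(time.RFC3339)))
	return h.Sum(nil)
}

// Sign produces a message claiming to have been signed at `at`.
func (s *Signer) Sign(body []byte, at time.Time) (SignedMessage, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest(body, at))
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, SignedAt: at, Signature: sig, Cert: s.Cert}, nil
}

// VerifyAt checks the signature, then validates the certificate as of `at`.
// Passing the reader's wall clock is the behaviour the comment complains
// about; passing msg.SignedAt judges the certificate when the mail was signed.
func VerifyAt(msg SignedMessage, roots *x509.CertPool, at time.Time) error {
	pub, ok := msg.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	if !ecdsa.VerifyASN1(pub, digest(msg.Body, msg.SignedAt), msg.Signature) {
		return errors.New("signature does not verify")
	}
	_, err := msg.Cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

// VerifyAtSigningTime is the policy the commenter argues for, plus the one
// sanity check it needs: the claimed time must not lie in the reader's future.
func VerifyAtSigningTime(msg SignedMessage, roots *x509.CertPool, now time.Time) error {
	if msg.SignedAt.After(now) {
		return errors.New("claimed signing time is in the future")
	}
	return VerifyAt(msg, roots, msg.SignedAt)
}

// IsExpiredError reports whether err is specifically a validity-period failure.
func IsExpiredError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

func main() {
	issued := time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	signer, _ := NewSigner(issued, issued.AddDate(1, 0, 0))
	roots := x509.NewCertPool()
	roots.AddCert(signer.Cert)
	msg, _ := signer.Sign([]byte("Q3 numbers attached"), issued.AddDate(0, 6, 0))
	later := issued.AddDate(2, 0, 0) // the mail is reopened a year after expiry
	fmt.Println("wall-clock check:   ", VerifyAt(msg, roots, later))
	fmt.Println("signing-time check: ", VerifyAtSigningTime(msg, roots, later))
}
```

The caveat a practitioner will raise: the signing time is under the signer's control, so someone holding a leaked key for an expired certificate can backdate a forgery into the old validity window. Checking at signing time is only as strong as your confidence in that timestamp, which is why long-term signature validation pairs it with a trusted timestamp or with the time the message was received and archived, and still consults revocation data for the signing period.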
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.