From: geoff@commtouch.co.il (geoff)
Date: Sat, 10 Aug 1996 01:15:06 +0800
To: provos@wserver.physnet.uni-hamburg.de
Subject: Re: PGP Mailer for the masses ?
Message-ID: <19960809124443785.AAA218@[194.90.103.93]>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

To: provos@wserver.physnet.uni-hamburg.de, coderpunks@toad.com,
 cypherpunks@toad.com
Date: Fri Aug 09 15:56:37 1996
Niels,

Thanks, for describing the features of Pronto Secure :)
This is how Pronto Secure matches up to your checklist:

> Here is just a short list what such a programm should be able to
>  do: ( all options should be optional ;)
> 
> Sending Mail:
> - Clear signing of outgoing mail
YES

> - If public key of recipients is known encrypt with those keys
YES

> - If there is access to a public keyserver try to get a public key
>   for the recipients
YES

> Receiving Mail:
> - While reading mail ( similiar to premail ) try to check existing 
>   signatures if public key is available otherwise try to get 
>   public key from server
YES (do on the fly signature checking as mail arrives in inbox)

> - Traverse the web of trust and show how the public key is
>    related to one own keys to mutual signatures on other public keys
>    ( For example mean distance to a key signed by the recipient
>    himself )
NO  (we handle certification by allowing the user to modify a list of  
    trusted certifiers for signing keys)

> - If the mail contains a public key add it to the keyring
NO  (Key is shown as an attachment icon double click on it adds it to  
   the keyring)

> - Don't show pgp blocks in Mail since they might confuse
YES

> Keymanagement:
> - Should be integrated in the addressbook together with E-Mail
>   Address and name.
YES

> - Keys should be imported via generation or via mail or via a file
YES (or the clipboard)

> - If you have a public key without an entry in the addressbook
>   take the EMail and Name from the public key
YES (or prompt user to supply address)

> - One should be able to sign the keys during import if origin is
>   known
NO  (signing keys is a separate process. This gives the user an     
opportunity to authenticate on another channel)

> Misc:
> - Passphrase should be kept in memory for a definable time, 0 for
>  immediate deletion, thus you would be prompted for the passphrase 
>  each time you use it. Question about Windows Swapspace ? or tag the 
>  memory as uncacheable ?
NO (Keyboard sniffing is too easy to do in Windows, This would give    
   a false sense of security)

> I would suggest creating a library with seperate io and gui parts in
> order to motivate peeple in helping who do not want to support 
> mainstream products like Windows. Like taking the PGP 3.0 lib ( is it 
> out yet ?) and modify it a bit.
YES (Separating UI from security functionality is also the right       
   way to go for offering plug in security providers)
 
> Since there are a variety of good functioning mailers available
> already it wouldn't make sense developing the whole stuff but instead 
> only integrate the library into existing products.
NO  (It will not be an easy task to design a general library of UI    
   elements that any mail client will be able to seemlessly plug into.)

> Do you think that such proposal is senseable and that there are
> people who would be willing to support the idea with programming 
> affords ?

It exists. Plus a few additional features not mentioned, and a much 
longer wish-list in the process of being implemented.

Check it out. It is available from http://www.commtouch.com/p1.htm

IMPORTANT: COMMTOUCH WILL GIVE A FREE COPY OF PRONTO SECURE TO ANY 
MEMBER OF THE CODERPUNKS/CYPHERPUNKS LISTS SUPPLYING USEFUL FEEDBACK 
ABOUT THE PRODUCT.

The impressions of early users of Pronto Secure can be viewed at: 
http://www.commtouch.com/testers.htm (many of whom are list members)

Regards, Geoff.



- ---------------------------------------------------------------
Geoff Klein, Pronto Secure Product Manager;   www.commtouch.com 
My PGP public Key 1814AD45 can be obtained by sending a message
to geoff@commtouch.co.il with "Get PGP Key" as the subject.
- ----------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBMgs1ikLv5OMYFK1FAQGe/gP/RdXtVIwo7aupkJn6X4VNTuNHHymPf9fJ
k7FAsONAAP9qbr4UaWzJXxWuvmxLgt5gsMpk6yzp6vY80krQqPf6SqphW7FOjGTq
PB05bNLDHm9SRGjVvKRHzGbOr094gkFpeso2C3MeMiDbT0J5gsLJOeMJsIb4NW2A
lHZ6e+o535w=
=R2jc
-----END PGP SIGNATURE-----