Germany Builds Encrypted, Identity-Confirmed Email

CmdrTaco posted more than 3 years ago | from the wo-ist-jones dept.

Government 188

jfruhlinger writes "Looking to solve the problems of spam, phishing, and unconfirmed email identities, Germany is betting very, very big. The country will pass a law this month creating 'De-mail,' a service in which all messages will be encrypted and digitally signed so they cannot be intercepted or modified in transit. Businesses and individuals wanting to send or receive De-mail messages will have to prove their real-world identity and associate that with a new De-mail address from a government-approved service provider. The service will be enabled by a new law that the government expects will be in force by the end of this month. It will allow service providers to charge for sending messages if they wish. The service is voluntary, but will it give the government too much control?"

No end-to-end encryption though (4, Interesting)

Anonymous Coward | more than 3 years ago | (#35388326)

As far as I've read, they decrypt messages in the middle "to check the messages for viruses".

Re:No end-to-end encryption though (4, Insightful)

moonbender (547943) | more than 3 years ago | (#35388408)

Yup. Sounds like a bad joke right? A new messaging standard, incompatible with everything else, that doesn't even do end-to-end encryption! It's pathetic. It purports to solve problems that are already pretty much solved -- spam, reliable delivery -- while not solving all the difficult ones and introducing new dangers for the customers, like missing a "registered email". Oh, and you'll be charged per mail! The worst outcome would be if people ended up using it, but at this point I'm guessing it'll be a huge dud; some government entities will support it, as will a few corporations, but that's it.

Re:No end-to-end encryption though (0)

Anonymous Coward | more than 3 years ago | (#35388474)

What did you expect? The same people thought this [slashdot.org] was a good idea (like "world-leading data privacy" good).

Re:No end-to-end encryption though (1)

somersault (912633) | more than 3 years ago | (#35388616)

Spam has not been solved, just covered up. It is a pointless waste of incoming bandwidth and server power (if you do your own filtering). This would do nothing to stop spam either, it doesn't matter if you know the identity of the sender if the sender's machine is a zombie. There will always be more idiots with compromised machines.

Re:No end-to-end encryption though (1)

rotide (1015173) | more than 3 years ago | (#35388750)

Until any email to _any_ government agency (applications for services, jobs, taxes, etc, etc, etc) _requires_ you use this service..
Until any company wishing to do business with the government is _forced_ to use this service to keep their contract..

There are ways to make sure it's not a "dud", if they are willing to make the laws, and it sounds like they are.

Re:No end-to-end encryption though (2)

divisionbyzero (300681) | more than 3 years ago | (#35388844)

The worst outcome would be if people ended up using it, but at this point I'm guessing it'll be a huge dud; some government entities will support it, as will a few corporations, but that's it.

I don't think they will be so lucky. I'd bet the government will require it for some communication and account access. Over time it will become more inconvenient to have multiple email accounts and people will just default to using de-mail.

Re:No end-to-end encryption though (3, Insightful)

Anonymous Coward | more than 3 years ago | (#35388454)

As a native German, I can confirm this. Encryption is only used for Client Server communication.

There are further flaws in the concept. For example, our government lately decided that de-mail addresses do not have to be visually distinguishable from other mail addresses (i.e. de-mail addresses do not share a common tld, nor do the tlds have to contain something like "de-mail"). Instead, they came up with the idea that email client vendors could implement a mechanism for telling users whether an email address is a de-mail address..

Re:No end-to-end encryption though (0)

Anonymous Coward | more than 3 years ago | (#35388606)

IIRC some politician said introducing end-to-end encryption would endanger the success of De-Mail.

Make of that what you want.

How does this prevent zombie spam? (1)

goombah99 (560566) | more than 3 years ago | (#35388952)

Spam sent from zombies will be encrypted and signed with the certificate of the zombied computer. So how does this help?

Re:How does this prevent zombie spam? (1)

machine321 (458769) | more than 3 years ago | (#35389004)

You do the same thing you do when any certificate gets compromised, revoke the cert.

Not that I think this is a good idea, though.

out of thin air? (1)

StripedCow (776465) | more than 3 years ago | (#35388328)

So why didn't we read about this on slashdot before? Or did I miss something?

Re:out of thin air? (0)

Anonymous Coward | more than 3 years ago | (#35388346)

How could you miss it? It's slashdot! Aren't you required to come here 12 times a day everyday?

Re:out of thin air? (2)

ludwigf (1208730) | more than 3 years ago | (#35388350)

Wikipedia: "The project was announced in 2008"

Google: couldn't find a coverage of de-mail on /. before

Living in Germany I've heard about it several times before.

Re:out of thin air? (1)

Anonymous Coward | more than 3 years ago | (#35388372)

Slashdot is powered by your submissions, so send in your scoop. [slashdot.org]

Lots of people complain about slashdot, but not many are doing anything about it.

Re:out of thin air? (0)

Anonymous Coward | more than 3 years ago | (#35388402)

Because the editors choose the shittiest submissions. (I sent a few too.)

Re:out of thin air? (2)

tomhudson (43916) | more than 3 years ago | (#35388566)

Because the editors choose the shittiest submissions. (I sent a few too.)

You sent in a few of the shittiest submissions?

No wonder you're posting A.C.

Re:out of thin air? (1)

stealth_finger (1809752) | more than 3 years ago | (#35388508)

Living in Germany I've heard about it several times before.

I used to work at DHL and they never shut up about it.

Re:out of thin air? (2)

muuh-gnu (894733) | more than 3 years ago | (#35388634)

DHL, i.e. "Deutsche Post" isn't participating in De-Mail at all. Since the basic purpose of De-Mail was to obsolete a large part of legally binding snail mail, and Deutsche Post realized they would be hit the hardest by this, they developed their own competitive service called "Deutsche Post ePostBrief", which works exactly the same as De-Mail, but of course isn't compatible with De-Mail, so you can't interchange legally binding emails between providers. Deutsche Post is kinda alone in their camp, since basically everybody else (ISPs, Email-Providers) is in the De-Mail camp.

What both of course have in common is that there is no end-to-end encryption, so now you have not only to trust your lawyer/bank/doctor for confidential stuff, but now you also have to trust the carrier. Oh, and, in order to not hurt their snail mail business, every "Deutsche Post ePostBrief" will cost EUR 0,55, exactly as much as a snail mail.

Re:out of thin air? (1)

smurfsurf (892933) | more than 3 years ago | (#35388918)

http://service.deutschepost.de/faq/wie-steht-die-deutsche-post-zum-geplanten-de-mail-gesetz [deutschepost.de]

Natürlich unterstützen wir die De-Mail-Initiative des Bundes und werden – sobald das Gesetz in Kraft ist – eine Akkreditierung als De-Mail-Anbieter beantragen.
Schon jetzt erfüllt der E-POSTBRIEF die hierfür erforderlichen Standards, soweit sie nach dem derzeitigen Gesetzesentwurf absehbar sind.

(Loose translation: We support the de-mail initiative and will apply for an accreditation as soon as the law is enacted. e-postbrief already meets all criteria of the upcoming law.)

They were stalling the legislation, but they have no chance but to participate as they could not stop it.

Want to send email in Germany? (-1)

Anonymous Coward | more than 3 years ago | (#35388332)

Show me your papers!

Hitler would be proud.

All is good as long as... (0)

Anonymous Coward | more than 3 years ago | (#35388334)

All is good as long as it remains an optional service, but if (hypothetically) the market somehow makes this a de facto standard or the government demands it for certain services, issues will arise.

Re:All is good as long as... (1)

i-linux123 (2003962) | more than 3 years ago | (#35388550)

It's all fun and games until someone that doesn't know about the system tries to send you an email. I like the idea of having real names registered to email addresses, but certificates already do this.

No, thank you. (2)

Mortiss (812218) | more than 3 years ago | (#35388340)

I can encrypt on my own and Gmail already does a fine job removing spam. I don't need a Government oversight and much less a possibility of paying per message for this "privilege".

Re:No, thank you. (1)

X-Power (1009277) | more than 3 years ago | (#35388490)

But you willfully accept this same privilege from Google?

Re:No, thank you. (1)

Lennie (16154) | more than 3 years ago | (#35388502)

It is not even encrypted. Just the mailservers use encryption for the transport and the system is separate from the normal internet mailservers.

My guess is, it is SMTP-authentication over SSL/TLS for sending mail so they know exactly who sent it (at least which e-mail client).

Re:No, thank you. (0)

Anonymous Coward | more than 3 years ago | (#35388588)

so they know exactly who sent it (at least which e-mail client).

The whole point is to know who is communicating. This is not a system designed to replace private (or even: anonymous) email communication. It's designed to allow standardised, legally binding actions via some special form of email, which otherwise would be done eg by signature on a sheet of paper.

Re:No, thank you. (2)

TheRaven64 (641858) | more than 3 years ago | (#35388642)

Then why not use existing standards? We already have S/MIME, which allows a digital signature to be used to sign and encrypt mail. Simply pass a law saying that emails with S/MIME encryption and a certificate signed by the government's CA are viewed as legally binding. Then, anyone can continue to use existing clients, can continue to use existing servers, and can just get a certificate signed by the government if they want to opt in to this.

Re:No, thank you. (1)

Lennie (16154) | more than 3 years ago | (#35388664)

Yes, I'm sure that is interesting. But why not use DNSSEC, SSL/TLS-certificates, SSL/TLS Certificate Authorities and DKIM which already solve all these problems?
1. SSL/TLS-certificates are created by the Certificate Authorities
2. SSL/TLS encryption for communication between mailservers
3. SSL/TLS encryption with authentication for delivery from the user to the mailserver
4. DKIM signing of the e-mail on the mailserver to verify that the mail came from the user
5. DNSSEC to publish the DKIM key
6. DNSSEC to verify the domain
7. All we need is an interface in the e-mail client (or maybe partly on the mailbox server where the e-mail is delivered to) which checks that the above is valid and the domain has an HTTPS EV-like certificate (green bar in the browser) to prevent phishing with similar looking domains.

I think simpler is possible too, it is more a list of technology which can already be applied. :-)
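
The client-side check from step 7 of the list above, limited to what the receiving side can read from headers (TLS on the inbound hop and an aligned DKIM pass), as an added Python example that is not part of the original comment or of De-Mail. It assumes a hypothetical receiving server `mx.example.net` that stamps `Authentication-Results` and `Received` headers; the sample messages are constructed, and the DNSSEC and EV-certificate checks are not covered.

```python
import email
import re
from email.utils import parseaddr

# "with" keywords in Received that indicate the hop used TLS (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}
COMMENT = re.compile(r"\([^()]*\)")
RECEIVED_BY_WITH = re.compile(r"\bby\s+(\S+)\s+with\s+(\S+)", re.I)

# Constructed sample: TLS hop into our server, DKIM pass for the From domain.
SAMPLE_OK = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=example.org header.s=sel1;
 spf=pass smtp.mailfrom=example.org
Received: from out.example.org (out.example.org [192.0.2.10])
 by mx.example.net with ESMTPS id abc123
 for <bob@example.net>; Thu, 03 Mar 2011 10:00:00 +0100
From: Alice <alice@example.org>
To: bob@example.net
Subject: constructed test

hello
"""

# Constructed sample: plaintext hop, and a sender-supplied Authentication-Results
# header carrying somebody else's authserv-id below the genuine one.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.net; dkim=none
Authentication-Results: unrelated.example; dkim=pass header.d=example.org
Received: from unknown (unknown [203.0.113.5])
 by mx.example.net with ESMTP id zzz999; Thu, 03 Mar 2011 11:00:00 +0100
From: Alice <alice@example.org>
To: bob@example.net
Subject: constructed test

hello
"""


def unfold(value):
    """Collapse header folding and runs of whitespace into single spaces."""
    return " ".join(value.split())


def parse_authres(value):
    """Split an Authentication-Results value into (authserv-id, results)."""
    parts = [p.strip() for p in unfold(COMMENT.sub(" ", value)).split(";")]
    authserv = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.lower().split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv, results


def aligned(signing_domain, from_domain):
    """Simplified alignment: same domain, or From is a subdomain of the signer."""
    return bool(signing_domain) and (
        from_domain == signing_domain or from_domain.endswith("." + signing_domain)
    )


def evaluate(raw_message, trusted_authserv):
    """Report which of the checks hold, using only headers our own server wrote."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # Step 4: DKIM must pass for a domain aligned with From. Results stamped by
    # any other authserv-id are ignored, since the sender can add such headers.
    dkim_aligned = False
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_authres(value)
        if authserv != trusted_authserv:
            continue
        for method, result, props in results:
            if method == "dkim" and result == "pass":
                dkim_aligned |= aligned(props.get("header.d", ""), from_domain)

    # Step 2: the topmost Received header is the one our server wrote. Hops
    # below it (including the step 3 submission hop) are the sender's claims.
    inbound_tls = False
    received = msg.get_all("Received", [])
    if received:
        hop = RECEIVED_BY_WITH.search(unfold(received[0]))
        if hop and hop.group(1).lower() == trusted_authserv:
            inbound_tls = hop.group(2).upper() in TLS_PROTOCOLS

    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_aligned,
        "inbound_tls": inbound_tls,
        "accept": dkim_aligned and inbound_tls,
    }


if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("spoof", SAMPLE_SPOOF)):
        print(name, evaluate(raw, "mx.example.net"))
```

The check only means something if the receiving server removes incoming `Authentication-Results` headers that carry its own authserv-id before adding its result.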

Re:No, thank you. (1)

Kvasio (127200) | more than 3 years ago | (#35388586)

nobody prohibits you from using your gmail account, this is just that when dealing with state offices (e.g. tax office, land registry, local authorities, voting), their registered email would be useful.

Every mistake in the book (5, Informative)

Anonymous Coward | more than 3 years ago | (#35388342)

They put a price on every email.

The system will not provide end-to-end encryption: Mail will only be encrypted to and from the mail service providers.

While the accounts are free, individual mails will cost money.

Mail delivered to these accounts will count as delivered to the recipient, so any respite associated with the delivery starts running. Don't read your email regularly - miss deadlines.

Did I mention that mails cost money?

I have recommended to everyone who has asked me to stay away from this system if at all possible. Don't even get an account.

Re:Every mistake in the book (0)

Anonymous Coward | more than 3 years ago | (#35388456)

And botnet operators will value any associated computer even more!

Re:Every mistake in the book (1)

maweki (999634) | more than 3 years ago | (#35388480)

"Mail delivered to these accounts will count as delivered to the recipient"

Yeah, well, not true. Actually, you start counting three days after the technical delivery. Check your mail regularly and gain three days. Check your analog mailbox not often enough (people in my house check their boxes once a week) and you will miss deadlines as well.

Re:Every mistake in the book (1)

Splab (574204) | more than 3 years ago | (#35388702)

Yeah, I hardly ever check the mailbox, once a week tops - unless I'm expecting something.

Re:Every mistake in the book (0)

Anonymous Coward | more than 3 years ago | (#35388484)

Mail delivered to these accounts will count as delivered to the recipient, so any respite associated with the delivery starts running. Don't read your email regularly - miss deadlines.

To me this is why I'll never get an account. It's mandatory by law you check your account regularly because delivery by the provider equals reception by you. Sick in a hospital? On vacation? Good news! Once you'll return your life will be fucked because you missed a few legal messages to which you had to respond yesterday.

It would have been an interesting approach to communicate with government offices. Then again, as far as I understand the system, it's completely non-confidential since the provider (and probably the official issuer of encryption certificates) can read the contents in plain text. But hey, since they put ALL responsibility on the user, I'm not even going to consider it.

Re:Every mistake in the book (1)

maxwell demon (590494) | more than 3 years ago | (#35388770)

To me this is why I'll never get an account. It's mandatory by law you check your account regularly because delivery by the provider equals reception by you. Sick in a hospital? On vacation? Good news! Once you'll return your life will be fucked because you missed a few legal messages to which you had to respond yesterday.

How is this different from legal messages arriving in your physical mailbox when you are away (in hospital/on vacation)?

Re:Every mistake in the book (1)

smurfsurf (892933) | more than 3 years ago | (#35388970)

> How is this different from legal messages arriving in your physical mailbox when you are away (in hospital/on vacation)?

You claim to the sender (and have to prove if he disagrees) that you were not able to retrieve the letter for that reason and any deadline has to be restarted. The legal term is restitutio in integrum (although it seems the US uses restitutio in integrum only for damages?).

Re:Every mistake in the book (1)

Thad Zurich (1376269) | more than 3 years ago | (#35388496)

Sender-pays may well be the ultimate spam defense (but see comment about botnet operators...) That bit about delivery=receipt has to be reworked; it's not comparable to snail-mail return receipts, which have to be signed by the recipient. Might make more sense for business-to-business, since the other real value is in non-repudiation.

Re:Every mistake in the book (1)

maxwell demon (590494) | more than 3 years ago | (#35388804)

It will make things harder for the botnet operators as well because, unlike now, the infection will only remain undetected until you receive your next bill from your de-mail provider. And after that, people will try to remove that bot ASAP. So as soon as you use a bot to send de-mail, that node will soon be lost for the botnet.

But then, normal mail won't go away anyway. So spam will continue to exist on normal mail, but de-mail will likely be mostly spam-free (mostly, because after all some companies happily pay for "snail spam" to be delivered to your physical mail box).

Re:Every mistake in the book (1)

rmstar (114746) | more than 3 years ago | (#35388504)

Mail delivered to these accounts will count as delivered to the recipient, so any respite associated with the delivery starts running. Don't read your email regularly - miss deadlines.

How is this different from mail delivered to your snailmail box? "I wasn't at home" has not been a particularly good excuse for a very long time.

The lack of end-to-end encryption is another matter entirely, and a rather obvious strategy to ensure that the government can eavesdrop. So much is clear.

Re:Every mistake in the book (2)

crtreece (59298) | more than 3 years ago | (#35388716)

Anything sent via snailmail that is expected to be time sensitive and/or legally binding would require a signature, it would not just be left in the mailbox.

Or it would be sent via FedEx or UPS, again requiring a signature.

Not so sensitive items, bills and such, don't require a signature, but you're still on the hook. Mail carrier left the door to the mailbox open, and your mortgage payment invoice got blown down the road? You are still on the hook for the payment.

Re:Every mistake in the book (2)

mxs (42717) | more than 3 years ago | (#35388820)

Mail delivered to these accounts will count as delivered to the recipient, so any respite associated with the delivery starts running. Don't read your email regularly - miss deadlines.

How is this different from mail delivered to your snailmail box? "I wasn't at home" has not been a particularly good excuse for a very long time.

Actually that is a very, very good excuse when you require proof of delivery/acceptance -- since those are usually signed-for. Recipient not there to sign ? No proof of personal delivery. The difference with DE-Mail is that messages count delivered when they hit your service provider, no matter whether you read your account or not. This can have far-reaching consequences under German law.

The lack of end-to-end encryption is another matter entirely, and a rather obvious strategy to ensure that the government can eavesdrop. So much is clear.

Yes, and the lies and bullshit they spew when defending this are even more so. Too bad too few people will get the message -- or care.

Basically the whole thing boils down to a giant waste of money and resources for everybody. Well, everybody not implementing such a system and getting paid for it.

Re:Every mistake in the book (1)

stealth_finger (1809752) | more than 3 years ago | (#35388512)

Mail delivered to these accounts will count as delivered to the recipient, so any respite associated with the delivery starts running. Don't read your email regularly - miss deadlines.

Surely not, even regular email has read reports, so unless it does that automatically and it counts that. Any company will tell you with regular post proof of postage isn't proof of receipt.

Re:Every mistake in the book (0)

Anonymous Coward | more than 3 years ago | (#35388872)

I doubt that stopping spam is really the point of this. It sounds more along the lines of creating an electronic version of certified mail. This is really something for business purposes rather than every day use. This sort of thing would be useful for my job, actually. I've had an email from a client that was missed for a month because it inexplicably wasn't delivered. Well, either that, or the client later forged a backdated email and claimed it wasn't delivered. With something like this with confirmed delivery (in a more substantial way than receipt requests in current email), that wouldn't have happened.

Dibs on the nickname! (1)

ClayJar (126217) | more than 3 years ago | (#35388344)

From the sound of it, it'll almost inevitably end up costing money. With that in mind and by the powers vested in me by absolutely nobody in particular, I hereby dub it "feemail".

(One *could* say that it is supposed to be a kinder, more respectable alternative to the rough-and-tumble wild west of existing (e)mail, but then there are those who think it's just a prettier version that will inevitably cost a bunch of money.)

Re:Dibs on the nickname! (1)

OeLeWaPpErKe (412765) | more than 3 years ago | (#35388418)

Don't you think it's probably more meant as a kinder, faster alternative to confirmed (ie. legally valid) snailmail delivery, in addition a way for that long-awaited legally valid electronic signature ?

Because that's what Europe's various governments have been trying to create for a long while now. Belgium, Holland, France. The good news (for you at least) ? They all failed miserably. Somehow I doubt this will work better.

They are busting it again. (1)

Anonymous Coward | more than 3 years ago | (#35388348)

Typical mix of greedy corporations in bed with clueless *and* greedy lawmakers.

I bet you:

* Mails will live unencrypted at provider's server (check!)

* Users won't have any control on their keys and identities (check)

* There will be a central place to map identities to Real Life users (check)

Darn. And OpenPGP is out there for years. Sad. But hey, with OpenPGP the Deutsche Telekom and other parasites won't be able to leech on "consumers", right?

Re:They are busting it again. (0)

Anonymous Coward | more than 3 years ago | (#35388400)

Legislated by the same people who endorsed this horse manure [slashdot.org] and claimed that it was going to be world-leading data privacy made in Germany...

We call them "Internetausdrucker", people who print out the internet.

Re:They are busting it again. (1)

binarylarry (1338699) | more than 3 years ago | (#35388404)

Poor RMS.

Re:They are busting it again. (1)

HungryHobo (1314109) | more than 3 years ago | (#35388414)

as far as I can see everything this service provides has been done better for free elsewhere.
nothing novel.
but it'll probably be pushed hard by the german government.
and if it works even poorly then other governments will follow their lead because since what happened in egypt, tunisia and libya governments the world over are suddenly terrified of the net.

Re:They are busting it again. (1)

OeLeWaPpErKe (412765) | more than 3 years ago | (#35388450)

The problem is (some) users are idiots, easily tricked into revealing their encryption keys, and OpenPGP is no protection on a virus-infested pc (of course palladium, or "trusted execution" could solve that).

Re:They are busting it again. (0)

Anonymous Coward | more than 3 years ago | (#35388468)

* There will be a central place to map identities to Real Life users (check)

Well, of course. The main point of De-Mail is to be able to do legally binding communication between businesses or state authorities (eg tax payer - tax office). Anonymity is not at all a point of this system, it is rather "confirmed identity". For secure, anonymous communication you should use other means.

Cooperation (1)

Kwesadilo (942453) | more than 3 years ago | (#35388354)

This sounds like completely run-of-the-mill encrypted email that you also have to pay per message and identify yourself for. The one significant advantage that I can see is that you might be able to convince other people to actually use it.

Re:Cooperation (0)

Anonymous Coward | more than 3 years ago | (#35388364)

I believe part of the idea here is to be able to digitally communicate with the government.

I could see a reason to pay for that if it cost less than a conventionally signed snail mail letter, which I'd have to send otherwise.

Re:Cooperation (0)

Anonymous Coward | more than 3 years ago | (#35388380)

Except it's not encrypted, see first post ja?!

Why a per-mail charge? (0)

Anonymous Coward | more than 3 years ago | (#35388358)

The article says providers will charge a sum of money per e-mail sent, and that sounds wrong if this is supposed to be a government service rather than some private industry ploy to rip off customers.
 
Shouldn't only the (re-)registration of a key (associated with a real identity) cost a little bit of money to cover for the amount of work needed to identify a person?
 
Issuing such a key is close to the equivalent to issuing an ID card or a passport, and in this case no one will even call into the government office to get some confirmation over a telephone line or another costly thing like that...

Re:Why a per-mail charge? (0)

Anonymous Coward | more than 3 years ago | (#35388756)

The article says providers will charge a sum of money per e-mail sent, and that sounds wrong if this is supposed to be a government service rather than some private industry ploy to rip off customers.

The government only defined the set of standards, to have this standardized, legally accepted means for communication. The servers are run by private companies, and the service can of course also be used by and between companies and private citizens (eg instead of sending signed sheets of papers around). It's not supposed to be a government service, although the government will of course use it, too, just like good old regular mail.

Issuing such a key is close to the equivalent to issuing an ID card or a passport, and in this case no one will even call into the government office to get some confirmation over a telephone line or another costly thing like that...

I don't really see the connection. You want to send a document from A to B, with a legally binding signature. An accepted standard is to send a signed sheet of paper. That costs money (a stamp) for the service. De-Mail is an alternative, email-like service. It also costs a fee (but less).

Verifying the identity of someone who is present in person is a completely different problem. You don't need the service provider for the trusted communication. Which is what you are paying for in the above two examples.

Um, Germany didn't create anything... (0)

Anonymous Coward | more than 3 years ago | (#35388360)

German citizens may have created these 'encrypted identity confirmed emails', but Germany didn't ... It's a country: a plot of land for chrizakes!

No End-To-End Encryption (0)

Anonymous Coward | more than 3 years ago | (#35388368)

De-Mail does not provide End-To-End encryption. Messages can be (and are) decrypted on the server to scan them for malware and spam. Who would send malware and spam through an identity-controlled channel on which each message is charged roughly 0,30 € is a mystery to me though.

Re:No End-To-End Encryption (1)

lennier1 (264730) | more than 3 years ago | (#35388446)

Once the encryption on the end can be faked so someone else will end up with the costs and even have the cops knock down their door?

Looks like my Aunt was right... (3, Funny)

fortfive (1582005) | more than 3 years ago | (#35388376)

...when she sent me a forward claiming the government was going to start charging for email!

OpenPGP (0)

Anonymous Coward | more than 3 years ago | (#35388378)

Couldn't you just use OpenPGP?

Re:OpenPGP (1)

Anonymous Coward | more than 3 years ago | (#35388392)

If you want encrypted mails then yes. If you want to do a legally binding offer or request or or or, then you cannot use OpenPGP, because there are no rules who does what with the keys. (You could create a contract with someone saying that mails signed with a specific OpenPGP key are your mails, but good luck on getting anyone to do so). With something like this, once you sign it, this key is your key. Everything signed with it is as if you had said it in public or written it with a (classical) signed paper.

Re:OpenPGP (1)

Lennie (16154) | more than 3 years ago | (#35388518)

Combine it with DKIM and DNSSEC and you are done.

Re:OpenPGP (2)

Alain Williams (2972) | more than 3 years ago | (#35388500)

This is the way to go, it is what I use when I want to send encrypted email. There are some big problems with PGP/GPG where government could help, these are:

  • not enough people use it. A government push would speed adoption, if government departments use it then others will follow -- that is probably all that they need to do.
  • helping with key management and verification. I would be happy to pay a small charge (say £10 one off) to have my key verified against passport, ...

Once they have done that then the normal commercial forces would kick in: some people would pay for s/ware that works, others would use FLOSS; it doesn't really matter -- it is the standard that is important.

Mail signing -- encryption is a completely different problem from spam prevention, we must not conflate the two.

d-mail ? (1)

advance-software (1770510) | more than 3 years ago | (#35388386)

Isn't that going backwards ?

Shouldn't the next one be f-mail ?

Re:d-mail ? (0)

Anonymous Coward | more than 3 years ago | (#35388542)

It's going in the same direction as grades

Re:d-mail ? (0)

Anonymous Coward | more than 3 years ago | (#35388564)

1. We have to confirm our identity while sending the message - check
2. Our emails are only as confidential as the extent of the mailman's sense of responsibility - check
3. We have to pay fees per message - check

The name fits perfectly.

Re:d-mail ? (0)

Anonymous Coward | more than 3 years ago | (#35388658)

F-mail, or alternatively, f'ail, is slated to appear in the market next fall.

Re: next one (1)

TaoPhoenix (980487) | more than 3 years ago | (#35388856)

No, the next one after gmail would be HeMail, pronounced

Ahee-Mayal.

Homestarrunner FTW!

http://www.homestarrunner.com/main8.html [homestarrunner.com]
"Email" tab

Why use de-mail when gpg exists? (2)

bl8n8r (649187) | more than 3 years ago | (#35388388)

Why would I volunteer to use a government sponsored program that I may get charged for when I can just use Enigmail in Thunderbird, or gpg the message otherwise?

Second problem: "It will allow service providers to charge for sending messages".

Major fail. It sounded almost good until I read that.

Re:Why use de-mail when gpg exists? (1)

betterunixthanunix (980855) | more than 3 years ago | (#35388396)

I imagine people will use it for the same reason people use Hushmail: ignorance.

Re:Why use de-mail when gpg exists? (1)

peragrin (659227) | more than 3 years ago | (#35388424)

well that and ease of use.

Setting up openPGP is a pain for someone who has never had to deal with it before, not to mention that you then have to have the other end using the same encryption.

while it makes sense, people aren't very smart about these techie things and really don't want to think about it.

I don't encrypt my email simply because 99.9999999999999% of end users don't know what it is or how to decrypt it, or even which tools to decrypt it with.

Re:Why use de-mail when gpg exists? (1)

Velex (120469) | more than 3 years ago | (#35388772)

This is the fault of email client developers. I haven't used KMail in quite some time (I've since switched to a GTK/XFCE desktop so Claws-Mail is the client of choice these days), but when I had a KDE 3.x desktop, I remember that I was struck by how seamless KMail made GnuPG, even S/MIME. If all email clients made GnuPG as seamless as KMail, you'd see more use of encryption.

Really, encryption need not be difficult, not much more difficult than typing https or getting redirected to https when you just type foobar.com. It's simple. Your email client should generate a key or detect if you already have one in your OS's security system (GnuPG, etc). Then it should advertise that you have a key by attaching the public half to your messages. When another client sees a public key, it should cache it, and wa-lah! Now that client can send encrypted emails back with no problem.

I'm sure I'm over-simplifying, but the number 1 reason nobody encrypts their emails is because of this: look at who your popular email programs are. There's Outlook, Yahoo, GMail, and HotMail. Do a single one of those support OpenPGP out of the box? Absolutely not. In fact, the only one of those that even supports S/MIME is Outlook, and its support is a pain-in-the-ass at best!
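The "attach the public half, cache it on receipt" scheme in the comment above is trust-on-first-use, and the case a client has to handle is a sender whose advertised key later changes. The following is an added example, not part of any comment in the thread and not any mail client's code: the header name `X-Sender-Public-Key`, the sample messages and the key bytes are all constructed for illustration, and no real encryption is performed.

```python
import base64
import hashlib
from email import message_from_string
from email.utils import parseaddr

KEY_HEADER = "X-Sender-Public-Key"  # hypothetical header name, not a standard


class KeyCache:
    """Trust-on-first-use cache: sender address -> fingerprint of first key seen."""

    def __init__(self):
        self.pinned = {}     # address -> hex SHA-256 of the first key seen
        self.conflicts = {}  # address -> fingerprints that differed later

    def observe(self, raw_message):
        """Process one incoming message and return (address, status)."""
        msg = message_from_string(raw_message)
        # The From header is unauthenticated; TOFU only binds it to a key.
        address = parseaddr(msg.get("From", ""))[1].lower()
        if not address:
            return ("", "no-sender")
        value = msg.get(KEY_HEADER)
        if value is None:
            return (address, "no-key")
        try:
            # Folded headers may contain whitespace; strip it before decoding.
            key_bytes = base64.b64decode("".join(value.split()), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            return (address, "malformed")
        if not key_bytes:
            return (address, "malformed")
        fingerprint = hashlib.sha256(key_bytes).hexdigest()
        known = self.pinned.get(address)
        if known is None:
            self.pinned[address] = fingerprint
            return (address, "pinned")
        if known == fingerprint:
            return (address, "match")
        # Never overwrite silently: a changed key is either a legitimate
        # rollover or someone else advertising a key under this address.
        self.conflicts.setdefault(address, set()).add(fingerprint)
        return (address, "changed")

    def can_encrypt_to(self, address):
        """Encrypt automatically only to a pinned key with no open conflict."""
        address = address.lower()
        return address in self.pinned and address not in self.conflicts


def build_message(sender, key=None, body="hello"):
    """Build a constructed sample message, optionally advertising a key."""
    lines = ["From: " + sender, "To: bob@example.org", "Subject: test"]
    if key is not None:
        lines.append(KEY_HEADER + ": " + key)
    return "\n".join(lines) + "\n\n" + body + "\n"


# Constructed stand-ins for public key material.
ALICE_KEY = base64.b64encode(b"constructed-key-material-alice").decode()
OTHER_KEY = base64.b64encode(b"constructed-key-material-other").decode()


def run_demo():
    """Feed a constructed mailbox through the cache and collect the statuses."""
    cache = KeyCache()
    mailbox = [
        build_message("Alice <alice@example.org>", ALICE_KEY),
        build_message("alice@example.org", ALICE_KEY),
        build_message("alice@example.org"),
        build_message("ALICE@example.org", OTHER_KEY),
        build_message("carol@example.org", "not base64!!"),
    ]
    return [cache.observe(raw)[1] for raw in mailbox]


if __name__ == "__main__":
    print(run_demo())
```

A "changed" status is where the seamless flow has to stop and ask the user to verify the new fingerprint out of band, since the cache cannot tell a key rollover from an impersonation.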

Re:Why use de-mail when gpg exists? (0)

Anonymous Coward | more than 3 years ago | (#35388962)

It is not a pain to set up. Back when I still used Outlook, I only had to install one add-in and generate the keys. It took less than five minutes. The reason people don't use GPG is because it isn't in their e-mail client by default, and since they honestly wouldn't care even if they knew their e-mails are snooped on, which most of them don't, they won't ever install the add-in. Which means that you cannot use GPG either, because this requires cooperation on both ends. If one end isn't using encryption, you're forced to communicate plain text. And don't think that it's possible to convince people, because at present the vast majority of people don't use encryption, and people are much more easily influenced by peer pressure than by arguments, and they will expect the same to hold for you. So you can choose to mail unencrypted, or not at all.

legal binding (1)

sourcerror (1718066) | more than 3 years ago | (#35388406)

The point is that mails sent through De-mail are legally binding, so you can use them as proof in court.

Re:legal binding (1)

Anonymous Coward | more than 3 years ago | (#35388510)

Unfortunately that also means you cannot leave your account unchecked for more than a day or two because you might miss a legal deadline. It's your duty by law to regularly check it. Sounds like a hoot.

Re:legal binding (1)

Anonymous Coward | more than 3 years ago | (#35389012)

E-mail with a qualified signature is already legally binding in all of the EU. A more realistic approach would be to set up a state (or preferably EU) run CA, that would be inserted in the CA root lists of all common OSes. As an addition, they should ensure that OS email clients would automatically discard unsigned email coming from the government.

This would actually have a chance to succeed.

Re:Why use de-mail when gpg exists? (1)

mxs (42717) | more than 3 years ago | (#35388830)

Why would I volunteer to use a government sponsored program that I may get charged for when I can just use Enigmail in Thunderbird, or gpg the message otherwise?

Second problem: "It will allow service providers to charge for sending messages".

Major fail. It sounded almost good until I read that.

As a sender, you get to deliver stuff to DE-Mail addresses and they count as legally delivered. This is going to be very good to have for collection agencies or governmental agencies. Senders also get to save a bit compared to paper delivery while legally on the same footing. Senders also get proof of identity for the recipient. Senders get to spout bullshit about using the latest and most secure email standard ever.

Recipients get shafted, in more ways than one.

Czech govt. already did (5, Interesting)

jmak (409787) | more than 3 years ago | (#35388412)

And it's been a failure, for a number of reasons:

- it cost a fortune to deploy
- one message costs an equivalent of about 1 USD, which means no one uses it except for communicating with the government
- it relies on a proprietary (although free as beer) rather obscure application for Windows, fortunately a non-profit foundation later developed a cross-platform library for accessing the mailbox
- once you register into the system, any official letter you get is automatically considered delivered, so you cannot deny receiving it, that's why any sane lawyer will discourage from getting such an account ever unless you are obligated to

Obviously, because so much money has already been burnt, the mailbox system is here to stay.

Don't want or need it. (0)

Anonymous Coward | more than 3 years ago | (#35388430)

Living in Germany, I don't want my government to put their fingers into my mail business.
They put them into too much stuff already anyway.
And they have shown their technical "expertise" often enough when it comes to computer related
topics (e.g. blocking of internet sites (i.e. HTTP traffic) for pedophile material).
Furthermore, it costs at least 55 Cents to send an email (as much as the cheapest, enveloped paper letter).

For certain uses I see great value (1)

germ!nation (764234) | more than 3 years ago | (#35388432)

If it allows banks, utilities and other real world important billing and information emails to be able to be considered trustworthy then I can see a lot of value.

No value if it won't work - it won't (0)

Anonymous Coward | more than 3 years ago | (#35388578)

Since the encryption is not end to end, the current SSL systems will provide no usable guarantees that such mail has not been intercepted in the middle, save those on the wire. Fact is, the elephant in the room is endpoint malware, and if those wanting a reliable channel can't provide systems that
work in its presence, the channel is largely useless. You need at least end to end encryption (how many low-paid government clerks will have
access to the government systems in the middle? How will anyone know that other systems in the middle haven't been added?) and devices to
do authentication and signing that are not wired into the network (nor virtually wired with WEP and the like) to allow function where malware
can't get. (The devices must be secured but must resist the temptation to add features to them which may open them to cracking.)

Utilities, banks, government, et al have known how to do this for over 10 years (possibly longer) and the necessary hardware cost is a few
dollars, less than the cost of frauds being endured now.

A government run man in the middle system can be pretty well guaranteed to have spies listening in. Scanning for virus/malware in emails
is a poor excuse too: consider how virus writers check their stuff against the 20 or so most common antivirii. Governments do not have
any monopoly expertise in detecting malware that others lack.

I can just imagine the effect of spam on this. Picture malware getting in JQ Public's PC, sending out thousands of spam messages this way, at
some cost per message. Spammer doesn't get the bill: the poor sod whose PC was co-opted does.

If a secure system is wanted, it needs at least end-end encryption (the friendly government can put things in a special mail
agent at the endpoints if they must, and then we get to talk about what's in the agents). It also needs some way to authenticate
mails that may depend on humans entering something they remember plus some one-time device output perhaps (or some
operation done by the operator on one-time output, which will reduce keystrokes needed) where the device is not connected
to anything else. That kind of thing can be used in various ways to authenticate and sign communications. If talking to a single (or
few) points, symmetric crypto will work. For mails, you need other tricks - at least, public/private keys, possibly some fancier
tricks (oblivious transfer?) to avoid having a central router as a single point of failure.

It's harder to do this right for mail than for utilities or banks for this reason, but it can be done right. Thing is, a system done right
won't let the spies in any more than it lets the thieves in. Governments don't seem to realize that. Too convenient to want a peep
show into everyone's business.

Obligatory (5, Insightful)

moonbender (547943) | more than 3 years ago | (#35388438)

Your post^Whuge government engineering proposal advocates a

( ) technical (x) legislative (x) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Can I play too? Re:Obligatory (0)

davidwr (791652) | more than 3 years ago | (#35388812)

Can I play too?

---

Your post^Whuge government engineering proposal advocates a

(x) technical (x) legislative (x) market-based ( ) vigilante

approach to promoting authentication and accountability of email. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws as well.)

(x) Spammers can sign up and gain unwarranted credibility
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from people who don't need the service
( ) Requires immediate total cooperation from everybody at once
(x) Many email users will be pressured to sign up for this "voluntary" service

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new user fees
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Dishonesty on the part of fraudsters themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
(x) As a concept this may have *SOME* merit in limited circumstances but the implementation has flaws and the expectation that it will be widely adopted is foolishness at best.

Re:Obligatory (1)

Yvanhoe (564877) | more than 3 years ago | (#35388850)

Yeah, funny, but done correctly it would be a system parallel to the regular emails, that would be used to send official mails like tax declarations or agreement of a contract. The government would not have to be able to read the content of the email. I think this is not about fighting spam, but fighting scams.

Ultimately, the main problem I see with this is that many people will have trouble with keyloggers and rootkits, but having a centralized government sponsored identity checker for crypto messages is a good thing to have.

Re:Obligatory (0)

Anonymous Coward | more than 3 years ago | (#35389034)

There is a much easier solution, and the banks *SHOULD* implement it. In the backwater which is America, most people don't carry a crypto certificate with them. However, in Europe, with chip&pin, most people do. It *should be* trivial for your bank, which is required to verify your identity to get an account, to publish your public key, and have your private key on your credit card. Then, get everyone to have a card reader attached to their computers. If the US military successfully implemented it, anybody competent can. Then, it's a simple matter of using outlook (I know, evil) or whatever software on your slightly trusted computer, to send encrypted email and securely log on to your bank. It removes the problem of keyloggers for attacking your bank account, and it gives an easy approach to sending encrypted email. Further, it doesn't involve the government, so it's a slightly (the bank has a LOT to lose) more trusted solution that's also international instead of national in scope.

CAcert.org (0)

Anonymous Coward | more than 3 years ago | (#35388466)

the identity service at http://www.cacert.org/ is a better alternative. It enables you to have a strong gpg/pgp where the trust lies in the amount of peers who you have met in the real world and have validated your identity.

babys welcome league of smelly infants as allies (-1)

Anonymous Coward | more than 3 years ago | (#35388488)

all are in agreement on re-posting of intentions by request. thank you. see you at one of the million baby play-dates?

1. DEWEAPONIZATION (not a real word, but they like it) almost nothing else good happens until some progress here, 'they' say.

2. ALL BABYS CREATED/TO BE TREATED, EQUALLY. (a rough interpretation (probably cost us. seems like a no-brainer but they expressed that we fail on that one too(:)->) 'we do not need any 300$ 'strollers', or even to ride in your smelly cars/planes etc..., until such time as ALL of the creators' innocents have at least food, shelter, & some loving folks nearby.' again, this is a deal breaker, so pay attention, that's cheap enough, & could lead to our survival?

3. THOU SHALT NOT VACCINATE IRRESPONSIBLY. this appears to be a stop-gap intention.

the genuine feelings expressed included; in addition to the lack of acknowledgment of the advances/evolution of our tiny bodies/dna (including consciousness & intellect), almost nobody knows anymore what's in those things (vaccines) (or they'd tell us), & there's rumor much of it is less than good (possibly fatal) for ANY of us. if it were good for us we'd be gravitating towards it, instead of it being shoved in our little veins, wrecking them, & adversely affecting our improving immune systems/dna/development? at rite-aid, they give the mommies 100$ if they let them stick their babys with whoknowswhat? i can see why they're (the little ones) extremely suspicious? many, oddly? have fading inclinations to want to be reporters of nefarious life threatening processes, ie. 'conspiracies', as they sincerely believe that's 'stuff that REALLY matters', but they KNOW that things are going to be out in the open soon, so they intend to put their ever increasing consciousness, intellect, acute/astute senses & information gathering abilities, to the care & feeding of their fellow humans. no secrets to cover up with that goal.

4. AN END TO MANUFACTURED 'WEATHER'.

sortie like a no-(aerosol tankers)-fly zone being imposed over the whole planet. the thinking is, the planet will continue to repair itself, even if we stop pretending that it's ok/northing's happening. after the weather manipulation is stopped (& it will be) it could get extremely warm/cold/blustery some days. many of us will be moving inland..., but we'll (most of us anyway) be ok, so long as we keep our heads up. conversely, the manufactured 'weather' puts us in a state of 'theater' that allows US to think that we needn't modify our megaslothian heritage of excessiveness/disregard for ourselves, others, what's left of our environment etc...? all research indicates that spraying chemicals in the sky is 100% detrimental to our/planet's well being (or they'd talk to US about it?). as for weather 'extremes', we certainly appear to be in a bleeding rash of same, as well as all that bogus seismic activity, which throws our advanced tiny baby magnets & chromosomes into crisis/escape mode, so that's working? we're a group whose senses are more available to us (like monkeys?) partly because we're not yet totally distracted by the foibles of man'kind'. the other 'part' is truly amazing. we saw nuclear war being touted on PBS as an environmental repair tool (?depopulation? (makes the babys' 'accountants' see dark red:-(-? yikes. so what gives? thanks for your patience & understanding while we learn to express our intentions. everybody has some. let us know. come to some of our million baby play-dates. no big hurry? catch your breath. we'll wait a bit more. thanks.

do the math. check out YOUR dna/intention potential. thanks again.

So! When was Hitler (0)

Anonymous Coward | more than 3 years ago | (#35388494)

revived and re-elected again? I wish the best of luck for his bb-mail! (bb as in big brother)

'hitler' mentality (psycho) still exists HERE? (0)

Anonymous Coward | more than 3 years ago | (#35388734)

don't even think it's not. the murder&mayhem club is winding up for their final pitch(es). trouble is, they've positioned themselves to be both the pitcher & the batter, in this last series of shock&awe strikeouts (overwhelming the 'fans'). see you on the other side of it? hitlers' 'dream' is far from dead yet.

Good initiative (0)

Anonymous Coward | more than 3 years ago | (#35388506)

When are these mails encrypted and decrypted? At the user's computer, or at the service provider's computer?
If it is encrypted and decrypted on the users' computers, I think that de-mail is a very good initiative, in that it solves a lot of the problems with email, while not really having any disadvantages (aside from costing money of course).
A problem they forgot to mention in TFA is that, as reported earlier at slashdot (can't remember where), few people trust their own computers with sensitive information. This could potentially limit the usage for bank statements and the like. OTOH, the natural tendency of people to be lazy might be stronger than the paranoia.

Re:Good initiative (0)

Anonymous Coward | more than 3 years ago | (#35388572)

When are these mails encrypted and decrypted? At the user's computer, or at the service provider's computer?

The sender's provider encrypts it, the receiver's provider decrypts it. So in that regard it's really not any safer than two regular mail servers moving mails via encrypted SMTP using TLS or SSL.

There really are no explanations for this law apart from malice and/or incompetence. Malice, since it's a cheap and easy way to log many mails German authorities would like to have access to. Incompetence, since it's utter nonsense from a technical viewpoint.

if it's anything like Deutsche Post's E-Postbrief (2)

itsme1234 (199680) | more than 3 years ago | (#35388530)

... they better forget it.
It costs from 55 eurocents to send one "email" (to multiple euros if you want confirmation, even if there is no snail-mail/paper involved). The interface is arcane with no 3rd party integration, of course there's no end-to-end encryption (and the "mails" are way less legally protected than normal post) and there are some really nasty conditions attached:
- you have to check your mail EVERY WORKING DAY (that includes Saturdays, not that it matters)
- you can't delegate this "check mail" duty to anybody (note that there isn't anything wrong in letting your wife/neighbour/etc in charge of your physical mailbox if you trust them).

Re:if it's anything like Deutsche Post's E-Postbri (1)

OFnow (1098151) | more than 3 years ago | (#35388988)

Read every day? So when you go on holiday you get into legal or financial trouble? Cute!

Good Idea, Poor Execution! (0)

Anonymous Coward | more than 3 years ago | (#35388534)

Did Hitler come up with the idea?

Not for me (1)

houghi (78078) | more than 3 years ago | (#35388540)

There is a reason I do not want my online profile linked to my real life person. Or at least as little as possible.

It is also the reason I did not participate in a GPG signing, as I would then have to identify myself with my real life name. Thanks but no thanks. (Could be that other signings are different. No idea.)

If need be, I can drop my online alias and create a new one. e.g. if in 20 years people want to kill me because of something I said that is acceptable now. My boss looking for whatever information he thinks he wants, he won't find anything that wasn't screened by me (if he finds the right person, because others with the same name and similar profiles exist and they are in WAY better shape than I am. One even runs marathons.)

So again, thanks but no thanks.

Email should cost one penny per message (1)

cjonslashdot (904508) | more than 3 years ago | (#35388696)

Charge one penny per sent message. That is all we need to do to stop spam. So simple.

If anyone wants security, there is S/MIME, widely available and widely supported.

Re:Email should cost one penny per message (1)

mxs (42717) | more than 3 years ago | (#35388854)

It's beautiful how you came up with that simple idea all of your own, and so elegant ! Implementation is not something to worry about, that's for the people who don't have ideas, they can do that easy work. Go plebs, implement !

I deduct points for not mentioning CompuServe and it not having any spam. I mean come on, that was so easy to reference !

Re:Email should cost one penny per message (0)

Anonymous Coward | more than 3 years ago | (#35388890)

1/100th of a penny would do, given that spammers send messages in the millions.

There's something like that in Italy as well (2)

opus_magnum (1688810) | more than 3 years ago | (#35388928)

named PEC (http://tools.ietf.org/html/draft-gennai-smime-cnipa-pec-08 [ietf.org]), which has the same legal validity as certified mail.
There's also a variant (CEC-PAC) to communicate with government offices only.