Team for Research in
Ubiquitous Secure Technology

Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook ExpressPPT
Simson Garfinkle

Citation
Simson Garfinkle. " Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook ExpressPPT". Talk or presentation, 9, September, 2005.

Abstract
After more than 20 years of research, cryptographically-protected email is still a rarity on the Internet today. Usability failings are commonly blamed for the current state of affairs: programs like PGP and GPG must be specially obtained, installed, and are generally considered hard to use. And while support for the S/MIME mail encryption standard is widely available, procedures for obtaining S/ MIME certificates are onerous because of the necessity of verifying one's identity to a Certification Authority. Key Continuity Management (KCM) has been proposed as a way around this conundrum. Under this model, individuals would create their own, uncertified S/MIME certificates, use these certificates to sign their outgoing mail, and attach those certificates to outgoing messages. Correspondents who wish to send mail that is sealed with encryption are able to do so because they possess the sender's certificate. Mail clients (e.g. Outlook Express, Eudora) alert users when a correspondent's certificate changed. We conducted a user test of KCM with 44 email users who had no previous experience or knowledge of cryptography and email security. Using a scenario similar to that of Whitten and Tygar's Why Johnny Can't Encrypt study, we show that while naive subjects generally understand the gist of digitally signed mail and that a changed key represents a potential attack, they are less equipped to handle the circumstance when a new email address is presented simultaneously with a new digital certificate. We conclude that KCM is a workable model that can be used today to improve email security for naive users, but that work is needed to develop effective interfaces to alert those users to a particular subset of attacks.

Electronic downloads

Citation formats  
  • HTML
    Simson Garfinkle. <a
    href="http://www.truststc.org/pubs/5.html"
    ><i> Johnny 2: A User Test of Key Continuity
    Management with S/MIME and Outlook
    ExpressPPT</i></a>, Talk or presentation,  9,
    September, 2005.
  • Plain text
    Simson Garfinkle. " Johnny 2: A User Test of Key
    Continuity Management with S/MIME and Outlook
    ExpressPPT". Talk or presentation,  9, September, 2005.
  • BibTeX
    @presentation{Garfinkle05_Johnny2UserTestOfKeyContinuityManagementWithSMIMEOutlook,
        author = {Simson Garfinkle},
        title = { Johnny 2: A User Test of Key Continuity
                  Management with S/MIME and Outlook ExpressPPT},
        day = {9},
        month = {September},
        year = {2005},
        abstract = {After more than 20 years of research,
                  cryptographically-protected email is still a
                  rarity on the Internet today. Usability failings
                  are commonly blamed for the current state of
                  affairs: programs like PGP and GPG must be
                  specially obtained, installed, and are generally
                  considered hard to use. And while support for the
                  S/MIME mail encryption standard is widely
                  available, procedures for obtaining S/ MIME
                  certificates are onerous because of the necessity
                  of verifying one's identity to a Certification
                  Authority. Key Continuity Management (KCM) has
                  been proposed as a way around this conundrum.
                  Under this model, individuals would create their
                  own, uncertified S/MIME certificates, use these
                  certificates to sign their outgoing mail, and
                  attach those certificates to outgoing messages.
                  Correspondents who wish to send mail that is
                  sealed with encryption are able to do so because
                  they possess the sender's certificate. Mail
                  clients (e.g. Outlook Express, Eudora) alert users
                  when a correspondent's certificate changed. We
                  conducted a user test of KCM with 44 email users
                  who had no previous experience or knowledge of
                  cryptography and email security. Using a scenario
                  similar to that of Whitten and Tygar's Why Johnny
                  Can't Encrypt study, we show that while naive
                  subjects generally understand the gist of
                  digitally signed mail and that a changed key
                  represents a potential attack, they are less
                  equipped to handle the circumstance when a new
                  email address is presented simultaneously with a
                  new digital certificate. We conclude that KCM is a
                  workable model that can be used today to improve
                  email security for naive users, but that work is
                  needed to develop effective interfaces to alert
                  those users to a particular subset of attacks. },
        URL = {http://www.truststc.org/pubs/5.html}
    }
    

Posted by Christopher Brooks on 20 Sep 2005.
Groups: trustseminar
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.