Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook ExpressPPT

Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook ExpressPPT
Simson Garfinkle

Citation
Simson Garfinkle. " Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook ExpressPPT". Talk or presentation, 9, September, 2005.

Abstract
After more than 20 years of research, cryptographically-protected email is still a rarity on the Internet today. Usability failings are commonly blamed for the current state of affairs: programs like PGP and GPG must be specially obtained, installed, and are generally considered hard to use. And while support for the S/MIME mail encryption standard is widely available, procedures for obtaining S/ MIME certificates are onerous because of the necessity of verifying one's identity to a Certification Authority. Key Continuity Management (KCM) has been proposed as a way around this conundrum. Under this model, individuals would create their own, uncertified S/MIME certificates, use these certificates to sign their outgoing mail, and attach those certificates to outgoing messages. Correspondents who wish to send mail that is sealed with encryption are able to do so because they possess the sender's certificate. Mail clients (e.g. Outlook Express, Eudora) alert users when a correspondent's certificate changed. We conducted a user test of KCM with 44 email users who had no previous experience or knowledge of cryptography and email security. Using a scenario similar to that of Whitten and Tygar's Why Johnny Can't Encrypt study, we show that while naive subjects generally understand the gist of digitally signed mail and that a changed key represents a potential attack, they are less equipped to handle the circumstance when a new email address is presented simultaneously with a new digital certificate. We conclude that KCM is a workable model that can be used today to improve email security for naive users, but that work is needed to develop effective interfaces to alert those users to a particular subset of attacks.

Electronic downloads

johnny2_talk.pdf · application/pdf · 4643 kbytes

Citation formats

HTML

Simson Garfinkle. <a
href="http://www.truststc.org/pubs/5.html"
><i> Johnny 2: A User Test of Key Continuity
Management with S/MIME and Outlook
ExpressPPT</i></a>, Talk or presentation,  9,
September, 2005.

Plain text

Simson Garfinkle. " Johnny 2: A User Test of Key
Continuity Management with S/MIME and Outlook
ExpressPPT". Talk or presentation,  9, September, 2005.

BibTeX

@presentation{Garfinkle05_Johnny2UserTestOfKeyContinuityManagementWithSMIMEOutlook,
    author = {Simson Garfinkle},
    title = { Johnny 2: A User Test of Key Continuity
              Management with S/MIME and Outlook ExpressPPT},
    day = {9},
    month = {September},
    year = {2005},
    abstract = {After more than 20 years of research,
              cryptographically-protected email is still a
              rarity on the Internet today. Usability failings
              are commonly blamed for the current state of
              affairs: programs like PGP and GPG must be
              specially obtained, installed, and are generally
              considered hard to use. And while support for the
              S/MIME mail encryption standard is widely
              available, procedures for obtaining S/ MIME
              certificates are onerous because of the necessity
              of verifying one's identity to a Certification
              Authority. Key Continuity Management (KCM) has
              been proposed as a way around this conundrum.
              Under this model, individuals would create their
              own, uncertified S/MIME certificates, use these
              certificates to sign their outgoing mail, and
              attach those certificates to outgoing messages.
              Correspondents who wish to send mail that is
              sealed with encryption are able to do so because
              they possess the sender's certificate. Mail
              clients (e.g. Outlook Express, Eudora) alert users
              when a correspondent's certificate changed. We
              conducted a user test of KCM with 44 email users
              who had no previous experience or knowledge of
              cryptography and email security. Using a scenario
              similar to that of Whitten and Tygar's Why Johnny
              Can't Encrypt study, we show that while naive
              subjects generally understand the gist of
              digitally signed mail and that a changed key
              represents a potential attack, they are less
              equipped to handle the circumstance when a new
              email address is presented simultaneously with a
              new digital certificate. We conclude that KCM is a
              workable model that can be used today to improve
              email security for naive users, but that work is
              needed to develop effective interfaces to alert
              those users to a particular subset of attacks. },
    URL = {http://www.truststc.org/pubs/5.html}
}

Posted by Christopher Brooks on 20 Sep 2005.
Groups: trustseminar
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.