David's World

That said, I was wondering whether Ciphire thought of interoperability with existing e-mail solutions that have seen wide-spread implementation. The best-supported e-mail cryptography standard is probably X.509 certificates and S/MIME. Standard e-mail clients such as Outlook, Apple Mail and Thunderbird/Mozilla have it built-in, and it works seamlessly once you have managed to install your certificates.

Ciphire doesn't use X.509 keys and S/MIME. Instead, they install a local mail server that forwards your mail, acting as an encryption proxy. Ciphire's big challenge is to get a critical mass with a system that needs to be installed beside the local user's mail client. I'd say since neither PGP nor S/MIME have really reached what seasoned bullshit bingo players call market penetration, Ciphire will get its chance.

Again, the advantage of S/MIME is that you have a client-to-client encryption, and clients can see whether an e-mail was signed and/or encrypted in their standard mail client (Outlook, Apple Mail, etc.), and they can conveniently select encryption options when composing an e-mail. When I asked the inventors of Ciphire (a European company) about supporting S/MIME, Ciphire's inventors replied that this might come in future versions. So, is the solution insular? Not more than others, they said. Their system, so they say, comes with a better infrastructure that is not so easy to compromise.

Ciphire gets rid of Certification Authorities such as Verisign or their subsidiary Thawte with their annual renewal charges for certificates. However, Ciphire replaces these with their own CA system!

Ciphire uses ASN.1 certificates, which have a number of advantages over standard X.509 certificates. For example, they allow multiple signatures just like PGP keys (instead of only one from a CA) and it is the user who controls renewal and revokation (instead of having a CA charge for these services). Keys are created by the client, so that the secret portion never leaves the computer.

So: It's geat somebody has finally made something that's easy enough for everyone to just use on all three common operating systems, and attractive server-based solutions are to come. Their system, however, suffers from an inheritently non-technical problem. It is vertically integrated (CA, software, interface protocols from one vendor) and closed. No documentation of the underlying mail transfer protocols, and I suspect they also hold patents on their technology. That makes Ciphire a good system for intra-company deployment, but nothing you would like see established as a wide-spread standard that external people (e.g. customers) would have to use. Companies may be reluctant to invest in a system that is proprietary, closed-source and fully vertically integrated and depends on running server infrastructure at Ciphire.

The bottomline: Very interesting product, and friendly company that seems very open in talking to potential customers. I'm sure it is already a viable option for commercial use, for example where e-mails are sent within a company, but across sites. I hope Ciphire will open up their communication protocols and provide backwards-compatibility to S/MIME or PGP. I'll definitely follow up on Ciphire!

(You bet, I did get interested in cryptography - even though I have little to hide these days... This stuff is all pretty new to me, so take my explanations and critique with a grain of salt and sent in your comments!)