A.3 Considerations for Secure Email

Secure email provides a number of advantages to both senders and recipients. These advantages were shown at the beginning of this appendix. However, there are some downsides to using secure email. You must consider a number of factors when deciding whether to use secure email in your company or between trusted parties across an untrusted network. Some of these considerations may not have an impact on your decision, but in all likelihood you'll need to address them all to make secure email work.

The considerations for using secure email include:

  • Digitally signed messages require that the recipient trust the digital certificate used by the sender. This may require the recipient to accept a new certificate publisher as trusted. Some recipients' computers may be configured so that only an administrator can add a new trusted publisher; unless the administrator trusts the sender's certificate (and the publisher of that certificate), digital signatures are useless.

  • Encryption makes email messages (and their attachments) larger, by an amount that depends on the algorithm, so they require more network bandwidth to transmit, more storage space to retain, and more processing power to decrypt. Recipients with older computers may not be able to read encrypted messages because their computers may lack the processing power or support for the more modern cryptographic algorithms.

  • Encryption requires that you obtain a public encryption key for your recipient. If your recipient doesn't have a public key, or if their public key is issued by a private certification authority that you don't have access to, then encryption is impossible.

  • Signatures and encryption both require the sender and the recipient to have email software that supports secure email. While most new email applications provide such support, users with older software will be unable to participate. Also, many text-based email programs do not support cryptographic operations and will be unable to correctly process a signed or encrypted message that they receive.

Once you've reviewed these considerations and addressed them in your overall secure email strategy, you're ready to move on to implementing your system.