1. Field
This invention relates to electronic communications and messaging systems. In particular, embodiments of the present invention relate to secure messaging systems, such as encrypted and authenticated messaging systems, and procedures and systems for determining and indicating the trustworthiness of secure messages.
2. Description of the Related Art
Today, networks like the Internet and mobile networks allow for wide access to communications and messaging, such as e-mail, text messages, instant messages, and the like. Surprisingly, however, most of this communications and messaging traffic is not secured or protected. For example, the overwhelming majority of e-mail messages are sent unencrypted and unsigned, so that any eavesdropper on a communications session over the Internet can read and alter such e-mail while in transit or in storage.
Sending and receiving encrypted and signed (e.g., authenticated) messages is a capability well-known in the art. In a typical system, a user may obtain a certificate for free or for a fee from a certificate or certification authority (CA). The CA verifies the user's identity and e-mail address. The user then navigates to the CA's website and completes a series of actions, such as filling out forms, on the website. This typically entails the user entering personal data, including an e-mail address. A public-private key pair is then generated for the user. The user submits a certificate request containing his or her public key along with the rest of the aforementioned information during the course of submitting data to the website. The private key is stored on the user's computer. The CA's website then verifies the user's identity by sending a confirmation, for example, via an e-mail to the user. In the confirmation, a link is included, and when the user manually follows the link, the CA's website causes an issued certificate to be installed into the user's web browser and united with the related private key.
Unfortunately, the use of these security mechanisms is not widespread. For example, despite the existence of well-established CAs and public key infrastructure (PKI), the use of technologies such as S/MIME and PGP is not very widespread. One reason for the lack of acceptance is that, even with the use of digital signatures and encrypted content for e-mails, it is difficult for users to know with confidence who is contacting them and who they are contacting.
A problem with many messaging systems is that a message contains information about who the message is from (for example, in the “From” line), but typical e-mail systems have no independent way to verify that such messages really came from the sender identified in the From line.
In addition, most users do not understand how computers or messaging services work. Instead, users generally rely upon their software and systems to have sensible defaults in the majority of circumstances. Only when such settings materially affect their computing experiences do users endeavor to change them. For example, as noted, PKI is known in the art. However, almost all users rely on PKI, without understanding how PKI works and without explicitly trusting that PKI works well or in any particular way.
Another known technology is an encrypting gateway server, which receives plaintext messages from users within an organization, examines each message against a complex set of policies, and signs or encrypts the message as it deems appropriate before passing the message onwards, all without the end user seeing the details. Yet another known technology is to utilize self-made and self-signed certificates that are certified through their continued use in ongoing relationships rather than by a CA or other third party.
However, the known technologies are still difficult to use and understand. Therefore, for the most part, almost all users simply avoid the known technologies or use them in an incorrect manner.