1. Field
This invention relates to electronic communications and messaging systems. In particular, embodiments of the present invention relate to secure messaging systems, such as encrypted and authenticated messaging systems, and procedures for encouraging the use of secure messaging.
2. Description of the Related Art
Today, networks like the Internet and mobile networks allow for wide access to communications and messaging, such as e-mail, text messages, instant messages, and the like. Surprisingly, however, most of this communications and messaging traffic is not secured or protected. For example, the overwhelming majority of e-mail messages are sent unencrypted and unsigned, so that any eavesdropper on a communications session over the Internet can read and alter such e-mail while in transit or in storage.
Sending and receiving encrypted and signed (e.g., authenticated) messages is a capability well-known in the art. In a typical system, a user may obtain a certificate for free or for a fee from a certificate authority (CA). The CA verifies the user's identity and e-mail address. The user can then navigate to CA's website and completes a series of actions, such as filling out forms, on the website. This typically entails the user entering personal data, including an e-mail address. A public-private key pair is then generated for the user. The user submits a certificate request containing his or her public key along with the rest of the aforementioned information during the course of submitting data to the website. The private key is stored on the user's computer. The CA's website then verifies the user's identity by sending a confirmation, for example, via an e-mail to the user. In the confirmation, a link is included, and when the user manually follows the link, the CA's website causes an issued certificate to be installed into the user's web browser and united with the related private key.
Unfortunately, the use of these security mechanisms is not widespread. For example, despite the existence of well-established CAs and public key infrastructure (PKI), the use of technologies such as S/MIME and PGP is not very widespread. One reason for the lack acceptance is the process of establishing these security mechanisms requires considerable user interaction. For example, the known systems and processes for obtaining a digital certificate and private key will typically entail at least 20 manual steps by the user.
In addition, other obstacles have slowed the acceptance of securing online communications. For example, many e-mail clients and software cannot handle S/MIME messages. Webmail clients are particularly known for not supporting S/MIME. S/MIME is currently considered ill-suited for use via webmail clients by those skilled in the art. One reason is that some security practices require the private key to be kept accessible to the user, but inaccessible from the webmail server. This complicates a key webmail advantage of providing ubiquitous accessibility. This issue with S/MIME and webmail is not unique. Therefore, for these and other reasons, the vast majority of messaging remains relatively unsecured.