That said, PGP has been an Internet standard (OpenPGP - RFC 2440) since 1997 and PGP-encrypted email accounts for well over 90% of the current encrypted email traffic on the Internet. So, using PGP will make you compatible with the majority. However, what really counts is the minority that you actually need to communicate with and their needs. Therefore you may find a need for the use of S/MIME if your correspondents like using its 3rd party issued certificates for email communications rather than PGP's trust model. It is useful to know that some email clients, such as Microsoft Outlook, can be configured to use BOTH PGP and S/MIME so that you can correspond securely using whatever method is necessary at the moment.

The other interoperability issue involves "key exchange". Both PGP and S/MIME are public key cryptography systems in which each user has a public and a private key. If you want to send your friend an encrypted message, you first need his/her public key; if your friend wants to prove that you signed a message or that the message that you sent him/her was unaltered, s/he first needs your public key. So there is the necessity of trading public keys before secure communication can ensue. There are various ways of doing this and PGP offers "key servers" from which your correspondents' keys can be downloaded to make the process easier. However, not everyone has their PGP keys listed on a key server, let alone the same key server, and not everyone uses PGP, so the key exchange issue is still an impediment to sending secure messages -- especially if you have to send them quickly.

From your experience, is secure messaging being a part of security policies deployed within companies?


In my experience, more and more companies are using SSL to encrypt communications with their email servers, but few are using PGP or S/MIME for encryption. I see the impediment being that the effort needed to setup, to enforce usage, and to train employees is seen as much larger (or costlier) than the benefit of use. Clearly, the cost savings gained by using secure messaging is in having less information leakage or modification which is very difficult to quantify, especially as most companies assume that they don't (or won't) have significant problems in this arena anyway. These assumptions will be changing.

Fort Lux is your company web based messaging solution. What are its functions and for what type of users it is intended for?

Actually, Fort Lux is a separate web-based secure messaging product offered by Lux Scientiae. We offer a normal WebMail application for our email hosting users; this is completely separate from Fort Lux, but compatible with, Fort Lux.