2. Background

by Mike Pearson last modified 2006-11-11 12:31

The New Zealand government has been using secure email since 1999. The current SEEMail standard is successfully used by over 60 government agencies, but has characteristics that mean it is not suitable for wider use.


2.  Background

   The New Zealand government has been using secure email since 1999.

   An initial pilot used individual S/MIME secure email clients, with
   users being issued individual digital certificates on smart cards.
   This worked, but had a number of issues:

   o  Content: All content was encrypted to individuals; therefore
      agencies were unable to enforce inappropriate content policies

   o  Accessibility: Vendors could not guarantee a continued long-term
      technical ability to decrypt material; therefore agencies were
      unable to ensure long-term access to encrypted material

   o  Client software variability: The four trial agencies between them
      had 7 different email clients; therefore users found email clients
      behaved differently, creating user support issues

   o  Inconvenience: Users had to unlock the smartcard with a PIN after
      a 30 second timeout

   The project then successfully piloted gateway S/MIME, with gateways
   being issued domain-level digital certificates and securing all
   messages to other participating gateways.

   This infrastructure, called SEEMail, is currently used by more than
   60 government agencies to securely exchange email (and attachments)
   over the Internet.  However, the government agencies have found that:

   o  Losing the private key on a gateway causes big issues: all
      incoming email has to be stored until the key can be recovered;

   o  The Certificate Revocation List (CRL) is a central point of
      failure.  Whenever the CRL is unavailable most commercially
      available software simply stops;

   o  The different world views of security and email.  Security often
      implies waiting or stopping until the issue has been clarified;
      email is about speedy delivery;

   o  Commercially available software often has management intensive
      processes (e.g. key loading).  Vendors had to be asked to add
      management features such as auto-discovery and auto-renewal.  This
      is obviously not scalable;

   o  Limited ability to test exceptions.  No certificate authorities
      offered a service to generate broken, corrupt or expired 
      certificates to test the behaviour of vendor products.
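One way a gateway can avoid the "CRL unavailable, software simply stops" failure mode described above while still honouring revocations, given as an added example that is not part of the RFC text or of SEEMail/SecMX: a small Python policy that trusts a recently cached CRL for an operator-set grace window and otherwise queues (defers) the message instead of halting. `CachedCRL`, the `grace` parameter, the serial numbers and the timestamps are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    ACCEPT = "accept"  # not on the CRL: deliver
    REJECT = "reject"  # serial is listed as revoked
    DEFER = "defer"    # status unknown: queue and retry, do not halt

@dataclass(frozen=True)
class CachedCRL:
    """Constructed stand-in for the fields of a parsed X.509 CRL."""
    this_update: datetime
    next_update: datetime
    revoked: frozenset = field(default_factory=frozenset)

def revocation_decision(serial, crl, now, grace=timedelta(hours=24)):
    """`crl` is the last CRL fetched (None if none ever was) because the
    distribution point is unreachable.  A stale CRL is honoured for `grace`
    past its nextUpdate; after that the message is deferred, not dropped.
    grace=timedelta(0) gives the strict stop-on-stale behaviour."""
    if crl is None:
        return Decision.DEFER
    if serial in crl.revoked:
        return Decision.REJECT  # a listed revocation never goes stale
    if now <= crl.next_update or now - crl.next_update <= grace:
        return Decision.ACCEPT
    return Decision.DEFER

def triage_queue(serials, crl, now, grace=timedelta(hours=24)):
    """Group queued messages by decision so deferred ones can be retried."""
    out = {d: [] for d in Decision}
    for s in serials:
        out[revocation_decision(s, crl, now, grace)].append(s)
    return out

# Constructed scenario: the CRL fetched a week ago passed its nextUpdate
# 20 hours ago, the distribution point is still down, 0x1234 is revoked.
NOW = datetime(2006, 10, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = CachedCRL(NOW - timedelta(days=7), NOW - timedelta(hours=20),
                       frozenset({0x1234}))

def demo():
    # Same queue evaluated now (inside grace) and 48 hours later (outside).
    queue = [0x1234, 0x5678, 0x9ABC]
    later = NOW + timedelta(hours=48)
    return {"now": triage_queue(queue, SAMPLE_CRL, NOW),
            "later": triage_queue(queue, SAMPLE_CRL, later)}
```

The deferred bucket is the mail that would otherwise have been silently held or bounced; it can be logged and retried once the CRL is fetched again.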

Background - Response

Posted by NeilSherratt at 2006-09-27 13:03

Until a new technology comes along that replaces the need for digital certificates, these problems will always occur.

Here in NZ (as with many other countries), there is no legislation in place to regulate the Certificate Authorities (CA) that issue digital certificates to NZ citizens or businesses (see http://www.bellgully.co.nz/resources/pdfs/E_Commerce_Guide.pdf). Therefore the trust placed in CAs to do a proper due diligence assessment on the applicant is often based entirely on an assumption that they will. However there is no guarantee of this. Unless legislation enforces the transparency of the CA’s due diligence processes, and these are audited, certificates issued will have little, if any, real legal weight in court.

Questions must also be asked about the validity of certificates bought from CAs in other countries as there is even less control over them.

So, the CA can only work with the information presented by the applicant - information that can easily be false. Also once issued, digital certificates can easily be hacked using software downloaded free from the internet.

Additionally, it’s also important to remember that encryption is NOT a security ‘Catchall’. But copies left in ‘public’ view do need to be protected against snooping (public means available from the internet).

Encryption does provide some protection against sniffing technologies. But it does not stop copies being made and sent to the wrong people, and it does not prevent copies from being left on the many unknown servers between sender and recipient. Nor does it stop copies from being read by authorities and determined attackers.

Encryption protection levels are limited by law. Governments demand easy to crack protection so their ‘official’ interception is not too difficult. Unfortunately this opens up all messages and documents to easy interception and cracking by everyone else. ‘Brute Force’ encryption breakers (Government, Terrorist or Criminal) need time, but ‘standardised’ encryption systems are deliberately designed to be vulnerable.

Encrypting messages and documents eliminates interference from casual thieves and medium level criminals; they are seldom interested in this level of difficulty.

Hackers typically crack the encryption then attack the other parts of the protection system, basing their attacks on the weaknesses caused by the Real Problem (being the anarchic nature of the internet).

Encryption, combined with excellent protection technologies, can create a much more powerful shield against unwanted and illegal interference. But it is not sufficient in itself.

See my note in the General Discussion area called The End Goal.

Incremental Achievable Goals

Posted by karora at 2006-10-03 10:33

It seems that people have tried digital certificates and found them wanting.

My wife was an Archivist for some years, and she shudders to think of the history that will be lost if everything is to be public key encrypted, with the private key destroyed - whether accidentally or deliberately.

It is highly desirable that the functions of government be able to be reviewed in the future and so it is best if we do not move towards PK encryption for other than the most sensitive materials.

The SecMX proposal will be enhanced by a policy around certificate authorities, though X.509 certificates themselves are a poor design, requiring a hierarchical signing and an ultimate trust.

I would dispute your statement that 'digital certificates can easily be hacked using software downloaded free from the internet', however. Which software? "Hacked" in what way? To the best of my knowledge there is no current publicly known software which will return either a plaintext or a private key in reasonable time, given an encrypted text and a public key with a reasonable keylength.

The SecMX proposal is not about finding a perfect solution. Attempts to achieve perfection are rarely (if ever) successful. SecMX is about encouraging an incremental improvement in the general level of security of e-mail transport.

Response

Posted by NeilSherratt at 2006-10-18 10:43

I'm not about to publicly (or privately) announce what the software is, or where to get it. You can of course do your own internet search using terms like cryptography or encryption. If you can't find anything on one search engine, try another.

Incremental Achievable Goals - reply

Posted by NeilSherratt at 2006-10-18 14:46

There is loads of different hacking/cracking software available. A lot of it is free. The websites for these are there if you care to search hard enough.

The point I was trying to make is that as billions of emails are sent in the clear every day, encrypted versions stand out and are very simple to spot using sniffing tools. As there are many servers and switches between sender and recipients, hosted in unknown countries where copies are often kept, you now have the ability to obtain one. Not only do you have as much time as you need to crack the encryption - you also have loads of clues on how to crack it as the digital certificate is standardised.
