SoK: Securing Email—A Stakeholder-Based Analysis Jeremy Clark1, Paul C. van Oorschot2, Scott Ruoti3, Kent Seamons4, and Daniel Zappala4 1 Concordia University, Canada
[email protected] 2 Carleton University, Canada
[email protected] 3 University of Tennessee
[email protected] 4 Brigham Young University
[email protected] [email protected] Abstract. While email is the most ubiquitous and interoperable form of online communication today, it was not conceived with strong security guarantees, and the ensuing security enhancements are, by contrast, lacking in both ubiquity and interoperability. This situation motivates our research. We begin by identifying a variety of stakeholders who have an interest in the current email system and in efforts to provide secure solutions. We then use the tussle among stakeholders to explain the evolution of fragmented secure email solutions undertaken by industry, academia, and independent developers, and to draw the conclusion that a one-size- fits-all solution is unlikely. We highlight that vulnerable users are not well served by current solutions. We also account for the failure of PGP, and argue secure messaging, well complimentary, is not a fully substitutable technology. 1 Introduction Email has been called “probably the most valuable service on the Internet” [14]. It has evolved over its 50-year history to become a pillar of seamless interoperability—if you know someone’s email address, you can send email to them [111] across a diverse range of desktop, mobile, and web client software. As an indication of its near-universal acceptance, an email address is often required to create online accounts and to make online purchases.