The word ``secure'' has three important connotations in the context of this study. Email is secure, for our purpose, if it is adequately private, adequately authenticated and has an adequate assurance of integrity. We use the word ``adequate'' deliberately: any security mechanism can be circumvented if sufficient effort is applied. We are assuming that protection against the determined efforts of a major government intelligence agency is not possible with the resources that the majority of the members of the UK academic community has available and at the level of inconvenience which it is prepared to tolerate. We do require, however, that it be possible for the community to be reasonably satisfied that privacy, authenticity and integrity are protected against other members of the community (including systems staff), against plausible threats from service providers, against commercial organizations (such as customer database providers) and against most illicit monitors of network traffic (compare the ``internet sniffer'' attacks against host/account/password triples).
In this context, ``privacy'' means that information is intelligible only to its rightful recipients. Although third parties may be able to read (a copy of) the message sent, they must not be able to make sense of it.
``Authenticated'' means that the recipient may reasonably be certain that a message was truly created by its purported author, and has not been forged by some other party. Implicit in this definition is the assumption that the true author has taken care to prevent misuse of its identity by unauthorized entities and that if forgery has taken place, it is without the collusion of the author. The related concept of ``non-repudiation'' implies that it is infeasible for the purported author to collude in this manner.
A message has its ``integrity'' protected if it is infeasible for its contents to be changed in transit without any such changes being instantly obvious to the recipient.
Note that any particular message need not have all three of these characteristics. In particular, a public announcement by someone in authority should probably not be private, but it very probably ought to be extremely difficult for anyone to change it indetectably; neither should anyone else be able to create a counterfeit announcement supposedly from an authoritative source. Conversely, a whistle-blower may not want to give incontrovertible proof of authorship, but would want sensitive information to remain private. Another situation may apply if the message is a program: an assurance that the code has not been modified (to install a Trojan Horse, for example) is valuable but the privacy or authorship of public-domain software may be unimportant.
An additional desirable characteristic of a robust email system is
assured delivery or guaranteed notification of non-delivery.
We are not concerned with this aspect in our study.