1. If you are a citizen or a resident, you get an ID card to use for every public service. It's just a smart card with a government PKI.
2. The public services provide an email account that can only be used within the e-government services. The card is used for accessing those services.
3. The email service accepts either identity number or registry number of the recipient. So the recipient can be a legal entity.
4. You can and almost always do provide a forwarding address, so that you don't need to check.
5. You can't use it for other purposes. No RFC defined email address is shared with you. And it's just an internal system for official issues.
I've heard some countries issue mailboxes for citizens but I am not aware of the general use of these. Also, email services were designed to be decentralized but evolved into centralized systems, a current and unsolved problem. I am not sure about the privacy and security of government provided email services.
If you read about the history of the institution, this is really what was intended in its constitutional incorporation. It really wasn't about physical mail per se, and you can't hold the founders accountable to something that was outside the realm of imagination at the time.
There's all sorts of information-structural things that are in the bounds of the USPS per the intent of its creation.
Many services would want to use your PKI token as identification, we would likely give up a lot of privacy because of its existence/ease-of-use.
It’s going to be an uphill battle or impossible as PKIs are too obscure for the average citizen to understand the benefits and any whiff of a federal ID card will be treated like the mark of the communist coup beast.
We also get a state-issued ID card with PKI. We can access tons of services. Last I read I can buy a house, fully remotely. Including notary services via video call + all parties need to sign stuff with our ID card.
We get health results via email as an encrypted PDF, where the password is given at the time when I submit samples.
Many businesses also use the ID card to sign contracts between parties.
Bank transactions involve Smart-ID, 2FA app that I have to authorize via ID card for remote setup for any new device. (It involves generating new certificates) Smart-ID is developed by Estonia and is very convenient, secure way to authorize payments.
As for communication, no state issued email. However we usually get email notifications, for example from state tax service, that we should log in and read whatever we have to.
What works for a tiny state isn't always appropriate for a big state.
1. An ID card you can use to access some services (carta di identità digitale)
2. Another card you can use to access healthcare related services and some other services (carta nazionale servizi)
3. SPID: your digital ID to access yet some other services, and also some of the above services. It is not released by the government but by other authorized entities such as banks, the national mail service and others. You need to pay a small fee for the verification, and sometimes an annual fee. There are different SPID levels but no one actually knows the difference between them.
4. PEC (posta elettronica certificata): a digitally signed email box you can use to send/receive documents, invoices, etc. or simply messages. Those are legally attributed to you and you can use it to talk to government agencies instead of sending registered paper mail. As SPID it is issued by an authorized third party.
We also have some smartphone apps that work as a combination of the above, and need some of the above to work.
As you can see it is a mess, a waste of tax money and we will need to waste more money in the future to make this mess work.
Nice :)
Edit: and by the way when you need something really important all the above are useless: you either need to start hopping from a public office to another (we have a lot of them) and/or go to a notary (a kind of medieval bureaucrat you pay a lot of money to sign and stamp sheets of paper)
Btw, a nice insight into email is also that it is one of the very few systems that decouples protocol from provider (Matrix and xmpp do that too, not widely adopted sadly) AND also has critical adoption (which Whatsapp also has in my country, sadly we are stuck with Meta there). We should never give up email because we will likely never get an open and free system like that back without some kind of government intervention. (Even though we all know email is a sub-optimal pile of hacks.)
The notifications you can set up to a normal email address invariably only say that institution X sent you a message, but never specify the topic. That means you have to login to see if it is actually important and actionable or just something you already knew or a confirmation of something you submitted.
Even worse is this common scenario:
* Get notification that X sent something to Berichtenbox
* Login to Berichtenbox (first get mobile phone for required 2FA)
* Message says new information is available in X's web portal
* Login to X's web portal (mijn.somethingsomething.nl)
* Read totally pointless message that could even have been sent in plain email
Compare this to the postal flow:
* Get letter, read it
I think these days you can deactivate Berichtenbox and receive important information via post again, but this was not an option in the first year or so, so even experimenting with it was risky.
1. You get an email in your regular email stating that there is a new message in your Berichteninbox. (No clickable link, presumably to avoid phishing.)
2. You go to mijn.overheid.nl to access your Berichteninbox. You sign in with DigID.
3. You open the mentioned message, which says a PDF with the actual letter is attached.
4. You open the PDF.
5. The PDF says you'll be able to file your tax returns a month from now.
Side note: Denmark has a one time pad instead of a smartcard. A smart phone app has since been added, and the one time pad will be discontinued in about a year, sadly.
The PKI thing includes a physical ID card, a software solution called Smart-ID and a mobile solution called Mobile ID. The software solutions are just authenticator apps that you've matched with your ID.
This is the biggest flaw in the design. Tying the ID card to a single identity.
If you're using it with a bank, it needs to be tied to your bank account. If you're using it for physical access control at your company's building, it needs to be tied to your employee account. These are different things, and should be different things, for security.
You don't want a single system for everything. It makes the incentive to break it stronger, so it gets broken more often. It makes the consequences of it getting broken larger, so the damage when it happens multiplies. And it gets integrated into everything, so the amount of time it takes to roll out fixes increases. It's a security nightmare, and it gets polynomially worse the bigger the country is that tries to do it that way. (For reference, the GDP of Estonia is less than one third the revenue of Costco.)
No, it's solid design. It's a very simple safe primitive. You can build endless infrastructure on top of it. Similar to subkeys.
For example a lot of businesses use Smart-ID on top of that. You need to tie the smartid stuff to your PKI identity. But after that you can just use that as identity.
Banks require your ID whether it's smart or not. But it's not for payment purposes but for authentication. And they are not state bodies, but private commercial entities. They are not part of the PKI ecosystem of the state.
> You can't use it for other purposes. No RFC defined email address is shared with you
This is not entirely true. You get both:
* idcode@eesti.ee can only be used by government senders.
* you also get first.last.uniqueid@eesti.ee which works as a regular email address.
In France, we are not as advanced as Estonia when it comes to e-government services, but we have an official identification system called "France connect", and government services have private messaging systems to communicate with them. And I think many countries have similar systems. The only difference seems to be that it is better integrated in Estonia.
I was heartened (and a little surprised) that Jack Dorsey recently mentioned that the draconian control of the Twitter API was the worst thing Twitter had done [1].
The corporatisation of the Internet has undone a lot of the great work that had traditionally underpinned the network.
It feels like the slow, laborious and fundamentally equitable nature of standards ratification in the open has been seen to be at odds with the OKRs of tech businesses.
Businesses that sell and work with natural resources are starting to wake up to the idea that a degree of cooperation and inter-market regulation with peer companies can positively impact individual performance. Sustaining business is even more fundamental than making profit.
In the same sense, open protocols can help to develop rich and sustainable markets that benefit the consumer, as well as those businesses that operate within it.
[1] https://www.revyuh.com/news/software/developers/twitters-fou...
Now private corporations are the primary agents of change, and they are driven by very different incentives. When was the last time you heard of a company based around open protocols being valued at a billion dollars?
And the money involved is just too great. I don't see how anything is going to change.
I saw a need for a safer, better, decentralized protocol for email, so I drafted one (TMTP) and implemented client & server. More at:
https://mnmnotmail.org/ & https://twitter.com/mnmnotmail
Related protocol projects in development include:
I appreciate how the tide turned, but society's appetite changes over time; and the fact is, open protocols are not anti-profit, or anti-business.
At the risk of sounding like I'm trivialising this comment (with which I completely agree), this difference in behaviours has as its root the difference between a long- vs short-term mindset.
Open standards of federated systems could lead to slow sustainable growth with a spot for the original designers and pushers of the protocol. But open standards won't let you fully dominate the market, they don't allow you to leverage all the VC cash, and so they don't pay back on massive investment. Because quite a lot of the benefits are shared.
Moreover, slow growth can't compete with VC cash investment. The VC backed competition will have a better UX, more features, aggressive marketing, and in general be more developed. All because they can develop their product a lot faster because they have more money behind them.
I wasn't, because he didn't do jack shit to change it. We hear this bullshit all the time; big actors sound off about what was wrong at their previous places, but rarely did they do anything to upset the apple cart.
Twitter wasn't his github repo, it was his gazillion dollar company that has to answer to a lot of stakeholders.
(That being said, no reason to not get on them about it.)
I'm still of the opinion there should be public-option internet services. Everyone deserves an e-mail address that cannot be taken away from them without a court order.
Not even a court order, arguably. Internet access and its essential services, like email, are arguably a human right in developed countries. Almost impossible to find employment without it.
And yet, it can be taken from you with a court order.
Like for phone numbers (at least here you can migrate the whole number, even with ndc)
The state could give out an email address like a social security number and you just use that as an alias and can choose whatever provider you want.
And for these email addresses the providers would be obliged to take you. (Like for mandatory insurances. We have them where I live)
btw, Germany did this a decade ago: giving everyone an email account with the national mail service, as an "official email." I honestly don't know anyone here who uses it.
How common is this if you’ve setup DKIM, SPF, etc.? I’ve only heard about problems in that context where someone hadn’t done the basics or was trying to send from shared IPs and hit some spammer’s past reputation.
There are many decisions that impact the usability and cost of the service. Some people need high volume sending or large mailbox storage. Do you punish people for sending spam? Do you filter spam, if so, how. Do people need public terminals to access the service? Etc.
> Do you punish people for sending spam?
Only by making them pay for every mail they send.
> Do you filter spam, if so, how.
On the receiving end. A plugin system would let people choose to subscribe to updated blocklists and filtering rules, just like modern adblocking.
> Do people need public terminals to access the service?
Same way it is now. The vast majority of people have their own smart devices, and for the ones who don't there's the public library.
SSN-xx-HERE@citizen.gov is a how, which may or may not be a good one. For one, here in France, the SSN isn't as important as it seems to be in the US, so its being public is probably less of an issue. This approach would still be bad for spam or whatever.
Another how could be by using the same kind of naming in use elsewhere, as in name.surname.213@citizen.gov. Except that not anyone would be able to randomly open an account. You'd have to go through some kind of agency that would check your ID. This would allow them to expose a way of changing (in case it's overrun by spam) or unlocking (in case of lost password) your account safely.
We have a more or less similar thing in France with bank accounts: you have an "opposable right" (as in, undeniable) to have a basic bank account. Not sure if this is a French law or an EU directive, but I think the same could work for email.
In fact, I can't think of a single market dominated by a handful of large companies that hasn't been improved by the introduction of a government competitor.
There's a reason telcos lobby hard against community broadband and that financial institutions dial back the usuriousness of their fees when the post office offers bare bones accounts.
In France at least, many people (mostly the elderly) are having a hard time using computers and such. Some Government agencies have dedicated personnel to help them with filling in the forms and such on dedicated computers. It could probably be easier for them if they also provided email instead of relying on a third party provider. Grandma lost her password? No biggie. If she has her ID, we can reset it for her. Good luck getting any kind of support from Google / Yahoo in such a case.
Of course, I will explicitly say that I would be very much against such a service being compulsory for the people. I just think it should exist.
There is also the issue of data stewardship, (democratic) governments can ensure independent reviews and be held accountable for security breaches and data misuse. They could also be held liable for losses incurred by service defects.
Why?
* applying for jobs
* getting covid tests/vaccines
* buying virtually anything online
* interacting with the government online (I needed to provide an email address to update my driver's license and vehicle registration)
* opening a bank account
* renting an apartment
These are important things, so we might as well have some guaranteed way to access these services. Especially because you need an email to interact with a lot of government services.
Taking away an email address someone has had and is their primary point of contact for years, possibly decades is irreplaceable. Being able to create a new one isn't equal to the old one.
Not sure about elsewhere in the world, but even regular mail isn't that painful in my country. Pay a nominal fee to Australia post and you can have all mail addressed to you forwarded from your old to new address for N months (or years).
... why? What are you basing this on legally/morally other than your own want?
Other than fiddling around the edges with security improvements, spam filtering, and a few other nice-to-haves, there's not really much that needs improvement.
Some features of email that are nice:
- It's completely open standard
- I can host it myself if I want, or not.
- It is completely decentralized and roughly point-to-point, subject to email routers.
- Other than getting an email address, no other 'linkage' or prepwork with that person is required.
- My address is not tied to any other service, like a phone number. (in contrast to e.g. WhatsApp)
- It supports unsolicited communication from unsolicited sources (e.g. marketing)
- It's easy to ignore communication I don't care about. (e.g. marketing)
- Non-people are supported, like group emails/aliases (support@...)
- I can trivially attach files, subject to some practical constraints
- Email can be handled by the recipient in a wide variety of ways using different client mechanisms.
- I can front-end my email in a variety of ways, such as with a contact form.
Those are just the few I can think of off the top of my head. I'm sure there are others.
The key part of course is that it is completely open and standardized. Nobody owns it. That is a lesson that we should learn, but is every time forgotten.
No proprietary walled garden can ever come close to the usefulness of email precisely because email is open and standard. With proprietary systems it is inevitable users are subject to the whim of the owner. Might not be able to get accounts, or be arbitrarily banned, or have the app only available on limited platforms, etc.
I've been using email since the late 80s and more importantly I've had the exact same email address since the mid 90s. It's been hosted by multiple providers and the last decade I've been hosting it myself. But always the same domain and address.
No proprietary system can ever compete.
https://en.wikipedia.org/wiki/Lindy_effect
Any replacement will have to keep the above in mind because there's no test like the test of time.
And it has the security improvements and others as well (see features of e.g. Discord or WhatsApp).
Anyways, I don't think I still use email for its intended purpose anyways. It mainly became something to tie accounts to and to 2fa
- It is designed well for medium-length content, say a few paragraphs or so per message.
- It works well, and is mostly understood to be used for asynchronous communication.
- Easily and usefully searchable.
- Captures state/context well.
- Threaded
That's why I find Delta Chat piggybacking on Push-IMAP such an interesting concept: https://delta.chat
Here's my ASK HN: https://news.ycombinator.com/item?id=22854641
In theory, email is a service that is simple enough for anyone to run themselves. Most Linux distros come with sendmail, so theoretically it should be as easy as reading the manual and exposing some ports. Spam is performed server side both at the origin and at the destination to mitigate bad actors, and because email is simple, there should be no shortage of clients to choose from.
In reality, 1/4 of all email users globally are on Gmail. Apple Mail is the most popular mail client followed by Outlook, then Gmail. SMTP and IMAP are theoretically simple, but the bellwether providers use APIs on top of these protocols that have added some functionality at the expense of restricting the proliferation of email clients. Many large companies that used to run their own email (through Exchange, Zimbra, etc) are moving to hosted Office 365 or Google Workspace. One major AWS-scale outage in Gmail or Azure will incite (and has caused) serious panic and disruption (which is great for SREs like me since we’ll continue to get paid serious money to keep all this stuff running while maintaining a healthy work-life balance, but I digress).
Furthermore, one doesn’t simply “stand up” their own email server unless they don’t care about landing in people’s spam folders.
Additionally, many companies outside of the US _do_ use WhatsApp (Facebook) for official communication. I’d posit that this trend is only accelerating.
I agree that email is fundamental technology, but I can see a future where it disappears in favor of something like federated Slack (or, worse, instant messaging centralized and controlled by the FAANG cabal with insurmountable cost-of-entry). Given the suppression of “free speech” on Twitter et al during peak COVID/peak insurrection (for valid reasons), this is slightly worrying.
Apart from that, email is not going anywhere (not going away) anytime soon as the standard medium for B2B communication. And in B2C communication as well, an email address is the one baseline you can count on everyone having. I don't see that being replaced by anything proprietary either.
I don't have whatsapp, or discord for that matter. I have slack for work but I don't use it externally. I will probably never have those systems for my personal communication which means that if a company wants to communicate to me they are going to have to use email, full stop. I think there is a large barrier to email ever going away. Removing it from the market would require coordination that most companies and providers will probably never want to engage in. It's a lowest common denominator that all of them will want to support to avoid their users getting silo'd into a system that is not theirs.
"perfect is the enemy of good"
What is old is new again.
When modems became fast enough to handle a TCP/IP connection it was ~1994 and by then Internet was already (relatively) cheap and available.
Just like HTTP/1.1 can't be deprecated because too much infrastructure depends on it.
These protocols are simple and as complexity fails we all need to go back to them!
I really don’t think this is true, and is defeatist at best. SIP and XMPP both had a good shot at creating a federated Internet-wide communication system, and we are doing our best to build one with Matrix or die trying.
The achievable security is significantly higher for an offline capable medium for example:
* https://articles.59.ca/doku.php?id=em:emailvsim
It is clear to me at least that we are stuck with at least 2 problems here. I have wondered if you could at least generalize the two modes in a way that would allow you to have one client and let the user decide.
My personal focus within the community these days is with improving the ecosystem UX through initiatives like https://docs.modernxmpp.org/
You can follow XMPP development via the community newsletter (email or RSS): https://xmpp.org/newsletter/
If for no other reason, this is why no closed system will ever supplant email. Even the biggest walled gardens like GOOG and FB bow to the power of email identities in the end, as the preferred (maybe even only) way to recover an account.
Coming up with yet another way of encoding key-value pairs (or any type of serialization) is not engineering; you have not addressed the concrete problem in any way what so ever other than explaining what the syntax will be.
Like wtf is wrong with you people? How hard is it to call encrypt_message(your_message) and verify_message(their_message) without introducing RCE vulns? There is nothing hard about delimiting different entries in a list (for argv or whatever). This is pre-school stuff. The reason people omit it is because UN*X makes the path of least resistance to be insecure shit like system(), but even then it's still easy to work around it time after time if you are above the age of 12.
Federation is also a hare-brained concept. Why in the hell do I want my address to be qualified with some stupid string? Is this so I can make a group and LARP about firing missiles from mydomain.com to yourdomain.com? How is it possible that XMPP was created with the same idiotic concept once we already knew email was garbage? Federation is absolutely and thoroughly pointless. The literal only reason it makes any sense is because if it was fully centralized, the service would just be dead once company #1 dies.
DAY OF THE SEAL SOON
The reason that large companies struggle or fail to implement systems like Slack and Teams is not because they are superior to email. It's because these huge corporations treat employees as faceless cogs in a machine. Email fails, email delays, email sucks; everyone knows this and accepts it, so it becomes the only way to take a break from the corporate pressure cooker.
I suspect in the future small companies that treat their employees as human and can use better tools effectively will eventually take over sufficient market shares to force large companies (they already are really) to reevaluate the dispensability of their workforce.
The death of email is a social not tech problem.
I actually run Android-x86 VM on a server because of WhatsApp, which I need for work. And it has some problems, for example to allow the browser to access the app, you need to scan a QR code - but I did not find a webcam emulator (think: v4l2-loopback on normal Linux) for Android or a way to emulate a webcam in VirtualBox or Qemu, so I need to copy the VM image to a computer with physical webcam, scan the code by pointing the webcam to the screen, and then copy it back to the server. WTF.
Or am I missing something? How do people without smartphones use WhatsApp (for communicating on a computer)?
Anyone with your email can not only impersonate you, but gain access to many of your online accounts.
Most people in my family and closest friends prefer SMS, even texting large image and video files (not really what the protocol was designed for, right?). Anyway, I tend to use what my people use.
For certain definitions of “reliable”!
(though reliably available at least which can't be said for anything else, no matter how reliable in other senses)
SMTP will prevail and at some point all the messaging will be done over it just like HTTP/1.1...
Actually, that’s snail mail.
I am very concerned how people here are stating how good, simple and reliable it is. They are not wrong but so is IPv4 and the C language. Sentiment has no place in building a secure and proper future technology.
Not a single messaging app I’ve used comes close to email. And I can’t use one messaging app, I have to have 6! I would be way more willing to move on from email if a solid viable alternative came along. XMPP, for example, is still too ephemeral and barely anyone uses it.
You seem to have missed the point of the article. Email is a necessity - there is no alternative.
But good luck moving people off email
E-mail is grotesquely expensive to manage because of its weaknesses and its use as a vector of attack.
The best replacement solution is an organisational portal that people use to communicate with the organisation and upload/download documents. Some governments and banks have already been handling interactions with external entities and citizens/customers this way for years.
The upload and download tunnel is secure, the receiver can scan the uploaded information (detonate in a sandbox if necessary), and the sender can trust the messages and documents that are downloaded.