How should xmail be fixed?

Richard Outerbridge outer at utcsrgv.UUCP
Thu Nov 22 15:53:55 AEST 1984


In setting up a BSD 4.2 system an acquaintance had some trouble getting
the XMAIL package working (enroll, xsend, xget).  The directory that
is used by the package is /usr/spool/secretmail; it is owned by root and
was set to 744.  The problem was that none of the programs could write in
this directory and all of them needed to.  Chmod'ing to 777 gets everything
working, but ALSO -
	1) allows anyone to delete anyone's pending xmail;
	2) allows anyone to muck about with the public keys.

Xsend will warn you if it suspects that the recipient's key has been
mucked about with, but that's really pretty feeble.  Obviously the
recipient can figure out when his key has been corrupted.  Running this
way the scheme can be sabotaged at will (never mind being vulnerable
to traffic analysis).

[OK, OK, xmail uses *knapsacks* and knapsacks can be broken overnight
with an Apple ][ and some fancy integer programming.  I welcome some
discussion about the insecurity of xmail knapsacks vs. the insecurity
of crypt(1) rotors, canvassed here recently by Henry Spencer.]

So: Quare? Any suggestions about how to get this working and secure?
	What (if any) implications for system security would the fix have?
-- 
Richard Outerbridge	<outer at utcsrgv.UUCP>	416 961-4757
Payload Deliveries:	N 41 39'36", W 79 23'42", Elev. 106.47m.
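
The two modes mentioned in the post (744 and 777) can be compared with a small audit of the directory's permission bits. This is an added example, not part of the original post or of the xmail package. The sticky-bit check assumes the restricted-deletion behaviour of current Unix-like systems, which the post does not mention. The file names and the `audit_spool_dir` and `demo` helpers are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_spool_dir(path):
    """List permission findings for a shared spool directory (mode bits only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    can_search = bool(mode & stat.S_IXOTH)
    can_modify = can_search and bool(mode & stat.S_IWOTH)
    findings = []
    if not can_modify:
        # e.g. 744: "other" has read only, so nothing can be created here
        findings.append("other users cannot create entries")
    elif not mode & stat.S_ISVTX:
        # e.g. 777: write+search without sticky lets anyone unlink or rename
        findings.append("any user can delete or replace any entry")
    if can_search:
        # A file's own mode matters only if the directory can be traversed
        for name in sorted(os.listdir(path)):
            fmode = os.lstat(os.path.join(path, name)).st_mode
            if stat.S_ISREG(fmode) and fmode & stat.S_IWOTH:
                findings.append(f"{name}: contents writable by any user")
    return findings


def demo():
    """Audit a throwaway directory under three modes; returns {mode: findings}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample key files, not real xmail data
        for name, fmode in (("alice.key", 0o644), ("bob.key", 0o666)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("constructed public key\n")
            os.chmod(p, fmode)
        for mode in (0o744, 0o777, 0o1777):
            os.chmod(d, mode)
            results[oct(mode)] = audit_spool_dir(d)
        os.chmod(d, 0o700)  # restore so cleanup is unaffected
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings)
```

The 1777 case still reports `bob.key`: restricting deletion in the directory does not protect a key file that is itself world-writable.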



More information about the Comp.unix.wizards mailing list