ietf-asrg

RE: [Asrg] How to defeat spam that uses encryption?

2003-03-31 18:35:07
From: "Eric D. Williams" <eric(_at_)infobro(_dot_)com>

...
All: A question: is the discussion of end-user MUA technology uses
of encryption something people want to address as a 'spam' control
solution?

It's a complete non-starter and waste of time, because it suffers
the threshold problem in the worst way.  Early adopters get no
benefit and many hassles.  Despite decades of work, the mechanisms
to distribute keys are practically useless.  The user interfaces
are coming along, but they're still poor and sometimes just 
don't work.

The mechanisms designed to distribute keys are fine. The problem
is the attempts to use X.500 and LDAP for this purpose which are
longstanding abject failures.

The problem with encryption is that encrypting a message says 
NOTHING about its authenticity. I can send you an encrypted
message that purports to be from anyone I choose. To get any
statement about authenticity you need a signature.


You can sometimes justify the practical hassles of encryption for
keeping your communications private, but that avoids the threshold
problem.  Many of us have used at least PGP for professional reasons,
but that's a whole other world.

Don't project your experiences of PGP onto PKI. PGP has a very 
specific design which is fine for its intended purpose but that
is not to provide a PKI.


Encryption, whether signing by senders or decrypting by receivers, is
useless against spam until almost all of your correspondents use it.

It is useless against spam at any time.

Authentication is useful as a means of bypassing spam filters and
avoiding false positives even if relatively few people use it.


                Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
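
The distinction drawn in the message above, between encrypting a message and signing it, as an added example that is not part of the original post. It uses toy textbook RSA without padding; the keys, addresses and the `route` filter policy are constructed for illustration.

```python
import hashlib

# Toy textbook RSA without padding, on constructed keys: illustration only.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def encrypt(pub, plaintext):            # needs only the recipient's PUBLIC key
    return pow(int.from_bytes(plaintext, "big"), pub[1], pub[0])

def decrypt(priv, c):
    m = pow(c, priv[1], priv[0])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(priv, msg):                    # needs the sender's PRIVATE key
    return pow(digest(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == digest(msg, pub[0])

def route(msg, sig, known_senders):
    """Hypothetical filter policy: a valid signature from a known key skips
    the content filter; everything else is filtered as usual."""
    claimed = msg.split(b"\n", 1)[0][len(b"From: "):].decode()
    pub = known_senders.get(claimed)
    if pub is not None and sig is not None and verify(pub, msg, sig):
        return "bypass-filter"
    return "content-filter"

# Constructed keys (Mersenne primes) and constructed addresses.
BOB_PUB, BOB_PRIV = make_key(2**521 - 1, 2**607 - 1)        # recipient
ALICE_PUB, ALICE_PRIV = make_key(2**127 - 1, 2**1279 - 1)   # known sender
KNOWN = {"alice@example.org": ALICE_PUB}

FORGED = b"From: alice@example.org\n\nCheap pills"       # not written by Alice
GENUINE = b"From: alice@example.org\n\nMinutes attached"
GENUINE_SIG = sign(ALICE_PRIV, GENUINE)

if __name__ == "__main__":
    # Encrypted to Bob by a third party: decrypts cleanly, proves nothing.
    print(decrypt(BOB_PRIV, encrypt(BOB_PUB, FORGED)) == FORGED)
    print(route(FORGED, None, KNOWN))           # content-filter
    print(route(FORGED, GENUINE_SIG, KNOWN))    # content-filter (replayed sig)
    print(route(GENUINE, GENUINE_SIG, KNOWN))   # bypass-filter
```

The encrypted message opens correctly for the recipient whoever produced it, while only the message signed with the known sender's private key is allowed past the filter.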