Yo!
Jumpin' in late... [site-admin: please mark the mail archive at
../ietf-open-pgp/mail-archive as dead, or redirect to the real mail
archive. the charter on
http://www.ietf.org/html.charters/openpgp-charter.html still points to
the old location, so I assumed the list was dead. Just being nosy: the
agenda in the charter seems pretty much outdated, too. How does the
current agenda of the wg look like?]
As the one who apparently sparked this particular instance of this
discussion (remember
http://www.imc.org/ietf-openpgp/mail-archive/msg04314.html )
http://www.imc.org/ietf-openpgp/mail-archive/msg04373.html and the fact
that it's always difficult to prove that you have not done something or
that you do not possess some information convinces me that both ESE (or
SES) and my proposed 'intended encryption key' extension will never work
out. It all boils down to the fact that cryptography cannot replace
trust. So: No, I don't want to reopen this discussion.
Other comments to issues raised in this thread:
Something seemed odd throughout the discussion (the one I had on
gnupg-users, as well as the one you had here, which I only just found):
Tools (e.g. software) are made to automate and ease some tasks. The user
employs tools to get something he wants. It's not that tools are just
around until a user comes along and thinks 'oh, my, what may I do with
/that/?' So, if the user's expectations and the current behaviour of the
tool disagree, I'd want the tool fixed, not the user. To me, it seemed
that this got a bit lost in the discussion.
context info in mail, Mail headers: while message/rfc822 encapsulated in
multipart/signed would cover the issue of the headers not being
protected, it would be cumbersome to use with non-gpg users. Why not
copy these headers down into the MIME headers of the first MIME part of
the multipart/signed message? Of course, mailers will have to support
this and indicate clearly which information is signed and which is not
(kmail 1.4 does this nicely with colored boxes (at least for clearsigned
mail), evolution doesn't). encrypted messages can only be read with
gpg-enabled mailers anyway, so rfc822-encapsulation would probably be
easiest (encrypting recipient and sender may make sense, people could
just use usenet groups to make messages intraceable. Of course, normal
e-mail will still have valid To: and From: headers...). This was
probably discussed before - might somebody point me to the relevant
thread?
cheers
-- vbi
--
secure email with gpg avbidder(_at_)fortytwo(_dot_)ch: key id
0x92082481
avbidder(_at_)acter(_dot_)ch: key id
0x5E4B731F
signature.asc
Description: This is a digitally signed message part