On Sat, Sep 14, 2013 at 04:45:44PM +0200, Arnt Gulbrandsen wrote:
Name removed to make this a little less flamish:
But really, PGP is the answer you're looking for. :)
I hate to say this, but this is the kind of thing NSA shills say: Point
out some magnificent foobar that certainly will not be deployed, focus
on it, and hope that nothing merely good will get traction.
I have some ideas about why PGP fails so miserably, but that doesn't
really matter. Whatever the reason is, PGP has a twenty-year history of
disuse, so I'm fairly sure that in five years, only a very few people
will use it and its users will not be able to hide in a crowd.
Yes, PGP has not been that successful.
Furthermore pgp still leaves metadata in the clear for sniffers.
starttls does not. That is the To: and From: headers are only transmitted
after the TLS handshake has taken place, and thus the metadata is sent
I am thinking of an advice to application developers to always
have TLS on by default, and to service providers to
always have TLS enabled by default. Still they should in my mind
communicate with non-TLS enabled MTAs - and then over some time everybody
will have migrated to TLS, just like we did with the SMTP -> ESMTP
ietf-smtp mailing list
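The opportunistic policy argued for above (offer and use STARTTLS whenever the peer advertises it, still talk to MTAs that do not, and only send the envelope and headers after the handshake) as an added example; this is not code from the thread or from any of the posters. It uses only the standard library; the EHLO reply and host names are constructed sample data, and `require_tls` is an assumed knob for the stricter variant.

```python
import logging
import smtplib
import ssl

log = logging.getLogger("opportunistic-tls")


def parse_ehlo(response: bytes) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: parameters}.

    The first line is the server greeting ("250-<domain> ..."); every
    following line is one ESMTP keyword, e.g. "250-STARTTLS" or
    "250 SIZE 10240000" (a space instead of '-' marks the last line).
    """
    exts = {}
    for line in response.decode("ascii", "replace").splitlines()[1:]:
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        exts[keyword.upper()] = params
    return exts


def supports_starttls(extensions: dict) -> bool:
    return "STARTTLS" in extensions


def tls_policy(extensions: dict, require_tls: bool) -> str:
    """Decide what to do after EHLO.

    "starttls"  - peer offers STARTTLS: upgrade before sending anything else
    "plaintext" - peer does not offer it and we are opportunistic: carry on
    "refuse"    - peer does not offer it and the caller insisted on TLS
    """
    if supports_starttls(extensions):
        return "starttls"
    if require_tls:
        return "refuse"
    return "plaintext"


def deliver(host: str, port: int, sender: str, rcpt: str, msg: bytes,
            require_tls: bool = False) -> str:
    """Connect, negotiate TLS per tls_policy(), then hand over the message.

    Returns the policy action that was taken so callers can log or
    meter how much of their traffic is still going out in the clear.
    """
    ctx = ssl.create_default_context()   # verifies chain and host name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # smtplib already parsed the EHLO reply; normalise the keys
        exts = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        action = tls_policy(exts, require_tls)
        if action == "refuse":
            raise RuntimeError(f"{host} does not offer STARTTLS")
        if action == "starttls":
            smtp.starttls(context=ctx)
            smtp.ehlo()                  # extensions must be re-read after the upgrade
        else:
            log.warning("delivering to %s without TLS", host)
        # Only now do MAIL FROM / RCPT TO and the headers cross the wire,
        # so on the "starttls" path a passive sniffer sees none of them.
        smtp.sendmail(sender, [rcpt], msg)
        return action


if __name__ == "__main__":
    # Constructed EHLO reply, as a server advertising STARTTLS would send it.
    sample = (b"250-mail.example.test Hello\r\n"
              b"250-SIZE 10240000\r\n"
              b"250-STARTTLS\r\n"
              b"250 8BITMIME\r\n")
    print(tls_policy(parse_ehlo(sample), require_tls=False))   # starttls
```

Note that the "plaintext" branch is exactly the compatibility gap the post accepts for the migration period: a peer that does not advertise STARTTLS gets the message anyway, and an on-path party that strips the advertisement gets the same result. Counting how often `deliver()` returns "plaintext" tells you when that fallback can be switched to `require_tls=True` for a given peer.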