On Sat, Sep 14, 2013 at 04:24:55PM +0100, Sabahattin Gucukoglu wrote:
On 14 Sep 2013, at 15:45, Arnt Gulbrandsen
Name removed to make this a little less flamish:
But really, PGP is the answer you're looking for. :)
I hate to say this, but this is the kind of thing NSA shills say: Point
out some magnificent foobar that certainly will not be deployed, focus
on it, and hope that nothing merely good will get traction.
I have some ideas about why PGP fails so miserably, but that doesn't
really matter. Whatever the reason is, PGP has a twenty-year history of
disuse, so I'm fairly sure that in five years, only a very few people
will use it and its users will not be able to hide in a crowd.
Yes. Absolutely correct; PGP will remain the clique solution exclusive to
fumbling Guardian journalists and tinfoil hat-wearing conspiracy nutters.
I don't know that I could confidently say that it is PGP's implicit trust
model that's FUBAR for ordinary use. I definitely think, though, that the
"Defence in depth" strategy of eventual upgrade to TLS has a better chance of
providing useful results (second place in my mind goes to S/MIME with
web-based automatic provisioning).
But, and this is the reason I made the comment, PGP right now provides useful
security. It's not easy, but it does *EXACTLY* what it proposes to do.
That's a whole lot better than the uncertainty of anything dependent on
hop-by-hop message transfers, at least at the moment.
Well STARTTLS does not preclude use of PGP. You can just use both.
There are not that many MTA implementations out there so if we can persuade
implementers to provide STARTTLS per default, I see this as a path
with good chances to succeed. We could even advise implementers to generate a
certificate. This guidance could be done in an RFC.
ietf-smtp mailing list