ietf-smtp

Re: [ietf-smtp] guidance on how to secure against sniffing and paid backdoors

2013-09-14 10:41:09
On Sat, Sep 14, 2013 at 04:24:55PM +0100, Sabahattin Gucukoglu wrote:
On 14 Sep 2013, at 15:45, Arnt Gulbrandsen 
<arnt(_at_)gulbrandsen(_dot_)priv(_dot_)no> wrote:
Name removed to make this a little less flamish:
But really, PGP is the answer you're looking for. :)

I hate to say this, but this is the kind of thing NSA shills say: Point
out some magnificent foobar that certainly will not be deployed, focus
on it, and hope that nothing merely good will get traction.

I have some ideas about why PGP fails so miserably, but that doesn't
really matter. Whatever the reason is, PGP has a twenty-year history of
disuse, so I'm fairly sure that in five years, only a very few people
will use it and its users will not be able to hide in a crowd.

Yes.  Absolutely correct; PGP will remain the clique solution exclusive to 
fumbling Guardian journalists and tinfoil hat-wearing conspiracy nutters.

I don't know that I could confidently say that it is PGP's implicit trust 
model that's FUBAR for ordinary use.  I definitely think, though, that the 
"Defence in depth" strategy of eventual upgrade to TLS has a better chance of 
providing useful results (second place in my mind goes to S/MIME with 
web-based automatic provisioning).

But, and this is the reason I made the comment, PGP right now provides useful 
security.  It's not easy, but it does *EXACTLY* what it proposes to do.  
That's a whole lot better than the uncertainty of anything dependent on 
hop-by-hop message transfers, at least at the moment.

Well, STARTTLS does not preclude use of PGP.  You can just use both.

There are not that many MTA implementations out there, so if we can persuade
implementers to provide STARTTLS by default, I see this as a path
with good chances to succeed. We could even advise implementers to generate an
auto-signed certificate. This guidance could be done in an RFC.

best regards
keld
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
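The message above argues for MTAs offering STARTTLS by default and for clients using it whenever the peer offers it, alongside PGP. What that looks like on the wire is the EHLO reply: a client only knows the hop can be encrypted if the server advertises the STARTTLS extension there. The following is an added example, not code from the thread or from any MTA, showing how a client parses that reply and what an opportunistic versus an enforced-TLS policy does when the extension is missing. The server name, the SIZE value and both EHLO replies are constructed sample data.

```python
"""Added example (not from the ietf-smtp thread or any MTA project):
parse an SMTP EHLO reply, detect the STARTTLS extension, and apply an
opportunistic or enforced TLS policy. All sample data below is constructed."""
from typing import Dict, List

# Constructed EHLO replies, CRLF-terminated as they appear on the wire.
# The first "250-" line is the server greeting; later lines are extensions.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Return {EXTENSION_KEYWORD: [parameters]} from a 250 multi-line EHLO reply.

    Every line must start with "250"; intermediate lines use "250-" and only
    the final line uses "250 " (RFC 5321 multi-line reply format). A reply that
    breaks this shape raises ValueError rather than being guessed at, since a
    truncated or tampered reply is exactly the case that must not silently
    look like "no STARTTLS".
    """
    lines = reply.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty element left by the trailing CRLF
    if not lines:
        raise ValueError("empty EHLO reply")
    extensions: Dict[str, List[str]] = {}
    for index, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        is_final = line[3] == " "
        if is_final != (index == len(lines) - 1):
            raise ValueError("250-/250 continuation markers are inconsistent")
        if index == 0:
            continue  # greeting line, not an extension
        words = line[4:].split()
        if not words:
            raise ValueError("empty extension line")
        # Keywords are case-insensitive; normalise so lookups are reliable.
        extensions[words[0].upper()] = words[1:]
    return extensions


def offers_starttls(reply: str) -> bool:
    """True if the server advertised the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def delivery_decision(reply: str, require_tls: bool) -> str:
    """Decide what the client does next after reading the EHLO reply.

    'starttls'  -> issue STARTTLS and re-EHLO over the encrypted channel
    'cleartext' -> opportunistic mode: deliver unencrypted because the peer
                   offers nothing better (this is the downgrade exposure the
                   thread's hop-by-hop remark refers to)
    'defer'     -> enforced mode: do not send; queue and retry later
    """
    if offers_starttls(reply):
        return "starttls"
    return "defer" if require_tls else "cleartext"


if __name__ == "__main__":
    for label, reply in (("with", EHLO_WITH_STARTTLS), ("without", EHLO_WITHOUT_STARTTLS)):
        print(f"{label} STARTTLS: extensions={sorted(parse_ehlo(reply))}")
        for enforced in (False, True):
            print(f"  require_tls={enforced}: {delivery_decision(reply, enforced)}")
```

The point of the strict parser is that a missing or mangled STARTTLS line is indistinguishable from a server that never offered it; in opportunistic mode the client then falls back to cleartext, which is why a default-on MTA side and, where policy allows, an enforced client side are needed together. For a live check against a server you operate, the standard library's `smtplib.SMTP` object exposes `ehlo()` and `has_extn("starttls")`, which implement the same lookup.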
