Re: [ietf-smtp] Two recent Internet-Drafts about using TLS with email protocols

2013-10-25 00:52:38
On 10/24/2013 12:50 PM, Wei Chuang wrote:

    To me it seems that a comprehensive approach to encrypting email
    traffic actually needs to cover three separate cases: (1) mail
    relaying, (2) MUA-MSP interactions, and (3) end-to-end
    encryption. Cases (1) and (2) are similar in goal - protect
    emails being transmitted over the network from eavesdroppers and
    active attacks - but subtly different in implementation. Case
    (3) protects emails from being disclosed to servers which are
    operated by third parties and which might be compromised. None
    of these is sufficient by itself, because (1) and (2) by
    themselves don't protect the messages while they're stored on
    third-party servers, and (3) doesn't protect against traffic
    analysis - which when dealing with mass surveillance seems to be
    as important as protecting the actual contents of the messages.

    Of these, the most difficult problem seems to be (3). Solutions
    for (3) e.g. PGP and S/MIME have been around for a long time, but
    they haven't been widely deployed. This seems like an area that
    is worth revisiting.

+1 (While I'm one of the authors of a TLS-based approach, I'd also
like to see more discussion/ideas of privacy protecting end-to-end

One idea I've wondered about is whether social networks (perhaps with
real-time video conferencing) can be leveraged to assist web-of-trust
style key signing.


