--On Monday, August 13, 2012 11:11 +0200 Alessandro Vesely
<vesely(_at_)tana(_dot_)it> wrote:
...
FWIW, I'd like to recall that several governments endorse IETF
protocols by establishing Internet based procedures for
official communications with the relevant PA, possibly giving
them legal standing. Francesco Gennai presented a brief
review of such procedures[*] at the APPSAWG meeting in Paris.
At the time, John Klensin suggested that, while a more
in-depth review of existing practices would be appreciated,
the ITU is a more suitable body for the standardization of a
unified, compatible protocol for certified email, because of
those governmental involvements.
[*]
http://www.ietf.org/proceedings/83/slides/slides-83-appsawg-1.pdf
Alessandro,
Please be a little careful about context, as your sequence of
comments above could easily be misleading.
For the very specific case of email certified by third parties,
especially where there is a requirement for worldwide
recognition (the topic of the talk and slides you cited), the
biggest problem has, historically, been an administrative and
policy one, not a technical standards issue. We know how to
digitally sign email in several different ways -- there is
actually no shortage of standards. While additional standards
are certainly possible, more options in the absence of
compelling need almost always reduces practical
interoperability. Perhaps the key question in the certified
mail matter is who does the certifying and why anyone else
should pay attention. The thing that makes that question
complicated was famously described by Jeff Schiller (I believe
while he was still IETF Security AD) when he suggested that
someone would need to be insane to issue general-purpose
certificates that actually certified identity unless they were
an entity able to invoke sovereign immunity, i.e., a government.
For certified email (or certified postal mail), your ability to
rely on the certification in, e.g., legal matters ultimately
depends on your government being willing to say something to you
like "if you rely on this in the following ways, we will protect
you from bad consequences if it wasn't reliable or accurate".
If you want the same relationship with "foreign" mail, you still
have to rely on your government's assertions since a foreign
government can't do a thing for you if you get into trouble.
That, in turn, requires treaties or some sort of bilateral
agreements between the governments (for postal mail, some of
that is built into the postal treaties).
International organizations, particularly UN-based ones, can
serve an important role in arranging such agreements and
possibly even in being the repository organization for the
treaties. In the particular case of certified email, the ITU
could reasonably play that role (although it seems to me that a
very strong case could be made for having the UPU do it instead
by building on existing foundations).
But that has nothing to do with the development of technical
protocol standards. Historical experience with development of
technical standards by governmental/legislative bodies that then
try to mandate their use has been almost universally poor and
has often included ludicrous results.
A similar example arises with the spam problem. There are many
technical approaches to protecting the end user from spam
(especially malicious spam) and for facilitating the efforts of
mail delivery service providers and devices to apply those
protective mechanisms. Some of them justify technical standards
that should be worked out in open forums that make their
decisions on open and technical bases. But, if one wants to
prevent spam from imposing costs on intended recipients or third
parties, that becomes largely a law-making and law enforcement
problem, not a technical one. If countries decide that they
want to prevent spam from being sent, or to punish the senders,
a certain amount of international cooperation (bilateral or
multilaterial) is obviously going to be necessary. As with the
UPU and email certification, there might be better agencies or
forums for discussion than the ITU or there might not. But it
isn't a technical protocol problem that the IETF is going to be
able to solve or should even try to address, at least without a
clear and actionable problem statement from those bodies.
I do believe that the ITU can, and should, serve a useful role
in the modern world. The discussion above (and some of the work
of the Development and Radio Sectors) are good illustrations.
But those cases have, as far as I can tell, nothing to do with
the proposed statement, which is about the development and
deployment of technical protocol standards.
regards,
john