
Re: email standards

2014-09-24 08:12:12
Facilitators cannot help resolve differences in religion or paradigms.

FWIW, the facilitator model that I announced will be useful, I think, but it is 
at a different level than resolving fundamental differences about technology 
direction. I think we can improve discussion style at the IETF (and have, I’d 
argue). But while having good, civil, rational, and fair discussions is a great 
thing, it doesn’t remove the situations where, for instance, different groups 
of people have very different goals or use cases in mind.

PGP has a monopoly on mindshare, S/MIME has a monopoly on deployment.

It's like Betamax vs VHS. If we are going to get endymail deployed we
have to get them to move to BluRay.

Like others on this thread, I think the issue has not been so much in the 
differences between two partially deployed solutions. The crux is having 
something that works for a broad range of users, easily. And we are *not* there 
today.

Apple's Mail.app on desktops allows an S/MIME key to be bound via
Keychain to a particular correspondent, without placing any trust
in whatever CA may have issued the certificate.  This makes S/MIME
usable with a TOFU trust-model.

So for me the sweet-spot has been S/MIME with direct (leap of faith)
trust.  I am disappointed when I can't use TOFU with S/MIME in some
other MUAs.

Yes - I have a lot of sympathy for this point of view. Taking this slightly 
more towards the end-user view, not sure I care about what bits are underneath, 
as long as I can achieve what I need to achieve. For a lot of users that 
appears to be hierarchical/unconditional trust for their employer’s 
organisation _and_ the ability to TOFU for the authentication with their 
friends, family, and external entities. Perhaps TOFU not just with individuals, 
but also with organisations.

The question is, how much of this is protocol machinery and how much UI design? 
Maybe we need to put the main e-mail app developers into a room and not let 
them out until they have prototypes of usable TOFU *and* hierarchical security 
in their apps :-) I’m joking of course, but it is also true that if the 
industry needs to do something, they have in many cases come together even as 
competing entities, and taken on the challenge. Interops, world v6 launch, etc. 
But I’m not the expert. You guys are - what would help?

Jari

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
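
The trust split discussed in this message (hierarchical trust for the employer's organisation, TOFU for everyone else), sketched as an added example that is not part of the original message or of any MUA's code. The class, method and result names are hypothetical, the certificates are constructed byte strings, and finding the issuer by chain validation is assumed to be done by the S/MIME library.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate: the value that gets pinned."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TrustPolicy:
    org_domain: str      # the employer's mail domain (assumption)
    org_issuers: set     # fingerprints of the employer's CA certificates
    pins: dict = field(default_factory=dict)  # sender address -> leaf fingerprint

    def evaluate(self, sender: str, cert_der: bytes, issuer_fp: str) -> str:
        # Addresses are compared case-insensitively, a simplification.
        sender = sender.strip().lower()
        domain = sender.rpartition("@")[2]
        leaf = fingerprint(cert_der)

        if domain == self.org_domain:
            # Hierarchical: only the employer CA vouches for employer addresses.
            # There is no fallback to TOFU here, otherwise a self-issued
            # certificate could be pinned under a colleague's address.
            return "org-trusted" if issuer_fp in self.org_issuers else "org-rejected"

        pinned = self.pins.get(sender)
        if pinned is None:
            # Leap of faith: remember the first certificate seen for this sender.
            self.pins[sender] = leaf
            return "tofu-new"
        # Later messages must present the pinned certificate; the issuing CA
        # plays no part in the decision.
        return "tofu-match" if pinned == leaf else "tofu-changed"

    def accept_change(self, sender: str, cert_der: bytes) -> None:
        """Re-pin only after the user has confirmed the new key out of band."""
        self.pins[sender.strip().lower()] = fingerprint(cert_der)


if __name__ == "__main__":
    policy = TrustPolicy("example.com", {"constructed-ca-fp"})
    print(policy.evaluate("alice@example.net", b"constructed cert A1", "any"))
    print(policy.evaluate("alice@example.net", b"constructed cert A2", "any"))
```

A "tofu-changed" result leaves the old pin in place, so the user interface decides whether to warn, block, or call `accept_change`.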