ietf

Proposed Proposed Statement on e-mail encryption at the IETF

2015-06-02 08:45:18
Hi all,

All this "HTTPS everywhere" mail collided for me this morning with a similar 
avalanche of press about Facebook's freshly-announced use of PGP:

https://www.facebook.com/notes/protecting-the-graph/securing-email-communications-from-facebook/1611941762379302

Mail to public mailing lists can already be signed (like this one is). It'd be 
nice if mailman didn't MITM the signed content, so that the signature can be 
validated. (Perhaps it will; I will find out after I hit send.) There's lots of 
other mail from individuals to closed groups like the IAB and the IESG and from 
IETF robots to individuals that *could* be encrypted, or at least signed. There 
is work here that *could* be done.

If the argument that we should use HTTPS everywhere (which I do not disagree 
with) is reasonable, it feels like an argument about sending encrypted e-mail 
whenever possible ought to be similarly reasonable. Given that so much of the 
work of the IETF happens over e-mail, a focus on HTTP seems a bit weird.

Note that this is not an attempt to start a conversation about whether PGP is 
usable, or whether S/MIME is better. I will fall off my chair in surprise if it 
doesn't turn into one, though.


Joe

Attachment: signature.asc
Description: OpenPGP digital signature