
RE: Proposed Proposed Statement on e-mail encryption at the IETF

2015-06-02 08:55:55


-----Original Message-----
From: ietf [mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Joe Abley
Sent: Tuesday, June 02, 2015 9:45 AM
To: IETF Discussion Mailing List
Subject: Proposed Proposed Statement on e-mail encryption at the IETF

Hi all,

All this "HTTPS everywhere" mail collided for me this morning with a similar
avalanche of press about Facebook's freshly-announced use of PGP:

https://www.facebook.com/notes/protecting-the-graph/securing-email-communications-from-facebook/1611941762379302

Mail to public mailing lists can already be signed (like this one is). It'd
be nice if mailman didn't MITM the signed content, so that the signature can
be validated. (Perhaps it will; I will find out after I hit send.) There's
lots of other mail from individuals to closed groups like the IAB and the
IESG and from IETF robots to individuals that *could* be encrypted, or at
least signed. There is work here that *could* be done.

If the argument that we should use HTTPS everywhere (which I do not
disagree with) is reasonable, it feels like an argument about sending
encrypted e-mail whenever possible ought to be similarly reasonable. Given
that so much of the work of the IETF happens over e-mail, a focus on HTTP
seems a bit weird.

Note that this is not an attempt to start a conversation about whether PGP is
usable, or whether S/MIME is better. I will fall off my chair in surprise if
it doesn't turn into one, though.


Joe

Are the IETF mail servers configured to use opportunistic TLS? I haven't
checked. To me this would be a good first step down the mail encryption path.

Mike