ietf
[Top] [All Lists]

Re: Proposed Proposed Statement on e-mail encryption at the IETF

2015-06-02 09:41:35


On Jun 2, 2015, at 9:44 AM, Joe Abley <jabley(_at_)hopcount(_dot_)ca> wrote:

Hi all,

All this "HTTPS everywhere" mail collided for me this morning with a similar 
avalanche of press about Facebook's freshly-announced use of PGP:

https://www.facebook.com/notes/protecting-the-graph/securing-email-communications-from-facebook/1611941762379302

Mail to public mailing lists can already be signed (like this one is). It'd 
be nice if mailman didn't MITM the signed content, so that the signature can 
be validated. (Perhaps it will; I will find out after I hit send.) There's 
lots of other mail from individuals to closed groups like the IAB and the 
IESG and from IETF robots to individuals that *could* be encrypted, or at 
least signed. There is work here that *could* be done.

You should see the convolution being developed with DKIM V1/V2 Dual Signatures; 
 V1 strong on the first path leg (submission), a new V2 weaker derivative on 
the second path (mailing list distribution).  Why?  Mail folks wanting to avoid 
the DNS folks (requirements) for the most part. 

Rhetorically , Whats the point about worrying about anything security related 
when we break our own protocols and seem more interested in fast tracking less 
quality work, albeit pertinent  to some market leader but not as a IETF 
community whole work?  



If the argument that we should use HTTPS everywhere (which I do not disagree 
with) is reasonable, it feels like an argument about sending encrypted e-mail 
whenever possible ought to be similarly reasonable. Given that so much of the 
work of the IETF happens over e-mail, a focus on HTTP seems a bit weird.

It does seems weird.  if you in a market where it is required, i.e. PCI,  some 
applications do need it to be out of the box.  But not all applications and 
data exchanges need this overhead and there remains many legacy markets, 
mission critical too, that are not able to implement it, especially on the 
client side. It's a market niche for my company.


Note that this is not an attempt to start a conversation about whether PGP is 
usable, or whether S/MIME is better. I will fall off my chair in surprise if 
it doesn't turn into one, though.



Thanks for the laugh. 

--
Hector Santos
http://www.santronics.comi

<Prev in Thread] Current Thread [Next in Thread>