ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Proposed Proposed Statement on e-mail encryption at the IETF

2015-06-02 16:50:25
from [Matt Mathis] [Permanent Link] 
BTW you can see encryption stats here:
https://www.google.com/transparencyreport/saferemail/?hl=en#search=ietf.org
 .

Or for that matter, look up your own favorite domains.   The per region
stats are pretty alarming.

Thanks,
--MM--
The best way to predict the future is to create it.  - Alan Kay

Privacy matters!  We know from recent events that people are using our
services to speak in defiance of unjust governments.   We treat privacy and
security as matters of life and death, because for some users, they are.

On Tue, Jun 2, 2015 at 1:11 PM, Måns Nilsson 
<mansaxel(_at_)besserwisser(_dot_)org>
wrote:


Subject: Re: Proposed Proposed Statement on e-mail encryption at the IETF
Date: Tue, Jun 02, 2015 at 07:08:15PM +0100 Quoting Joe Abley (
jabley(_at_)hopcount(_dot_)ca):


But agreed, if the IETF was able to show that its work conducted by
e-mail could incorporate cryptography in such a way that it was a
benefit to all concerned rather than a headache, I think that would
be great.


I think we have achieved this in one way; we now accept and deliver
e-mail via SMTP using TLS. Everyone should do this, as long as they
don't risk ending up in jail for doing it. (for those cases and for
RFC 854 debugging, we keep the downgrade option. Reluctantly. Building
an interceptor that strips the TLS offers from the SMTP dialogue and
effects a downgrade attack is trivial. More often than not this device is
"the firewall". QED.)

Another way we've dogfooded in this area is by signing email. (And that
might be done via any of the unuseable protocols. I pretend I don't care,
to keep Joe on his chair.)  There are operational, direct advantages
from signing email today.  Everyone who some day might want to send a
sensitive e-mail over any network ought to think very hard about climbing
on the mechanical bull known as "getting PGP to work in my email setup
(and with some security at that)." Signed email is not "au contraire" to
the open nature of IETF lists. It serves as verification and reassurement.

I somewhat keep repeating myself.  But we can do, and actually do,
this, today. Now, getting DANE data for the IETF SMTP TLS certs going,
and perhaps working on fetching that data into the validation process
of some well-known MUAs, that would be a good step.

--
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
I am a traffic light, and Alan Ginzberg kidnapped my laundry in 1927!
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IESG Statement on surprised authors, Ted Lemon
Next by Date:  Planned update on BCP 101 - draft-bradner-iaoc-terms, Tobias Gondrom
Previous by Thread:  Re: Proposed Proposed Statement on e-mail encryption at the IETF, Måns Nilsson
Next by Thread:  Re: Proposed Proposed Statement on e-mail encryption at the IETF, Paul Wouters
Indexes:  [Date] [Thread] [Top] [All Lists]