Although having read some of the DANE discussions that took place ~1 year ago,
being PGP illiterate, a little less about SMTP, certificates, ... i don't
understand this:
Cryptography (at least "in the beginning") was created for E2E communication,
independently of your network's layers or the hops/people it goes through.
PK allowed something Caeser (or Dönitz, or other Enigma's users, or...) hadn't:
the ability to avoid the 2 E2Es having to meet in order to set new keys.
I guess (maybe wrongly) certificates handle something the internet brought,
formerly inexistent: the answer to "is this person that sent me her/his public
key REALLY the person she/he says to be, with whom i want to talk to?" In other
words, some means of trust/signature, once "we can't see" with whom we
speak/write.
So, can someone point me to some
URL/documentation/https://mailarchive.ietf.org/arch/msg/ietf/xyz explaining the
point on having keys/cryptography somewhere in between these 2 end points? (And
thus i guess i'm saying i don't understand cryptography's point on scenarios
other than what i think people have called on these threads "E2E".)
Some time ago a friend of mine told me her company changed the old
firewall/proxy into zscaler. When the browser presented her new certificates
asking her trust, she asked network support why didn't they explain people the
implications: often on lunch breaks people use the network for private purposes
like going to the bank, f.i. Network support pointed her to corporation network
support which said it was that corporation's company own decision. She asked
her director, that told her "we'll talk about it in the afternoon", an
afternoon ~2 years ago. This makes me wonder whether people that have to take
these decisions understand the implications.
Most people think "https" means they're talking directly to the other end via a
secure channel, know nothing about "man in the middle" or similar concepts. Why
give them false confidence on scenarios other than E2E?
King Regards,
Rui