Charlie (K.),
I completely agree with you, as most here do, that privacy should be the
primary goal of anything called "Privacy Enhanced Mail". I also agree
that implementations which do only authentication rate a yawn.
So why are authentication, non-repudiation and other less important
features mandatory while privacy is only optional? The RFCs are clear.
Not a single soul here has even tried to say that the spec makes privacy
the first priority, or much of a priority at all.
Some people suggest that privacy without authentication is worthless. But
people use envelopes. No third party structure exists that validates
every return address, much less every signature. Seals such as those used
by notaries and corporations only cost about 10 bucks. They last for many
years. If we cared about authentication we'd all have them.
Less important is that if we name this spec as it is "Privacy" some
people will believe it, and think we already have a standard for privacy
enhanced mail. Others will decide that this kind of thing doesn't do what
they want anyway, and lose interest in any genuinely private mail.
I also personally feel strongly that forcing people to show their papers
before we let them use the messaging infrastructure we're building is
repugnant. It damages both privacy and free speech. The Persona
alternative will be treated as a clown suit, as we've already seen on
this list.
Doug