Hi Tim,

You've written in narrative a great table of tasks. But...

On 8/27/14, 6:21 PM, Tim Bray wrote:
>
> 1. Find a public key for the user that the sender’s prepared to trust.
>
> This is a big problem. The PGP Web of Trust has failed, and we’ve all
> heard the griping about the CA biz. Joe Hildebrand mentioned POSH &
> WebFinger and they’re both interesting. I’m also interested in the
> notion of a key directory with associated proofs that you don’t have
> to trust, for example the one from https://keybase.io. In particular
> see https://keybase.io/docs/server_security
> WORK FOR IETF: Get pro-active on key discovery/trust work? Standardize
> key search APIs?

If the IETF could solve but this problem such that it scales to the size of the Internet, everything else on your list would, I think, fall into place. Unfortunately, key management really wasn't on your list, and that has to be addressed as well. Also, I suspect that email programs probably need to evolve a bit to cope with all of this. Case in point: I'm pretty sure I've lost one or two private keys along the way. And, at least compared to your average Joe, I'm good at this.

BTW, it all has to happen without asking for matching keys. Enigmail does a pretty good job of that already. That's a pretty good model for UI (I hazard a guess), and so stay focused on how to get it to function to scale.

It may make sense to use some form of OTR for end-to-end transit. But again I wouldn't want to count on OTR for data at rest.

Eliot
_______________________________________________
Endymail mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/endymail
