On Sep 1, 2014, at 12:49 PM, Eliot Lear <[email protected]> wrote:

> On 8/27/14, 6:21 PM, Tim Bray wrote:
>>
>> 1. Find a public key for the user that the sender’s prepared to trust.
>>
>> This is a big problem. The PGP Web of Trust has failed, and we’ve all heard
>> the griping about the CA biz. Joe Hildebrand mentioned POSH & WebFinger and
>> they’re both interesting. I’m also interested in the notion of a key
>> directory with associated proofs that you don’t have to trust, for example
>> the one from https://keybase.io. In particular see
>> https://keybase.io/docs/server_security
>> WORK FOR IETF: Get pro-active on key discovery/trust work? Standardize key
>> search APIs?
>
> If the IETF could solve but this problem such that it scales to the size of
> the Internet, everything else on your list would I think fall into place.
> Unfortunately, key management really wasn't on your list, and that has to be
> addressed as well. Also, I suspect that email programs probably need to
> evolve a bit to cope with all of this. Case and point: I'm pretty sure I've
> lost one or two private keys along the way. And, at least compared to your
> average Joe, I'm good at this.

No matter what the path forward is for secure messaging, key discovery (and reasonable key management) will be the cornerstone. If we don’t have solid public key discovery, then I fear we’ll just end up reinventing PGP. For a system to scale to the same level email as we know it has, there needs to be transparent key discovery so that the average user need not be aware it’s even happening.

In the design I’ve been working on, it’s the responsibility of the messaging service provider to host a user directory, with signed updates that senders can use to get the proper key for a user (so, example.com would provide the sender with the info they need to send to [email protected]).

I really think this needs to be a primary focus, and as Tim pointed out, this is something that makes sense for the IETF to work on. If we can establish a solid solution here, I agree completely with Eliot here, the rest will fall into place - and will open the door to many good options.

--
Adam Caudill
[email protected]
http://adamcaudill.com/

_______________________________________________
Endymail mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/endymail
