Dear all, Let's back up from spam. If we look at E2E encryption, S/MIME is widely supported and deployed. It's way more heavyweight than it needs to be. PGP same story, but add in completely weird crypto. (I don't actually know what S/MIME does cryptographically: my tolerance for ASN.1 is only so high) Both are unnecessarily complicated. So why aren't they used more? I can think of a few issues.
The first issue is UI: nothing much we can do about it here. But if we reduce the complexity of the protocols by subsetting them, the UI doesn't need to expose so much, and so conceivably be simpler. The second issue is multidevice usage. Here we have questions about transporting keys, removing keys from devices (hard), but the core protocols will work. The third issue is webmail: I'm part of the problem here, but I think browser extensions (ugh) can solve it: I don't think we need new protocols. The fourth issue is key discovery. For S/MIME I don't know how this works. For PGP the keyservers work, but the control ensuring you get the right key is the WoT, which is very hard to use, and most people don't do it. In practice the keys get put on websites served over TLS, or tweeted. We should really think about the merits of the Public File: it's very close to what we have with PGP, and would resolve a lot of concerns about CA subversion. Sincerely, Watson Ladd _______________________________________________ Endymail mailing list [email protected] https://www.ietf.org/mailman/listinfo/endymail
