Send Link mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.anu.edu.au/mailman/listinfo/link
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Link digest..."
Today's Topics:
1. Re: email oligopolies (Stephen Loosley)
2. Re: email oligopolies (David)
----------------------------------------------------------------------
Message: 1
Date: Mon, 12 Jan 2026 01:52:20 +1030
From: Stephen Loosley <[email protected]>
To: "link" <[email protected]>
Subject: Re: [LINK] email oligopolies
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
David, I ran your suggestion through ChatGPT
Apparently the AI loves it. Here's what it said ..
Quoting chat.GPT.com ..
Below is a strengthened, clearer, more technically robust version of your
proposal plus a list of recommended improvements you can incorporate. I've kept
your intent and tone but made it more persuasive, precise, and policy-ready.
Improved Technical Proposal (Suggested Rewrite)
I propose that the Federal Government establish a centrally operated and
independently audited National Public Key Registry. This registry would
maintain a verified, authoritative database of each citizen's public key, while
private keys remain solely under the user's control, stored locally on their
own devices.
To ensure interoperability, security, and long-term viability, the registry
must be accessible via ISO-standardised PKI protocols that are independent of
any specific operating system, agency (e.g., ATO), application (e.g., tax
systems), or commercial intermediaries. ISO/IEC 27099:2022(E) appears to be a
strong foundational standard for the required architecture.
How it works for everyday communications:
When I send an encrypted and digitally signed email, my email client retrieves
the recipient's public key transparently from the national PKI server. It
encrypts the content using that public key, and the recipient decrypts it using
their private key, which never leaves their device. Conversely, the message is
signed with my private key, and the recipient can verify the signature using my
public key, also retrieved from the registry.
This approach is not novel - PKI is a mature, well-understood technology - but
embedding it in a government-run, mandatory, universally trusted infrastructure
would dramatically reduce opportunities for scammers and impersonators. It
provides a structural, rather than educational, defence against fraud.
My apologies if I've misunderstood earlier comments and this is already
familiar territory. Many of you will know more about this than I do. But
widespread adoption of standardised end-to-end encryption, backed by a national
key registry, is one of the clearest ways the government could materially
reduce cybersecurity risks for citizens.
- David
Suggested Improvements (Why These Changes Help)
1. Clarify the Government's Role
Emphasise not just "government-run" but "audited, transparent, and independent
governance arrangements." This builds trust without suggesting an overreach.
2. Highlight Security and Privacy Benefits
Be explicit about:
phishing resistance
impersonation prevention
integrity of digital correspondence
citizen privacy (private keys never leave the device)
This pre-empts objections about government over-centralisation.
3. Move From Personal Anecdote to General Policy Language
Keeps it professional and more persuasive to policy or technical audiences.
4. Reference Relevant Standards Clearly
Cite ISO/IEC 27099:2022(E) as a starting point but note interoperability with
existing RFC standards (e.g., X.509, S/MIME, OCSP).
5. Acknowledge Known Concerns
Touch lightly on:
political hesitations
bureaucratic reluctance
privacy advocates' concerns about centralised registries
This increases credibility.
6. Present a Simple Example Workflow
Your email example is excellent - I made it even clearer.
Concrete examples help non-technical readers understand the case immediately.
If you'd like, I can also provide:
- A more formal policy brief version
- A more technical white-paper version
- A diagram of the PKI workflow
- A short executive summary for decision-makers
Just tell me the format you want.
--
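
The workflow described in the quoted proposal above, as an added Python example that is not part of either list post: the sender signs with their own private key and encrypts to the key the registry returns, and the receiver's check shows that a valid signature only proves possession of whichever key the registry lists for that address. The `Registry` class, the addresses and the message text are constructed for illustration, and the code assumes the third-party `cryptography` package.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


class Registry:
    """Hypothetical stand-in for the proposed registry: address -> public key."""
    def __init__(self):
        self._keys = {}

    def publish(self, address, public_key):
        self._keys[address] = public_key

    def lookup(self, address):
        return self._keys[address]


def send(registry, sender, sender_private, recipient, body):
    # Sign with the sender's private key, encrypt to the recipient's listed key.
    # RSA-OAEP only fits short bodies; S/MIME wraps a symmetric key instead.
    return {"from": sender,
            "signature": sender_private.sign(body, PSS, hashes.SHA256()),
            "ciphertext": registry.lookup(recipient).encrypt(body, OAEP)}


def receive(registry, recipient_private, msg):
    body = recipient_private.decrypt(msg["ciphertext"], OAEP)
    try:
        registry.lookup(msg["from"]).verify(msg["signature"], body, PSS, hashes.SHA256())
        return body, True
    except InvalidSignature:
        return body, False


def demo():
    reg = Registry()
    alice, bob, other = (rsa.generate_private_key(public_exponent=65537, key_size=2048)
                         for _ in range(3))
    reg.publish("alice@example.org", alice.public_key())
    reg.publish("bob@example.org", bob.public_key())
    honest = receive(reg, bob, send(reg, "alice@example.org", alice, "bob@example.org", b"invoice 42"))
    # Signed with a key the registry does not list for the claimed sender: rejected.
    unlisted = send(reg, "alice@example.org", other, "bob@example.org", b"invoice 42")
    mismatch = receive(reg, bob, unlisted)
    # If enrolment binds that key to the address, the same message now verifies,
    # so the identity check at enrolment is the real trust anchor.
    reg.publish("alice@example.org", other.public_key())
    return honest, mismatch, receive(reg, bob, unlisted)
```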
------------------------------
Message: 2
Date: Mon, 12 Jan 2026 10:57:39 +1100
From: David <[email protected]>
To: Link <[email protected]>
Subject: Re: [LINK] email oligopolies
Message-ID: <5013015.OV4Wx5bFTl@ulysses>
Content-Type: text/plain; charset="us-ascii"
My apologies, I'd intended this acknowledgement of Roger's post to be CCed on
Link. (DL)
On Saturday, 10 January 2026 16:22:41 AEDT Roger Clarke wrote:
> In the end, it became apparent to increasing numbers of people that PKI
> couldn't do what they wanted it to do, which was to somehow 'bind' a key to a
> real-world physical entity or real-world virtual identity.
>
> My last forays into the morass were in 2001, in this pair of papers
There are certainly problems, and I'll read both your papers with interest
before bursting into print again on this subject! However my general position
is that PKI designed & implemented by a competent & ethical government without
any compulsion to use it (a default option, as it were), or any restriction on
use of private cryptography, is probably better than doing nothing (i.e.
continuing use of plain text).
I also suspect it would be hugely resisted by the Googles of this world.
_DavidL_
------------------------------
End of Link Digest, Vol 398, Issue 10
*************************************