Jacob Appelbaum wrote this message on Sat, Oct 26, 2013 at 09:24 +0000:
> Paul Wouters:
> > On Thu, 24 Oct 2013, Noel Torres wrote:
> > 
> >> The promised rough draft:
> > 
> >> Initial Draft about OpenPGP Server-side Signed E-mail (OPSS e-mail)
> > 
> > I don't understand how this adds anything to STARTTLS with TLSA/DNSSEC,
> > apart from being able to get a remote server key from a HKP server,
> > which in itself is completely untrusted without web-of-trust
> > verification by a human.
> > 
> > In fact, TLS with DHE would be more secure against a pervasive monitor
> > that obtains access to a mailserver's private openpgp key.
> > 
> > What would doing openpgp encryption within TLS add security wise?
> > 
> 
> Defense in depth. If the StartTLS server uses RC4, for example, I'd want
> a different layer for actual protection.

If the admin spent the time to configure OPSS, why not configure TLS
properly in the first place?

-- 
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
