On 21 Mar 2014, at 13:00, Nicholas Weaver wrote:
>
> On Mar 21, 2014, at 4:40 AM, Robin Wilton <[email protected]> wrote:
>
>> To pick the obvious nit...
>>
>> Even if an email goes from my browser to Google's servers over https, and
>> goes between Google's servers over https, I did not see a commitment to
>> encryption of the email when it is at rest, rather than in motion...
>
> To reply with the obvious: It is IMPOSSIBLE to secure data at rest in the
> context of a webmail system: server control can always enable accessing of
> all documents when the user logs in to check their webmail.

I'd dispute your use of the word "impossible". It might be tricky to design something easy to use, and it would raise the usual end-to-end encryption problems of key exchange and key management, but there's nothing inherent in webmail as a transfer mechanism that means it can't transfer encrypted content.

For instance: last time I used the PGP tools, they offered the ability to encrypt whatever's in the clipboard. There's nothing to stop me pasting the result into a webmail and inviting my correspondent to reverse the process. Sending an encrypted file as an attachment to a webmail would also work.

R

>
>
> --
> Nicholas Weaver                  it is a tale, told by an idiot,
> [email protected]                full of sound and fury,
> 510-666-2903                     .signifying nothing
> PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
>
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
