On Sat, Apr 18, 2015 at 12:44 AM, Watson Ladd <[email protected]> wrote:
> -Key discovery in email has been kicked around a bunch, but no > reasonable proposals yet. Doesn't seem that hard. > Key discovery, if we limit the scope of the initiative, shouldn't be that hard to achieve, and could lead to a huge amount of progress. Email is so horribly broken, I think the entire system needs to be replaced, but I think it's clear that we aren't at a point where that's going to happen. While I, and I think many of us, would like a solution that addresses the metadata leaking and other major issues, the changes are too radical to work within the current system. So, if we can get to the point that we are encrypting a higher percentage, I think that's a goal worth pursuing. We aren't going to achieve the perfect, certainly not now, and to achieve anything, I think we are going to have to limit our definition of good. While I want to see email as we know it replaced with something that provides strong modern crypto, forward secrecy, minimal metadata leaks, and all messages encrypted by default - at this point I'd be happy if we could get the number of emails using end to end crypto to a non-trivial number. For now, that might be the best we can actually achieve. Email is likely the largest source of exposed information that end users expect to be private, and while much has been done in other areas, email remains wide open. Opportunistic SSL/TLS has become more common, and it does provide some privacy, we all know that it's not real security and how trivial it is for an active attacker to disable. This is an area that desperately needs some progress made. There's been some discussion on the endymail[1] list, but there hasn't been any real progress - I don't believe anything actionable has come out of it so far. [1] https://www.ietf.org/mail-archive/web/endymail/current/maillist.html
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
