Hi Trevor,

On 06/04/11 20:33, Trevor Freeman wrote:
> Stephen Farrell asked why not use Web portal mail? Why do we need to
> develop plasma?
>
> I don't think we concisely answered that question in the BoF and it is
> an important data point.

Thanks for trying now.

> The web portal mail products are used where there is no way to securely
> deliver sensitive mail to a recipient outside the sender's organization.
> The message is held within the sender's organization and a notification
> email is sent to the recipient. The notification email contains an HTTPS
> URI to the original message with the sensitive content.

Right.

> This model works OK if it is bilateral communication, e.g. doctor-patient,
> where you want to reply to the sender. This has been deployed with my
> healthcare provider and we can exchange messages.

Well, it also works fine for announcements, i.e. 1:N messages.

> However the notification emails are very generic by design, so it is hard
> to find specific messages in your inbox other than by date and time sent.
> It also means useful features like inbox search don't work, as you only
> have the notification message in your inbox.

True. However, does that mean that you'd expect the UA search function to be plasma-aware? If not, then won't the sensitive information be vulnerable in whatever search DB the UA uses? Maybe that's a question of defining the trust boundaries for this, but given that the search may be on an IMAP server it's possibly complicated doing that in a secure way.

> This model fails totally if it's multilateral communication where you
> want to reply all or forward messages.

Hmm. So that'd imply that forwarding etc. is an important part of the proposed work? It strikes me that that's one of the weakest aspects of generic S/MIME (just from personal experience; it's not something I've gone out of my way to test). There'd also be some pretty complex policy calculations to make to figure out what can be forwarded to whom, I assume, so this seems like a fairly complex area.

> The message never leaves the originator's organization, so you cannot
> originate a new message as if it were from a recipient's organization.
> This means for business-to-business scenarios it would hinder the use of
> email for collaboration.

I don't get that at all. But never mind.

> With these limitations I think it's clear that plasma offers some
> significant benefits over web portal email.

Not that clear to me, I'm afraid. While you're arguing for plasma on this basis, to judge those arguments people would need some kind of evidence that's a good bit better than just an assertion. But I'm sure you guys are working on that.

S.

> Dr Trevor Freeman
> Senior Security Strategist
> End to End Trust Team
> <http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx>
> Microsoft Trustworthy Computing
> <http://www.microsoft.com/mscorp/twc/default.mspx>
>
> _______________________________________________
> plasma mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/plasma
