On 2/21/19 6:07 AM, Alissa Cooper wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I support Benjamin's first three DISCUSS points.
>
> I feel like there are some fairly significant UI implications of adding this
> option to the mix of other tools for transport-level encryption support, given
> that this is supposed to operate on a message-by-message basis. Can you explain
> how this is expected to work? I have this concern generally but also in
> relation to this:
>
> "REQUIRETLS users SHOULD be made aware
> of this limitation so that they use caution when sending to mailing
> lists and do not assume that REQUIRETLS applies to messages from the
> list operator to list members."
>
> I can't figure out how this requirement is expected to be met in practice.
>

With respect to the UI implications, there are several ways that I can picture REQUIRETLS being invoked. The most likely is that the MUA would have a ruleset of domains or addresses for which REQUIRETLS should be specified when submitting the message. These would be domains that the user has some reason to expect REQUIRETLS to work. For example, a traveling reporter or dissident might want REQUIRETLS when sending messages to their own organization, so that their mail would not be subject to MITM if they're in a place where that is done (Tunisia seems to be the classic example).

Another way to do this might be to add a button to the UI to cause the message to be sent with REQUIRETLS, but this of course increases complexity and requires that the user understand the difference between end-to-end message body encryption and per-hop transport encryption.

Ben Campbell also pointed out the sentence regarding mailing lists. This awareness should be achieved through education (people need some explanation to understand how to use REQUIRETLS). The normative SHOULD probably should be in lowercase.
