[Endymail] What are the problems?
Watson Ladd <watsonbladd@gmail.com> Sun, 07 September 2014 17:55 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: endymail@ietfa.amsl.com
Delivered-To: endymail@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6DA91A0491 for <endymail@ietfa.amsl.com>; Sun, 7 Sep 2014 10:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lECTW_hmG--x for <endymail@ietfa.amsl.com>; Sun, 7 Sep 2014 10:55:47 -0700 (PDT)
Received: from mail-yh0-x22e.google.com (mail-yh0-x22e.google.com [IPv6:2607:f8b0:4002:c01::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8FD51A048F for <endymail@ietf.org>; Sun, 7 Sep 2014 10:55:47 -0700 (PDT)
Received: by mail-yh0-f46.google.com with SMTP id f73so278155yha.33 for <endymail@ietf.org>; Sun, 07 Sep 2014 10:55:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=YC2rK+0Pnap9UKhkF4FY+PBPk/wRQF2NXHaA390yrjk=; b=h+T/TBKgn0yWGCDtA0+4tQpSsiZyy6k2tU5nAQvH+KCmplE4qn8e51gTblRcpZ4bve ecmxmyRkb6cI9AqNzjiwgLgO/WSG+n2K536hPT5il4MtGddQvBgyv5JAau2UAPabwtM+ 3G/EQKaohIGg28k9b3bsB6RxeeFScx+snif1fE21q7YcvM40gYHA+2NP8mr9EIc5cjc/ BMO7/D4DLl2373a7bs5LpIgyIKk4f2qw7k3l8WlPbUnR0xO8kSJI6QGClxL6qwJdHFls VNgFhxniLlIhFxw3fosBG7Ad7cPSf/afT2rg8bWAJrvFwfZp7jPotuvA5zxfq3XbWHKo 6YRw==
MIME-Version: 1.0
X-Received: by 10.236.85.208 with SMTP id u56mr36731774yhe.48.1410112546982; Sun, 07 Sep 2014 10:55:46 -0700 (PDT)
Received: by 10.170.207.216 with HTTP; Sun, 7 Sep 2014 10:55:46 -0700 (PDT)
Date: Sun, 07 Sep 2014 10:55:46 -0700
Message-ID: <CACsn0cmmpg3VAEdVdLsBRJUkHnnPJ7fAXBaH4oVpRHm1LdK0sw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: endymail <endymail@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/endymail/wp1nGOmG3RvidXgJn3TrFz0OCjw
Subject: [Endymail] What are the problems?
X-BeenThere: endymail@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <endymail.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/endymail>, <mailto:endymail-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/endymail/>
List-Post: <mailto:endymail@ietf.org>
List-Help: <mailto:endymail-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/endymail>, <mailto:endymail-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Sep 2014 17:55:48 -0000
Dear all, Let's back up from spam. If we look at E2E encryption, S/MIME is widely supported and deployed. It's way more heavyweight than it needs to be. PGP same story, but add in completely weird crypto. (I don't actually know what S/MIME does cryptographically: my tolerance for ASN.1 is only so high) Both are unnecessarily complicated. So why aren't they used more? I can think of a few issues. The first issue is UI: nothing much we can do about it here. But if we reduce the complexity of the protocols by subsetting them, the UI doesn't need to expose so much, and so conceivably be simpler. The second issue is multidevice usage. Here we have questions about transporting keys, removing keys from devices (hard), but the core protocols will work. The third issue is webmail: I'm part of the problem here, but I think browser extensions (ugh) can solve it: I don't think we need new protocols. The fourth issue is key discovery. For S/MIME I don't know how this works. For PGP the keyservers work, but the control ensuring you get the right key is the WoT, which is very hard to use, and most people don't do it. In practice the keys get put on websites served over TLS, or tweeted. We should really think about the merits of the Public File: it's very close to what we have with PGP, and would resolve a lot of concerns about CA subversion. Sincerely, Watson Ladd
- [Endymail] What are the problems? Watson Ladd
- Re: [Endymail] What are the problems? Elijah Sparrow
- Re: [Endymail] What are the problems? Phillip Hallam-Baker