Hi,

To start with I think it is important to separate "message" from "transport". Then when we have agreed to that distinction (which I claim exists in the IETF) we can discuss securing transport as one thing and securing the message as one thing. And with "securing" I include both signing and encrypting and what not (or choose to do neither).

If that is the architecture we (still) use, it is I claim easy to see that we can never ever replace the security of the transport with the security on the message.

This at the same time as one can look at implementation of solutions where an end user decides to get the service from someone else to manage the security of the message, and then the communication between the end user and this service should probably be some transport/access which is extraordinary (or rather is some TLS secured transport with some MFA authentication).

Anyway, I feel the discussion to some degree mixes the integrity and security of a message with the transport. And I want us to remind ourselves that these are two different things. And many want both...

Patrik