> On May 3, 2022, at 7:47 AM, Michael Richardson <mcr+ietf@xxxxxxxxxxxx> wrote:
>
>
> Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote:
>> Until encrypted email is usable (**search**, long-term signature validation,
>> personal private key rollover, ...), all the key distribution tech in the
>> world won't make it worth adopting.
>
> But signed email is usable, and having enterprises, banks, and governments
> identity roles would be a significant win against phishing, and yet it's
> still not happening.

Agree about signing. (Related, some people like TruePic are working on signing photos so they can be used for insurance evidence and such. Signing pictures from Ukraine would be good for war crimes prosecution.)

Also, the MUA can store the email in decrypted form so it is searchable. Some loss of protection, but not horrible. And the MUA might have an encrypted email database.

I think another big reason that encrypted email hasn’t taken off is that most services that need high security are put into a web page where the provider of the service has much more control over the security. They don’t send your bank statement as a signed & encrypted email, but rather give you a link to a web site to get your bank statement. They like driving you to the web site because they can 1) offer a much richer UX, 2) control security with timeouts and such, 3) log what is happening, 4) upsell you on other services, 5) make money from advertising.

LL