--On Friday, November 1, 2024 16:42 +0000 Barry Leiba <barryleiba@xxxxxxxxxxxx> wrote: > I'm not speaking to whether we should or shouldn't change 5321bis, > but just addressing one argument below: > >> However, the reality is that most of the email traffic in the world >> is innocuous. As SM essentially pointed out, the combination of a >> large distribution list and public archives would make keeping this >> message secret somewhere between "hopeless" and "laughable" no >> matter how well encrypted the transmission channels. Similarly, >> if you and I had an email conversation about the relative weather >> characteristics in the Northeast US, the North Island of New >> Zealand, and parts of the UK, I can't imagine either of us losing >> any sleep over some government bureaucrat or spy reading those >> messages. > > This misses the point that one effect of encrypting everything, > rather than just the "stuff that needs to be secret" is that doing > the latter tells people what they need to concentrate on. If > everything is encrypted, then taking the effort to decrypt all the > encrypted stuff isn't effective. That actually turns your argument > into one that says we *should* be encrypting all of it, if the goal > is to foil entities that are snooping in-transit stuff on the wire. Actually, Barry, I said that although probably not clearly enough, when I wrote: "If they spent a lot of time searching the messages for hidden meanings, we might even rejoice that they were wasting their time that way rather than digging into messages that might, from their standpoint but not ours, be problematic. The analogy between that story and one of the arguments for pervasive encryption should be clear -- works both ways." So, yes, sure, encrypt everything or as close to everything as possible, just avoid (i) deluding ourselves or ordinary users into believing that encrypting mail only while it is in transit means that it is safe from prying eyes end to end and (ii) getting ourselves into a position where our "requirements" discourage fallbacks to cleartext or cause un-encrypted mail to be rejected or dropped when encryption is not possible. > Other threat models, other goals, and other arguments apply here, > though, of course. yep. john
