--On Monday, August 13, 2012 11:11 +0200 Alessandro Vesely <vesely@xxxxxxx> wrote: >... > FWIW, I'd like to recall that several governments endorse IETF > protocols by establishing Internet based procedures for > official communications with the relevant PA, possibly giving > them legal standing. Francesco Gennai presented a brief > review of such procedures[*] at the APPSAWG meeting in Paris. > At the time, John Klensin suggested that, while a more > in-depth review of existing practices would be appreciated, > the ITU is a more suitable body for the standardization of a > unified, compatible protocol for certified email, because of > those governmental involvements. > > [*] > http://www.ietf.org/proceedings/83/slides/slides-83-appsawg-1.pdf Alessandro, Please be a little careful about context, as your sequence of comments above could easily be misleading. For the very specific case of email certified by third parties, especially where there is a requirement for worldwide recognition (the topic of the talk and slides you cited), the biggest problem has, historically, been an administrative and policy one, not a technical standards issue. We know how to digitally sign email in several different ways -- there is actually no shortage of standards. While additional standards are certainly possible, more options in the absence of compelling need almost always reduces practical interoperability. Perhaps the key question in the certified mail matter is who does the certifying and why anyone else should pay attention. The thing that makes that question complicated was famously described by Jeff Schiller (I believe while he was still IETF Security AD) when he suggested that someone would need to be insane to issue general-purpose certificates that actually certified identity unless they were an entity able to invoke sovereign immunity, i.e., a government. For certified email (or certified postal mail), your ability to rely on the certification in, e.g., legal matters ultimately depends on your government being willing to say something to you like "if you rely on this in the following ways, we will protect you from bad consequences if it wasn't reliable or accurate". If you want the same relationship with "foreign" mail, you still have to rely on your government's assertions since a foreign government can't do a thing for you if you get into trouble. That, in turn, requires treaties or some sort of bilateral agreements between the governments (for postal mail, some of that is built into the postal treaties). International organizations, particularly UN-based ones, can serve an important role in arranging such agreements and possibly even in being the repository organization for the treaties. In the particular case of certified email, the ITU could reasonably play that role (although it seems to me that a very strong case could be made for having the UPU do it instead by building on existing foundations). But that has nothing to do with the development of technical protocol standards. Historical experience with development of technical standards by governmental/legislative bodies that then try to mandate their use has been almost universally poor and has often included ludicrous results. A similar example arises with the spam problem. There are many technical approaches to protecting the end user from spam (especially malicious spam) and for facilitating the efforts of mail delivery service providers and devices to apply those protective mechanisms. Some of them justify technical standards that should be worked out in open forums that make their decisions on open and technical bases. But, if one wants to prevent spam from imposing costs on intended recipients or third parties, that becomes largely a law-making and law enforcement problem, not a technical one. If countries decide that they want to prevent spam from being sent, or to punish the senders, a certain amount of international cooperation (bilateral or multilaterial) is obviously going to be necessary. As with the UPU and email certification, there might be better agencies or forums for discussion than the ITU or there might not. But it isn't a technical protocol problem that the IETF is going to be able to solve or should even try to address, at least without a clear and actionable problem statement from those bodies. I do believe that the ITU can, and should, serve a useful role in the modern world. The discussion above (and some of the work of the Development and Radio Sectors) are good illustrations. But those cases have, as far as I can tell, nothing to do with the proposed statement, which is about the development and deployment of technical protocol standards. regards, john