One thing that would be helpful is to encourage the use of Diffie-Hellman everywhere. Even without certificates that can be trusted, we can eliminate the ability of casual, dragnet-style surveillance. Sure, an attacker can still do a MITM attack. But (a) people who are more clueful can do certificate pinning/verification, and (b) if the NSA is really putting data taps into tier 1 providers' high speed interconnects, they can only carry out MITM attacks on a bulk scale by placing racks and racks of servers, which will require significant amounts of cooling and power, in places where they would be much more likely to be noticed. It's no longer a data tap hidden away somewhere in a closet near a tier 1's NAP.

For too long, I think, we've let the perfect be the enemy of the good. Using TLS with DH to secure SMTP connections is valuable even if it is subject to MITM attacks, and even if the NSA/FBI can hand a National Security Letter to the cloud provider. At least this way they will be forced to go the NSL route (and it will show up in whatever transparency reports Google or Microsoft or Facebook are allowed to show to the public), or spend $$$ on huge racks of servers in public data centers, which maybe means less money to subvert standards-setting activities. Although perfect security is ideal, increasing the cost of casual-style dragnet surveillance is still a Good Thing.

- Ted
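Ted's point (a), as an added illustration that is not part of the original post: a toy Python model of an ephemeral DH handshake in which the server's long-term key stands in for its certificate. A passive tap sees only public values; an opportunistic client that accepts any server key is fooled by an active attacker who substitutes its own keys, while a client that has pinned the server's key fingerprint aborts. The group size, the 8-byte encoding and the Noise-NK-style key derivation are assumptions made for the demo, not anything from the post.

```python
import hashlib
import secrets

# Toy group, constructed for this demo only: p = 2**61 - 1 is prime but far too
# small for real use; deployments use a 2048-bit+ MODP group or a curve.
P = 2**61 - 1
G = 3


def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh(private, public):
    return pow(public, private, P).to_bytes(8, "big")


def fingerprint(public):
    """What a pinning client stores out of band about the server's long-term key."""
    return hashlib.sha256(public.to_bytes(8, "big")).hexdigest()[:16]


def session_key(eph_priv, peer_eph_pub, static_dh):
    """H(ephemeral-ephemeral DH || ephemeral-static DH): the second term binds the
    session to the server's long-term key; a passive tap sees only public values."""
    return hashlib.sha256(dh(eph_priv, peer_eph_pub) + static_dh).digest()


def honest_handshake():
    """No attacker: client and server derive the same key from A, B and S."""
    s, S = keypair()
    a, A = keypair()
    b, B = keypair()
    return session_key(a, B, dh(a, S)) == session_key(b, A, dh(s, A))


def mitm_handshake(server, pin, swap_static):
    """Active attacker replaces the server's ephemeral value with its own (M) and,
    if swap_static, its long-term key too.  `pin` is the fingerprint a pinning
    client trusts, or None for an opportunistic client.  Returns (accepted, readable)."""
    S = server[1]                       # server long-term public key
    a, A = keypair()                    # client ephemeral
    m, M = keypair()                    # attacker ephemeral
    ms, MS = keypair()                  # attacker long-term key
    seen_static = MS if swap_static else S
    if pin is not None and fingerprint(seen_static) != pin:
        return False, False             # pinning client aborts the handshake
    client_key = session_key(a, M, dh(a, seen_static))
    if not swap_static:
        return True, False              # attacker lacks s, so cannot form dh(a, S)
    attacker_key = session_key(m, A, dh(ms, A))
    return True, attacker_key == client_key
```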