> From: Phillip Hallam-Baker <hallam@xxxxxxxxx>

> a security standard must have no impact at all or it won't be used.

While I agree with the conclusion part ("or .. used"), isn't the first part sort of internally contradictory? Adding security almost always has some cost, in that people have to set up the security, etc. (I'm thinking in very broad terms here - e.g. one has to lock one's car/house, enter a security code to use an ATM card, etc, etc.)

OK, so HTTPS has basically zero impact on the average user - is the same level of user inattention really possible with email security?

But I'm just being nitpicky about a background statement; on your main point:

> we currently have a big problem in that the IETF has two email security
> standards, not one. ... Neither is a success at anything approaching
> Internet scale.
> ...
> the way forward is pretty straightforward: Take the S/MIME message
> format and graft the PGP web of trust and fingerprint trust models onto
> it.

I agree wholly with your prefatory observation, and like your suggested solution.

Noel