> Facilitators cannot help resolve differences in religion or paradigms.

FWIW, the facilitator model that I announced will be useful, I think, but it is at a different level than resolving fundamental differences about technology direction. I think we can improve discussion style at the IETF (and have, I’d argue). But while having good, civil, rational, and fair discussions is a great thing, it doesn’t remove the situations where, for instance, different groups of people have very different goals or use cases in mind.

> PGP has a monopoly on mindshare, S/MIME has a monopoly on deployment.
>
> It's like Betamax vs VHS. If we are going to get endymail deployed we
> have to get them to move to BluRay.

Like others on this thread, I think the issue has not been so much in the differences between two partially deployed solutions. The crux is having something that works for a broad range of users, easily. And we are *not* there today.

> Apple's Mail.app on desktops allows an S/MIME key to be bound via
> Keychain to a particular correspondent, without placing any trust
> in whatever CA may have issued the certificate. This makes S/MIME
> usable with a TOFU trust-model.
>
> So for me the sweet-spot has been S/MIME with direct (leap of faith)
> trust. I am disappointed when I can't use TOFU with S/MIME in some
> other MUAs.

Yes - I have a lot of sympathy for this point of view. Taking this slightly more towards the end-user view, not sure I care about what bits are underneath, as long as I can achieve what I need to achieve. For a lot of users that appears to be hierarchical/unconditional trust for their employer’s organisation _and_ the ability to TOFU for the authentication with their friends, family, and external entities. Perhaps TOFU not just with individuals, but also with organisations. The question is, how much of this is protocol machinery and how much UI design?

Maybe we need to put the main e-mail app developers into a room and not let them out until they have prototypes of usable TOFU *and* hierarchical security in their apps :-) I’m joking of course, but it is also true that if the industry needs to do something, they have in many cases come together even as competing entities, and taken on the challenge. Interops, world v6 launch, etc. But I’m not the expert. You guys are - what would help?

Jari
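The mixed model discussed above (hierarchical CA trust for the employer's domain, leap-of-faith pinning for everyone else) reduces to a small policy decision per signer certificate. The following is an added example, not code from the thread or from any mail client; the organisation domain, sender addresses and fingerprints are constructed, and the certificate is reduced to a fingerprint plus a flag saying whether its chain validates to a trusted CA.

```python
"""TOFU-with-hierarchical-fallback trust decision for S/MIME signer certs.

Added example, not code from the thread or from any mail client.
A certificate is reduced to (sender, fingerprint, chain_valid); the
fingerprints and addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"          # pinned key matches, or org cert has valid chain
    FIRST_USE = "first-use"      # no pin yet: accept and pin (leap of faith)
    KEY_CHANGED = "key-changed"  # pinned fingerprint differs: surface a warning
    CA_REQUIRED = "ca-required"  # org policy demands a valid chain, none given


@dataclass
class TrustStore:
    org_domains: frozenset                    # domains where only CA trust counts
    pins: dict = field(default_factory=dict)  # sender -> pinned fingerprint

    def decide(self, sender: str, fingerprint: str, chain_valid: bool) -> Verdict:
        sender = sender.lower()
        domain = sender.rsplit("@", 1)[-1]
        if domain in self.org_domains:
            # Hierarchical trust: the employer's CA is the authority, so a
            # self-signed or unknown-CA cert claiming an org address is rejected.
            return Verdict.TRUSTED if chain_valid else Verdict.CA_REQUIRED
        pinned = self.pins.get(sender)
        if pinned is None:
            # Trust On First Use: record the key regardless of any CA.
            self.pins[sender] = fingerprint
            return Verdict.FIRST_USE
        # The pin wins over the CA: a new key with a "valid" chain still warns.
        return Verdict.TRUSTED if pinned == fingerprint else Verdict.KEY_CHANGED


def demo() -> list:
    """Run constructed messages through the policy and return the verdicts."""
    store = TrustStore(org_domains=frozenset({"example.com"}))
    messages = [  # constructed: (sender, fingerprint, chain_valid)
        ("alice@example.com", "FP-A1", True),     # org, CA-issued -> trusted
        ("mallory@example.com", "FP-M1", False),  # org, no chain -> rejected
        ("bob@friend.example", "FP-B1", False),   # external, unknown -> pin it
        ("bob@friend.example", "FP-B1", True),    # same key again -> trusted
        ("bob@friend.example", "FP-B2", True),    # key changed -> warn
    ]
    return [store.decide(*m) for m in messages]
```

The last case is the one that separates the two models: for an external correspondent a changed key is flagged even if some CA would vouch for it, while for the employer's domain the CA verdict alone decides.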