Hiya, On 02/06/15 14:44, Joe Abley wrote: > Hi all, > > All this "HTTPS everywhere" mail collided for me this morning with a > similar avalanche of press about Facebook's freshly-announced use of > PGP: > > https://www.facebook.com/notes/protecting-the-graph/securing-email-communications-from-facebook/1611941762379302 > > Mail to public mailing lists can already be signed (like this one > is). It'd be nice if mailman didn't MITM the signed content, so that > the signature can be validated. (Perhaps it will; I will find out > after I hit send.) A lot of signatures do survive our lists. I think most bad PGP signatures I see on IETF mail happen when someone forwards or quotes and my MUA tries to be a bit too clever. Most s/mime signatures seem to show as bad, I suspect because they chain up to an enterprise CA, but I've not checked. Someone with interest could do a study about that that'd be interesting and informative. (Hint for anyone with cycles and interest:-) One could even imagine creating a useful database of public keys used by IETFers and automating the refresh of that. If there were such a thing that fed into engimail/gpg or the s/mime support in common MUAs that'd be excellent. > There's lots of other mail from individuals to > closed groups like the IAB and the IESG and from IETF robots to > individuals that *could* be encrypted, or at least signed. There is > work here that *could* be done. > > If the argument that we should use HTTPS everywhere (which I do not > disagree with) is reasonable, it feels like an argument about sending > encrypted e-mail whenever possible ought to be similarly reasonable. I think that's not unreasonable but has additional barriers to being tractable. In particular, in my case, I'd need to ensure I could decrypt email on multiple devices (I currently just do that on one) and I'd want (but probably not have) a way to mirror information I store on public keys across those devices too. I think that's all doable for me, but it'd be a bit of work. I doubt I'm alone in either of those respects. I'd also wonder if MUAs would be up to handling all the kinds of forwarding we do, but that's something it'd be useful to find out. > Given that so much of the work of the IETF happens over e-mail, a > focus on HTTP seems a bit weird. Well, putting the initial focus on HTTP(S) is probably correct given that we can more easily do more there, but if you read the proposed statement it does say that it applies across the board (modulo pragmatism of course). > > Note that this is not an attempt to start a conversation about > whether PGP is usable, or whether S/MIME is better. I will fall off > my chair in surprise if it doesn't turn into one, though. We have a list for such discussion [1] if folks feel the need. And I know PHB has an interesting idea to try to merge the two in terms of message formats. I'm not sure that's feasible but discuss on [1] if you feel the need. And please don't have that discussion here unless there's a reason for it to be here and not there:-) Cheers, S. [1] https://www.ietf.org/mailman/listinfo/endymail > > > Joe >
Attachment:
0x805F8DA2.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature