On 2 Jun 2015, at 18:15, Paul Hoffman wrote:

> On Jun 2, 2015, at 6:44 AM, Joe Abley <jabley@xxxxxxxxxxx> wrote:
>
>> If the argument that we should use HTTPS everywhere (which I do not
>> disagree with) is reasonable, it feels like an argument about sending
>> encrypted e-mail whenever possible ought to be similarly reasonable.
>> Given that so much of the work of the IETF happens over e-mail, a
>> focus on HTTP seems a bit weird.
>
> This is a terrible idea. If the IETF mailer thinks it knows my PGP
> encryption key, and I don't because I have lost it or invalidated it,
> then I cannot read the mail from the IETF mailer and will thus lose
> valuable information.

Right. So let's not do that.

> Maybe we can develop some interface that allows a user to specify
> their encryption key and remove it at will, but I've never seen such
> an interface before and suspect that its design will have all sorts of
> pointy edge cases.

I can think of lots of interfaces that let users specify settings for a
particular service. Mailman is surely one of them. Again, I'm not
talking about encrypting public list traffic, but it seems like a fair
bet that anybody who wants to exchange non-public-list traffic with the
IETF has a mailman account already.

And before anybody jumps on that particular idea, it's just an example.
I may be the only one, but I'm actually not trying to design a solution
here, just suggesting that e-mail not be overlooked as we look for ways
to s/mouth/money/ when it comes to privacy.

> Proposal: if you actually want this, develop an interface for telling
> the server your key first. Get buy-in from others active in the IETF,
> if possible. If you can pull this off, it will benefit much more than
> the IETF.

I don't think anybody wants *me* to develop anything :-)

But agreed, if the IETF was able to show that its work conducted by
e-mail could incorporate cryptography in such a way that it was a
benefit to all concerned rather than a headache, I think that would be
great.

Joe