On Tue, Jun 23, 2015 at 03:05:23PM -0000, John Levine wrote:
> >I see interest in the email hosting market to implement the openpgpkey
> >draft. I know of email service providers that already have deployed the
> >openpgpkey draft, and others are prepared to go online once the draft is
> >stable or published as an RFC.
>
> That's quite surprising. I've talked to the large providers, all of
> whom were extremely unenthusiastic.
I think this reflects a difference in attitudes between Germany
and the USA. In Germany, there's been a noticeable interest in
and uptake of DANE for SMTP, and now some interest in DANE for
end-to-end email security.

In the USA, the large providers have been first and foremost rather
reluctant to implement DNSSEC, which then precludes all manner of
DANE technologies, including PGP.

As and when that changes, it might become more clear whether they
were dragging their feet on DNSSEC in general, or had specific
reservations about the localpart encoding for keys in DNS, or did
not want to vend user keys via DNS at all.

Can you be more specific about the concerns of the providers you
surveyed? Are they planning to move forward with DNSSEC? What
fraction of users do they expect to adopt E2E encrypted email?
Are any of them planning to publish a draft with a concrete proposal
for vending user end-to-end keys?

I would conjecture that at the scale of the USA, large scale changes
tend to be viewed as "turning the Titanic" challenges, and that
the providers are often loath to tackle DNSSEC adoption. Questions
of whether to then use DNSSEC in some manner for user keys are
rather downstream from that.

Note, I am still on the fence about whether user E2E keys should
be vended via DNS, or some service over TLS, with keys for that
vended via TLSA RRs. As for hash vs. base32, if more providers
are likely to support base32, so be it. The sticking point is
lower-case lookup, not whether the result is hashed or base32
encoded.

Yes, lower-case is a minefield for EAI. And yet Firefox and Chrome
routinely downcase all the Cyrillic domains I've tried before
querying DNS. Try:

ГоДжи-чИа.Рф

I don't know what they do with other scripts.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
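The point Viktor makes above, that the case handling of the localpart, not the choice between a hash and base32, decides whether two parties end up querying the same OPENPGPKEY owner name, is easy to see by constructing the names. The following Python is an added illustration written for this archive page; it is not code from the thread, the draft, or any provider. It assumes the encoding that was eventually published in RFC 7929 (SHA2-256 of the UTF-8 localpart, truncated to 28 octets, hex-encoded, under the `_openpgpkey` label) and, for comparison, the base32-of-localpart scheme discussed in the thread; the folding "policies" are hypothetical choices an implementer might make, not anything the draft specifies. The domain part goes through Python's stdlib IDNA codec, which applies nameprep and therefore downcases Cyrillic labels the same way the browsers Viktor mentions appear to.

```python
import base64
import hashlib

# Assumed encodings for the left-most label (see lead-in):
#   "sha256": RFC 7929 style, SHA2-256 truncated to 28 octets, hex.
#   "base32": base32 of the raw localpart, padding stripped, lowercased
#             so the label is a legal DNS hostname label.
def encode_localpart(localpart: str, encoding: str = "sha256") -> str:
    data = localpart.encode("utf-8")
    if encoding == "sha256":
        return hashlib.sha256(data).digest()[:28].hex()
    if encoding == "base32":
        return base64.b32encode(data).decode("ascii").rstrip("=").lower()
    raise ValueError(f"unknown localpart encoding: {encoding!r}")


# Hypothetical folding policies. "lower" and "casefold" disagree for
# EAI localparts (e.g. U+00DF), which is the "minefield" in the thread.
def fold_localpart(localpart: str, policy: str = "none") -> str:
    if policy == "none":
        return localpart
    if policy == "lower":
        return localpart.lower()
    if policy == "casefold":
        return localpart.casefold()
    raise ValueError(f"unknown folding policy: {policy!r}")


def idna_domain(domain: str) -> str:
    """ASCII (punycode) form of the domain. The stdlib codec runs nameprep,
    which case-folds non-ASCII labels before encoding."""
    return domain.encode("idna").decode("ascii")


def owner_name(address: str, encoding: str = "sha256", policy: str = "none") -> str:
    """DNS owner name at which the key for `address` would be published."""
    localpart, sep, domain = address.rpartition("@")
    if not sep or not localpart or not domain:
        raise ValueError(f"not an email address: {address!r}")
    label = encode_localpart(fold_localpart(localpart, policy), encoding)
    return f"{label}._openpgpkey.{idna_domain(domain)}"


def lookup_agreement(address: str, encoding: str = "sha256") -> dict:
    """Owner names produced under each folding policy. Any two that differ
    are a publisher/querier pair that would never find each other's record,
    regardless of which label encoding is in use."""
    return {p: owner_name(address, encoding, p) for p in ("none", "lower", "casefold")}


if __name__ == "__main__":
    # Constructed sample addresses; the Cyrillic domain is the one from the thread.
    for addr in ("Viktor@example.com", "Straße@example.com", "viktor@ГоДжи-чИа.Рф"):
        for enc in ("sha256", "base32"):
            print(addr, enc)
            for policy, name in lookup_agreement(addr, enc).items():
                print(f"  {policy:9s} {name}")
```

Running it shows that `Viktor@` and `viktor@` map to different names under both encodings unless both sides fold, that `lower()` and `casefold()` give different names for `Straße@`, and that the domain part comes back as `xn--...` labels for `годжи-чиа.рф` whatever case was typed.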