On Fri, Sep 25, 2015 at 8:47 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Eric Mill <e...@konklone.com> writes: > > >can anyone lay out what the steps to doing that would look like so the > S/MIME > >community can react in more concrete ways? > > Well, first you'll have to tell the S/MIME community what it is you want > them > to do... > Would people be interested in the suggestion I have? If we are going to get anywhere with end to end secure email, we need to 1) End the silly OpenPGP / S/MIME standards war 2) Adopt a design for end to end secure messaging that is as easy to use as regular mail. 3) Design any infrastructure so there is a compelling adoption incentive for users when market penetration is less than 5% [currently we have about 2 million users of S/MIME and the same of OpenPGP or about 0.1% of total Internet users] 4) Support the fact that users now need to be able to read their mail on a wide range of platforms. I have code running in the lab that I think meets these needs. And I think that there is a compelling reason for every necessary stakeholder to participate: *Users*: The ability to sent E2E mail to 0.1% of mail users is not a compelling adoption incentive. A really good password manager that allows the user all the benefits of a cloud based password manager without relying on the cloud service for security is probably enough to get to critical mass. *S/MIME & OpenPGP Community*: Yes, I get that neither of you wants to admit defeat. But S/MIME has deployment ubiquity and OpenPGP has mindshare. You need each other. Fortunately we are at a technology inflection point. The transition to ECC is going to make everyone want to throw their existing schemes away and replace them. Not because of the ECC change but because of Matt Blaze's work on proxy re-encryption which does not fit well with RSA but fits marvelously with ECDHE. *Thunderbird*: Right now it takes me 20 minutes to configure Thunderbird to do S/MIME. I can do the same thing for Windows Live Mail with the click of one button. Not because of what Microsoft has done but because I took the instructions for applying for a cert and converted them into code. In general any set of user instructions that does not involve any user choice can be eliminated and replaced by code. There is also a big opportunity. Remember what originally made Mozilla the browser to use? It wasn't being open source, it was having tabbed browsing. I think there is a similar opportunity here. One of the things I have noticed with the Internet and Web is that many ideas are tried before their time has come. I saw dozens of Facebook-like schemes before that particular one took off. Part of that is execution but another part is that people take time to adapt to the new technology and be ready for another dose. We had blogs back in 1994. They only took off in the Fall of 2000. Right now Thunderbird isn't useful for much more than reading mail. It can in theory be used for RSS feeds and for NNTP news. But those are withering. Back when the Web began there was a product called Lotus Notes that did a lot of very interesting things. That was the application that many of the Internet mail standards were originally developed to support. I think we now have most of the pieces in place that make a different type of mail client possible, one that is a message based workflow system. The critical piece that is missing is a usable model for security. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy