Re: Authentication and email

--On Monday, February 10, 2003 14:38:10 -0800 "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org> wrote:

> At 4:44 PM -0500 2/10/03, Derek Atkins wrote:
>> Yea, and look how secure our email system is....
>
> Well, yes, let's look. Security is available where the two end-users want
> it, and is available where any pair of servers want it. Few people turn
> it on in either step, but those who want it use it almost invisibly.

realistically....

in email, security is available whenever two users want it, have mail systems that implement it, and there is no bit-damaging component between them.
at the moment I can't send secure mail between my two mail readers (because I have not upgraded one of them with the optional-to-install security components).

and about 50% of the time I see PGP-signed mail, I get the "I don't trust this" beep, for one reason or another.


>> The IESG has already
>> stated that optional security is bad (because optional security means
>> no security).  Let's not revisit that rathole.
>
> We fully disagree here. Forcing visible security where none is needed
> leads to most people not wanting to use security. If security is free or
> very low-cost, it should be required. When it is any more expensive
> either in processing time or in user hassle, it should be optional and
> easy to implement if used.

the IESG has "always" said that security is mandatory to *implement*.
I think we all know perfectly well that users can't be protected from themselves.... if they don't want it, they won't use it.

Harald