On Sat, 29 Mar 2025, Viktor Dukhovni wrote:
Section 7.1 of RFC5321 is fundamentally a *disclaimer* of message content or origin authenticity, and if mention of PGP and S/MIME while omitting DKIM is a problem, my preferred solution would be to drop mention of PGP and S/MIME, I take issue with:

    ... Real mail security lies only in end-to-end methods involving the message bodies, such as those that use digital signatures (see RFC 1847 [43] and, e.g., Pretty Good Privacy (PGP) in RFC 4880 [44] or Secure/Multipurpose Internet Mail Extensions (S/MIME) in RFC 3851 [45]).

because neither is usable at scale, or well suited to long-term email message retention (search is typically lost, signatures expire, private keys to decrypt old messages lost, ...). These are niche technologies that DO NOT broadly address email security. There is as yet no magic wand that makes end-to-end email security practical.

I was going to say something like that but Viktor said it better.

Regards,
John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly