> They are also proposing a HTTPS web interface, I guess this relies on
> trusting the certificate authority?

This has a critical chicken-and-egg problem.

Let's say I want to send you an encrypted email. I send it to the OwnMail box, and it in turn sends to you, in cleartext, an HTTPS link to the OwnMail box. But Eve, who's listening in on communications between us, who is the adversary I want to foil ... well, she gets the HTTPS link, too, and she's able to use it to view my message to you.

End result: Eve is not foiled.

Okay, so let's say the HTTPS link goes to a page protected by some kind of authentication, some kind of login method. How do I communicate to you the credentials to log in? Eve gets to eavesdrop on those, too.

End result: Eve is not foiled.

So let's say that you create a username/pw on someone else's OwnMail box early on, before Eve starts listening in. Now you can go fetch those HTTPS-secured pages securely. Eve is foiled. *But*, you have to set up the username/PW ahead of time, before Eve comes into play. And now you have to keep track of yet another username/PW.

End result: Eve is foiled but it's a usability nightmare because you're stuck tracking 25 different OwnMail username/PWs for 25 different OwnMail users.

Further, they're not doing *anything* that we haven't already been able to do for 20+ years. Seriously. Every mail administrator on the planet has been able to do this sort of thing for 20+ years. They don't. We rarely if ever see OwnMail-like setups. It's worth asking the question, "Why?"

My initial thoughts after reviewing the page: I'm not optimistic. I might be wrong! But I'm definitely not optimistic.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users