On Mon, 24 Feb 2014, Wietse Venema wrote:
> The absence of observed variation does not mean nothing of relevance has changed, and the presence of benign observed changes drowns out the malicious ones, assuming that the malicious party is stupid enough to reveal itself.
Well, if the only output of the software is what it is now, the bad guys don't actually need to do anything to hide.
So what's bad about requesting that the checks which are required for more secure connections are also executed for the less secure ones and positive results are reported? That's all I request.
> This is not a sound basis for automatic policy enforcement or claims about "email security level" except at perhaps trivial scales.
Well, we have plain unencrypted SMTP for now. So yes, we are on a trivial scale. Larger providers here in Germany did a lot of marketing about the fact that they now use TLS at all. So it's a long way to go.
DNSSEC is like building a fortress. Current SMTP is like leaving the door open. Until the fortress stage is reached, there are many steps like closing the door, using a key, ...
Why is it, in the internet world, usually all or nothing? There ARE steps in between. Maybe small ones, but most people choose the open door when the other option is to build a fortress.
E.g., referring to the other mail: I won't change my domain provider to enable functionality which allows me to do extremely secure communication with only a handful of mail servers I have never contacted before.
Ciao -- http://www.dstoecker.eu/ (PGP key available)
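As an added illustration (editor's example, not code from either participant or from the Postfix project), the following script does the kind of "report the positive results" check the reply asks for, using what Postfix already logs with opportunistic TLS: at smtp_tls_loglevel 1 or higher the smtp(8) client logs each outbound session as an "Anonymous", "Untrusted", "Trusted" or "Verified" TLS connection. The script tallies those levels per destination and flags a destination whose level drops below what was seen before. The log lines are constructed for the example (hostnames and addresses are documentation-range placeholders), and the ranking of the four levels is this example's own choice; as Wietse's reply notes, a drop is a signal to look at, not evidence of an attack, because certificate rotation, a new MX or a misconfigured peer produces the same change.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the Postfix smtp(8) client uses for
# outbound TLS sessions (smtp_tls_loglevel >= 1). Hosts/addresses are made up.
SAMPLE_LOG = """\
Feb 24 09:01:02 mx postfix/smtp[1001]: Trusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 09:05:10 mx postfix/smtp[1002]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Feb 24 09:07:44 mx postfix/smtp[1003]: Anonymous TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ADH-AES256-SHA (256/256 bits)
Feb 24 09:12:00 mx postfix/smtp[1004]: Trusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 09:20:31 mx postfix/smtp[1005]: Untrusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Feb 24 09:25:00 mx postfix/smtp[1006]: Verified TLS connection established to smtp.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Matches the "<level> TLS connection established to host[addr]:port: proto with cipher X" line.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Ordering assumed by this example: anonymous < untrusted < trusted < verified.
RANK = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}


def parse(log_text):
    """Return one dict per matching TLS log line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Per destination host: how many sessions reached each trust level."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["host"]][e["trust"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def downgrades(events):
    """List (host, level) for sessions that fell below the best level seen so far
    for that host. Benign causes (certificate rotation, a new MX, a broken peer)
    produce the same signal, so treat this as a prompt to investigate, not an alarm."""
    best = {}
    flagged = []
    for e in events:
        host, rank = e["host"], RANK[e["trust"]]
        if host in best and rank < best[host]:
            flagged.append((host, e["trust"]))
        best[host] = max(best.get(host, rank), rank)
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for host, counts in sorted(summarize(ev).items()):
        print(host, counts)
    for host, level in downgrades(ev):
        print("downgrade:", host, "->", level)
```

Run against a real mail log the per-host table shows which peers ever presented a certificate your trust store accepts, and the downgrade list shows where that stopped holding; neither output says anything about peers that only ever appeared in one state, which is the limit Wietse points out.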