Fwd: It's time for PGP to die.

Aaron Toponce aaron.toponce at gmail.com
Mon Aug 18 18:51:36 CEST 2014


On Mon, Aug 18, 2014 at 12:24:43PM -0400, Mark H. Wood wrote:
> Sure, it does encrypt mail.  My SMTP has mail from me to deliver.  It
> contacts an SMTP that it thinks can get the mail closer to its
> addressee.  My SMTP sends STARTTLS, the receiving SMTP agrees, they
> handshake, and the rest of the session, including MAIL FROM, RCPT TO,
> and my mailgram following the DATA, is encrypted over the wire.

The connection is encrypted, not the mail itself. SSL/TLS behave like a tunnel.
The end result is the same, but the details are different. Much like an OpenSSH
tunnel, where SSH does not know anything of the data moving through the tunnel,
STARTTLS knows nothing about the data going through its tunnel.

> You mean those webmail thingies that I never use?  There's so much we
> don't know about their security practices that I wasn't even thinking
> about such services.  My remark was focused on the scenario above:
> there is a local MUA, a local MTA and a remote MTA.

No, I mean the POP3S/IMAPS/SMTPS/MAPIS protocols your MUA, and other SMTP MTAs
connect to. Not HTTPS.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
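
Added example (not part of the message above or of the original thread): a short Python check that separates the two properties being discussed, which hops ran over TLS (the RFC 3848 "with" keyword in each Received header) and whether the message itself is encrypted. The sample message, host names and addresses are constructed for illustration.

```python
import email
import re

# RFC 3848 "with" keywords that mean this hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)

# Constructed sample (not from the thread). Each MTA prepends its own
# Received header, so the newest hop is listed first.
RAW = (
    "Received: from mx.example.net (mx.example.net [203.0.113.7])\n"
    "\tby mail.example.org (Postfix) with ESMTPS id 4ABCD1;\n"
    "\tMon, 18 Aug 2014 18:51:40 +0200\n"
    "Received: from relay.example.com (relay.example.com [198.51.100.9])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 3XYZ22;\n"
    "\tMon, 18 Aug 2014 18:51:38 +0200\n"
    "Received: from laptop.example.com (laptop.example.com [192.0.2.5])\n"
    "\tby relay.example.com (Postfix) with ESMTPSA id 2QRS33;\n"
    "\tMon, 18 Aug 2014 18:51:36 +0200\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "This body was readable on every MTA that handled it.\n"
)

def hops(raw):
    """Return (sender, receiver, protocol, used_tls) per hop, oldest first."""
    msg = email.message_from_string(raw)
    result = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            proto = m.group(3).upper()
            result.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return result

def end_to_end_encrypted(raw):
    """True only if the message itself is PGP/MIME, S/MIME or inline PGP."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime"):
        return True
    payload = msg.get_payload()
    return isinstance(payload, str) and "-----BEGIN PGP MESSAGE-----" in payload

if __name__ == "__main__":
    for sender, receiver, proto, tls in hops(RAW):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'cleartext'})")
    print("message encrypted end to end:", end_to_end_encrypted(RAW))
```

Received headers added by hosts outside your control can be forged, so rely only on the ones your own MTAs wrote.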


More information about the Gnupg-users mailing list