Pros and cons of PGP/MIME for outgoing e-mail?

[Ingo Klöcker]

On Sunday 23 November 2014 18:05:03 Bjarni Rúnar Einarsson wrote:
> Hi Samir,
> 
> Samir Nassar <samir at samirnassar.com> wrote:
> > I would care more about the arguments if you were able to re-state them
> > while dropping references to legacy email clients. I don't think new mail
> > clients  have an obligation to be backwards compatible.
> > 
> > If you, and others, think the PGP/MIME RFC is incomplete or invalid,
> > then  that's a conversation I want to hear.
> 
> Oh, I absolutely do. I think it's fundamentally lacking. Key points:
> 
> 1) It tightly couples MIME parsing and PGP processing, making it hard to
> compose "does one thing well" type tools and requiring quite invasive
> plugin APIs in order for people to be able implement PGP/MIME from a
> plugin.

Why? All it takes is one API call which takes a MIMETree and returns another 
MIMETree.


> 2) It is hard to implement correctly. The white-space handling
> particularly hairy.

I don't understand what you mean. Do you refer to the removal of trailing 
white-space? What's hairy about that?


> Flaws 1) and 2) are why we still keep seeing new mail applications
> written that do not support PGP/MIME, and still see PGP email projects
> that can't do it either. See Mailvelope, APG/K9, more. The developers of
> these projects are not lazy, the standard is just a pain in the ass to
> implement. I know, I've done it.

So you've come to realize that writing an email client isn't all fun? Welcome 
to the real world.


> Flaw 3) is one of the reasons why big
> chunks of the security community write off PGP and e-mail as a lost
> cause.

The key of this statement is that they write off "e-mail as a lost cause" 
because this is unfixable in SMTP. The only solution is not to use SMTP.


> I am disappointed that you think it's okay to just ignore real world
> compatibility and dismiss all the mail clients that don't implement
> PGP/MIME as "legacy". That's a very lonely ivory tower, and with that
> attitude our community will never help the masses communicate securely.

I'm sorry to disappoint you, but you won't help the masses communicate 
securely by writing yet another mail client. The masses won't use your mail 
client (or any other niche mail client). The public masses use Google mail, 
the corporate masses use Outlook/Exchange, and the smartphone masses use 
whatever mail client comes with their smartphone.

If you want an achievable goal, then don't aim for the masses but for those 
people who really need means for secure communication. I expect those people 
to use PGP/MIME-capable mail clients (or no e-mail at all) and not some other 
mail clients with non-standard, homebrew encryption.


Regards,
Ingo