Shouldn't Teams, Zoom, Slack all interoperate securely for the Feds? Wyden is asking

For large organizations, S/MIME probably makes more sense than PGP. PGP has a lot of issues and it really, really does not address PKI in a way that works for anyone who's not nerd-spec. While PGP remains popular for some applications (e.g. signing OSS tarballs, vulnerability reports from outside researchers), it's not a great choice for rolling out to millions of ordinary email users.

S/MIME is far from perfect too — for one thing, it's built on MIME, which was the worst mistake in the history of email. And it also involves failure modes that will baffle non-expert users, like how MUAs handle expired non-timestamped signatures. Yes, some people save email messages and read them some time later (my own collection of work email goes back to 1997). But on the whole it generally works better than PGP. And support is built into Outlook, which is an advantage if only because so many people already use Outlook.

One is to add a new type of record alongside the MX record...

Um, DMARC (SPF and DKIM), DANE, MTA-STS... if anything, we've already over-engineered the solution(s) to this one. We don't need yet more "email security mechanism in DNS" standards. Implement S/MIME and SPF, then DNSSEC, then DANE (which requires DNSSEC), then DKIM, then DMARC, and finally MTA-STS if you want; that's how you get improved email security. Trying to fix PGP key distribution would only muddy the waters further.

Re: Interoperability

Already happening, thanks to the EU : https://engineering.fb.com/2024/03/06/security/whatsapp-messenger-messaging-interoperability-eu/

Re: Interoperability

No that's forcing them to the lowest common denominator.

People choose Signal for a reason. If they use it but the person on the other end uses WhatsApp, the security guarantees they get (for the purpose of this argument assume they are 100% true) disappear because the other end is something else.

If Apple wants to add features to iMessage like when they added support for sending Apple Cash payments to people I guess they'd be SOL, because it wouldn't be part of the standard and the other side wouldn't support it. They could propose it, but once everyone else gets their fingers in it and adds the kitchen sink then they have to waste time implementing a lot of irrelevant crap that Facebook wants like maybe micropayments or something that lets companies whose pages you follow send you ads and you get paid for viewing them.

What's wrong with Microsoft having their own collaboration software and Zoom having theirs? What's the point of investing in R&D to develop this stuff, it will make no difference when it is the same as anyone else's so just slap on the open source version and be done with it. Now no one is investing in ideas to make it better, because there's no money in it. They'll pursue AI instead - until someone like you comes along and decrees that OpenAI has to be compatible with Grok, and Apple can't do on-device AI because the standard says the model has to be a certain size that's too big to run on a phone.

Nothing stops IETF from making a conferencing standard, people writing an open source version, etc. Let the best product win in the market, not by government decree.

Re: Interoperability

Everyone?

I don't use any of those. I have Signal installed, but no one's ever actually sent me a Signal message. I have no interest in using WhatsApp, iMessage (not an option anyway as I won't use Apple OSes), Telegram, etc.

If people want to send me a message, I have email, and I have SMS. Or, if security is a concern, Signal. If they want to use anything else, they can talk to someone else.

> end-to-end encrypted

Came here to say much the same. I though E2E was the great evil?

This is Wyden. He is the one legislator who consistently pushes against such things and tries to get privacy respected. He's not the hypocrite here. This is probably not a good thing for the likelihood of this bill being passed, though, as his fellows have been ignoring his suggestions for decades.

The problem is they want to force companies to only create products that work according to these standards, rather than letting them create whatever they want and if consumers refuse to use it because it doesn't interoperate, it will fail. Nobody is forcing the government to use these products, or for one department to use one and another department to use another, nobody is forcing individual users or businesses to use them, and if they want to be able to communicate with others they can all use the same product, or one or the other can switch, OR they can convince the two product creators to make them communicate with each other, and stop paying for it if it doesn't happen. Forcing interoperation though means users get the worst of both worlds. When talking to someone on a different product, they get only the shared features, rather than all the features that they wanted by choosing the product they chose.

Six standards were five too many

Can you imagine TV and radio broadcasts without standards? I remember stereo AM's idea was to let the free market decide. At least six known standards appeared. AM stereo never had a chance.

Re: Better Headline:

I'm about as hardcore on the right as it gets, and I'm a fan of Wyden in this arena. In fact, I'm planning on complaining to his office, bypassing my own congresscritters about the latest IRS initiative.

Seriously, give the devil his due--even if he's wearing a "D" (today).

Re: Contradictory statements?

Why are those contradictory? The solution seems simple: encrypted backups. If you have the keys and access to the disks, you can play them. If you intercepted the communication, you can't. Ideally, the backups would be stored by the user so the encrypted versions can't be obtained by the provider. It would also work if the provider stored the backups but not the keys, because they would have access to the files but not the ability to read them.

That's used by all sorts of protocols. My messages are end-to-end encrypted in transit, but nothing stops me from keeping them on my device once I have them and copying them onto another system for backup.