I think this misses two main arguments for increased use of end to end encryption.<p>1. It reduces the behavioural entropy of people who really need it (journalists, lawyers etc)<p>2. It makes mass surveillance much harder.<p>Yes, if the NSA/FBI are after you, they can access your devices directly. But ubiquitous strong encryption is still a Good Thing.
I think the end-to-end encryption of email is an important problem, but even more important (IMO) is that email is no longer decentralized by any reasonable standard.<p>The reason, if I had to guess, is probably primarily because of spam. But these days, with ubiquity of high quality encryption standards in place in most other realms of the web, why not in the validation of email transmission between servers?<p>Here's an idea. Even if we generally still only have encryption at the protocol level in email, why not incorporate a new header into the email message itself (let's call it signature). Now anyone who deploys their own email server can deploy their public key(s) for email in a TXT record in DNS, and any recipient of email can now (for most practical purposes, without substantial work on the part of the malicious hacker) guarantee that the message was sent by who the sending server says it was sent by.<p>I think a wide-spread open standard as simple as this could help re-decentralize email while not causing additional fear that spam will again make our lives miserable.
I have to admit, I had to look up JMAP. Seems like it's a bit of a one-off solution, though there are promising benefits that I can immediately see over IMAP.<p>I think it should be a data driven call - how much call is there for JMAP support, and how much call is there for Encryption? Multiply each by some factor, say, the inverse of an estimated cost to implement, and you should have a rather reliable answer of which is a higher priority.<p>Perhaps more importantly, don't trust "The overwhelming consensus" when it comes to security - we laymen either don't understand the implications to our society, or feel it's a reasonable tradeoff since they have "nothing to hide". Trust people who specialize in security. Send an email to Schneier, tptacek, and others and see how important they believe it is for the world to have easily accessable end to end encryption for communications.
can someone provide a compelling reason why the SMTP protocol does not have a command to retrieve public key certificate for a given recipient email address? Or a weaker alternative that provides the same cert for all addresses in the domain?