Back

I’m not the religious cultist some are over defining #E2EE. When it comes to organisational communications, it seems sensible to me to define the endpoint as the organisation, not the individual recipient. And as one widely-used example, this is how #WhatsApp for Business works

All organisations need mechanisms to give authorised staff access to other staff members’ communications. How else would they cope with staff on sick or holiday leave? Or regulatory record-keeping requirements? Or just basic backup, without complex additional key management? This should be indicated to the sender, but I don’t otherwise see problems here.

Secondly, it’s not clear if #gmail is using this workaround just for message recipients who don’t have their own “digital #X509 certificates” to enable message encryption yet (which would be justifiable) or not (which would be an improvement over the status quo, but not genuine #E2EE.)

Sigh. continues… https://eupolicy.social/@1br0wn/114284422620834599

@1br0wn Has anyone been make out what it means in practice for "recipient to have S/MIME configured" wrt Gmail?

All I can find in Google's current docs are some extremely baroque steps that need to be taken by administrators of _every sending workspace_ to send S/MIME to external recipients.

Also: this sounds like it will revive the battle to have eIDAS issuers as trusted roots. Google's current S/MIME trust list (https://support.google.com/a/answer/7448393?hl=en) is pretty narrow.