
The Pentagon Says It Will Start Encrypting Soldiers' Emails Next Year - IsaakTech
https://motherboard.vice.com/en_us/article/bjxjxv/the-pentagon-says-it-will-start-encrypting-soldiers-emails-next-year
======
drdaeman
Oh.

When I saw the title, I thought they would start to use GnuPG or PEP or maybe
switching from SMTP and MIME to something else.

And then it seems that they're still where the rest of the world was almost a
decade ago, and starting to implement TLS.

~~~
willstrafach
I'm curious what GnuPG would offer beyond what they can already do using
S/MIME via CAC?

~~~
drdaeman
Not much. But, possibly, Ed25519?

But, yeah, I just forgot about S/MIME while I was writing that comment. It's
probably a better fit, especially in terms of revocation (OCSP, etc).

------
YCode
Title is misleading; it should say something like encrypting ALL emails.

They have of course been able to encrypt individual emails for at least a
decade with their CAC/PKI by checking a box in their email client.

After re-reading the article they never make any mention of existing crypto
practices... Seems like purposely misleading or sloppy journalism.

However in the origin article they link to there is a useful gem:

> "STARTTLS is an extension for the Post Office Protocol 3 and Internet
> Message Access protocols, which rely on username and password for system
> access," the spokesperson wrote. "To remain compliant with DOD PKI policy,
> DEE does not support the use of username and password to grant access, and
> does not leverage either protocol."

I'm not versed in those protocols, but if that statement was true at the time
it makes sense to me that the military wouldn't take a step back to using
passwords when they already implemented physical tokens (CAC+pin) DoD-wide.

------
valine
This makes the US military look pretty bad. They should be leading the world
in cryptography, not planning to encrypt emails with 2002 tech in 2018. It
just goes to show how meaningless the term "military grade encryption" really
is.

~~~
uiri
"military grade encryption" - so strong, the military doesn't use it for
soldiers' emails.

------
Simulacra
Wait. Next year?! They're not encrypted already!?

~~~
whatnotests
They need to install backdoors first, duh.

~~~
koolba
Why bother with backdoors when you're running the infrastructure? They can
have a barn sized front door.

~~~
willstrafach
I'm assuming this is a reference to key escrow, which they do indeed have
already (Audit purposes + ability to make sure older e-mails can be decrypted
upon key rotation).

------
dkhenry
The title of this is pretty misleading. They are not encrypting emails, they
are encrypting email traffic. The E-mails will still be plain text _unless_
the user decides to encrypt them, which is functionality that has been around
since the mid-2000s.

------
crb002
Isn't that about two decades late?

