CryptoConsortium / CCSS

The CryptoCurrency Security Standard
https://cryptoconsortium.github.io/CCSS/

Secure Communication (Internal) #19

Open Abstrct opened 8 years ago

Abstrct commented 8 years ago

I have had a number of chats with service providers who say that users just aren't ready to understand and participate in an encryption-heavy environment (i.e. signed emails, signed commands/instructions, etc.) and, although I would love to see it happen, I have to side with them as consumer tools just aren't really ready for this either.

With that being said, I think that internal communication is still something we can start to address and is equally important.

Admittedly, this topic came to mind again today because of this helpful repository: https://github.com/lfit/itpol/blob/master/trusted-team-communication.md

What I would like to see from this discussion is more of the topic on when secure communication is needed, either for reasons of confidentiality or for verification purposes. Can we author a section in the standard that outlines when cryptography in communication must be used (broken down by level if possible)? I suppose that ultimately it may just be a statement of "encrypt your traffic, sign your damn messages" but I think exploring a more specific section is a good experiment as the requirements may fit better within different aspects.

Examples that come to mind are