Re: [Endymail] Off we go...
Adam Caudill <adam@adamcaudill.com> Tue, 02 September 2014 18:14 UTC
Return-Path: <adam@adamcaudill.com>
X-Original-To: endymail@ietfa.amsl.com
Delivered-To: endymail@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 576981A0537
for <endymail@ietfa.amsl.com>; Tue, 2 Sep 2014 11:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id dp5PPzgi_YX7 for <endymail@ietfa.amsl.com>;
Tue, 2 Sep 2014 11:14:12 -0700 (PDT)
Received: from mail-yh0-x230.google.com (mail-yh0-x230.google.com
[IPv6:2607:f8b0:4002:c01::230])
(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 95F401A04BC
for <endymail@ietf.org>; Tue, 2 Sep 2014 11:14:12 -0700 (PDT)
Received: by mail-yh0-f48.google.com with SMTP id b6so4483020yha.35
for <endymail@ietf.org>; Tue, 02 Sep 2014 11:14:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=adamcaudill.com; s=google;
h=content-type:mime-version:subject:from:in-reply-to:date:cc
:message-id:references:to;
bh=Xf8oVzvFmq1PssBU94zoYtko2/euZZAQZLly6FeJg+o=;
b=RgrfeXsszX4eMMc95ocyaKPAoqpJPH8ogCLOWqsC/3V7TPyuNaSk0rZEEbcPAGqCtU
U4awel+U2RirgLeoJ60FHRwJpB1NiJhsxsjpKrnlF/LNmFWgvGyJ3D7Fjk1bDDB5YZlu
f3V3cOL4Y/TW/SU1V8zsUbx8b281xw9qXXMIQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:content-type:mime-version:subject:from
:in-reply-to:date:cc:message-id:references:to;
bh=Xf8oVzvFmq1PssBU94zoYtko2/euZZAQZLly6FeJg+o=;
b=AFx3UEBx2WflRSYEc17WWT6/zLSsgIxXt0kfGhhlv23+v6gQ4nb6uSMmFx3i2P/bP1
ndX90zKu80ETHCC3y14XYDYR5pWETWFJlfQSh6QU+aR8N4Ndsp37wCY0KO5HFvGskeZt
yx5RUme401Tsuxh0gYHnD0e/GkxJui/IHBNwb53TbbIl6RdkoIZ1F/pNKjYQIqZtLFKs
UdOiE6X1d7byRCK4rQ4aicuvGcipRY+3oPQfPzaTZNBtcoejIm85sm3CNSNPdTUTAzCA
OEIUZ63Fzz2jdGbXHNFNIaT58hXQiTEIzPcqm+8OhRxBvxzA1m86LP3IHxDT0v4721ak
6vVw==
X-Gm-Message-State: ALoCoQmE5ZbF5MfpJEkumyUP1RGQG/jGq1ssjulcXwUvoqanuQsIxYnAIwopk2KX/pN6GCzOEw1a
X-Received: by 10.236.148.209 with SMTP id v57mr3506916yhj.140.1409681651708;
Tue, 02 Sep 2014 11:14:11 -0700 (PDT)
Received: from [10.0.0.4] (c-50-142-69-73.hsd1.tn.comcast.net. [50.142.69.73])
by mx.google.com with ESMTPSA id
d32sm672563yhq.29.2014.09.02.11.14.10 for <multiple recipients>
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Tue, 02 Sep 2014 11:14:10 -0700 (PDT)
Content-Type: multipart/signed;
boundary="Apple-Mail=_69F2E095-B7C5-41F6-97A0-2310DDC71227";
protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Adam Caudill <adam@adamcaudill.com>
In-Reply-To: <53FD0B7D.8070705@qti.qualcomm.com>
Date: Tue, 2 Sep 2014 14:14:08 -0400
Message-Id: <B39B5E75-9C18-42E7-B96C-4EA479A068B0@adamcaudill.com>
References: <53FD0B7D.8070705@qti.qualcomm.com>
To: endymail@ietf.org
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/endymail/9q5IgDmDKeeYVR-4pwgSZxp6aUU
Cc: Pete Resnick <presnick@qti.qualcomm.com>
Subject: Re: [Endymail] Off we go...
X-BeenThere: endymail@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <endymail.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/endymail>,
<mailto:endymail-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/endymail/>
List-Post: <mailto:endymail@ietf.org>
List-Help: <mailto:endymail-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/endymail>,
<mailto:endymail-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Sep 2014 18:14:14 -0000
On Aug 26, 2014, at 6:34 PM, Pete Resnick <presnick@qti.qualcomm.com> wrote: > So off we go... What projects are folks working on, and what should the IETF be doing in this space? > > Cheers, > Pete & Stephen I’ve been working on a project I call SMIMP[0], it’s a completely new design to meet the use cases of email using modern technologies. I gave a short talk[1] about it at the DEFCON CryptoVillage, slides & notes are online. It’s still a work in progress, there are a number of open issues[2] around items that I’m not entirely sure what the best way to handle is (mailing lists are a particularly complex issue). In a nutshell, it’s an end to end encrypted messaging system, encrypted via curve25519 / XSalsa20, signing via Ed25519, transported over HTTPS using a REST-like API. At every step, the goal is to make it secure, and easy to implement, to minimize the risks of developer mistakes. It’s broken up into two major parts, Identity Management, and Messaging (there are a few details left out for brevity; for all of the details see [0]): Identity Management: To get the public key for a user, a sender calls an API that returns the full profile history for the user; when a user makes a change, it’s signed and includes the hash of the prior change, creating a chain from the time the account was created to the most recent. So if Alice wants to send a message to bob@example.com, she would ask the server at example.com for Bob’s profile history, and validate that everything is signed, and that the chain is intact. Alice will save both the oldest and newest public keys for future checks (TOFU). In the future, Alice will ask the server for the most recent public key for Bob, and if it matches what she has, she will proceed to send the message, otherwise she will request the full history to see if it’s been updated with a new key, or if something malicious is going on (profile replaced / truncated). Messaging: Alice will connect to the example.com server, and request an ephemeral public curve25519 key and validate that it was signed by Bob’s Ed25519 private key. Alice will then request parameters to perform a hashcash-like proof of work as an anti-spam measure; this includes a session specific nonce to prevent the POW from being calculated offline. Once the POW is calculated, Alice will encrypt the message using the ephemeral key, including the POW and other values, and send it to the example.com server. The server will perform validations to make sure that it’s signed correctly, the POW is correct, and the message is in the correct format. Once the message is accepted, the server will store the message for later access by Bob. The messaging API also includes basic mailbox management methods. The system supports multiple message types that are handled a bit differently by the server, such as email, short text (MMS like), and application specific message types, so new messaging applications (think WhatsApp or SnapChat) could use this infrastructure, instead of using a custom system. This is a very short overview of the system, I encourage you to look at the full specification if you are interested. [0] https://github.com/smimp/smimp_spec/blob/master/smimp_specification.md [1] https://adamcaudill.com/2014/08/16/smimp-at-the-defcon-cryptovillage/ [2] https://github.com/smimp/smimp_spec/issues -- Adam Caudill adam@adamcaudill.com http://adamcaudill.com/
- [Endymail] Off we go... Pete Resnick
- Re: [Endymail] Off we go... Tom Ritter
- Re: [Endymail] Off we go... Phillip Hallam-Baker
- Re: [Endymail] Off we go... Joe Hildebrand (jhildebr)
- Re: [Endymail] Off we go... Viktor Dukhovni
- Re: [Endymail] Off we go... Michael Kjörling
- Re: [Endymail] Off we go... Cyrus Daboo
- Re: [Endymail] Off we go... Frank Li
- Re: [Endymail] Off we go... Phillip Hallam-Baker
- Re: [Endymail] Off we go... Leo Vegoda
- Re: [Endymail] Off we go... Werner Koch
- Re: [Endymail] Off we go... Adam Caudill