Re: [Endymail] [Cryptography] Secure universal message addressing
John Gilmore <gnu@toad.com> Tue, 05 April 2016 07:17 UTC
> The key idea here is that you get to have *one* identifier for yourself
> under your control, that you can use everywhere, securely.

The key idea here is a bad idea.

I don't want everyone I interact with to have the same identifier for me. That's the problem with Social Security Numbers. With a single identifier, all the interactions with me can be cross-correlated to track me everywhere I go. Typically this is done NOT for my benefit, but to give some third party an advantage over me.

Every online service that I interact with gets a different identifier for me. Every one gets a different email address for me. If you send email to one, they mostly lead to the same mailbox, though that's not obvious from the addresses, and is under my later control. (Some of the email addresses that websites demand of me lead to places like mailinator.com, which offers free disposable email addresses that will let you read the one email message that "verifies" that this is a "real" email address, and then quietly file and discard all the spam that the websites send there subsequently.)

Provider A has no idea that I'm the same guy as Provider B's customer Joe. They don't need to know, and I prefer that they not know.

> OpenID essentially died. So did Mozilla's Personas. A bunch of RDF based
> protocols too. And many many more.

And, from my point of view, this is why they died. I had zero interest in helping third parties keep track of me everywhere, using the same identifier on widely varying sites. It's already hard enough work to keep Google out of my underwear when I don't even have an account with them. If I had the same account everywhere? Let's not go there. "Login with your Facebook account?" No thanks!!!

ssh public key authentication has this problem too. Its default is to assume that you want to use your same local identification to identify you to every remote site that you try to access. What a clueless idea. Luckily, ssh has survived despite this. If you avoid its whole public-key-per-user aspect, you can use it reliably with usernames and passwords, different on every site.

John
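
The ssh point in the message above comes down to which public keys a client offers to each server. As an added example (not part of the original message), this Python sketch audits an OpenSSH client config for Host blocks that share an `IdentityFile` or that lack `IdentitiesOnly yes` and so fall back to the client's default and agent keys. The sample config, host names and key paths are constructed, and wildcard, `Match` and `Include` handling is left out.

```python
import re
from collections import defaultdict

# Constructed sample ssh_config; host names and key paths are made up.
SAMPLE_CONFIG = """\
Host git.example.org
    IdentityFile ~/.ssh/id_git_example
    IdentitiesOnly yes
Host shell.example.net
    IdentityFile ~/.ssh/id_shared
    IdentitiesOnly yes
Host backup.example.com
    IdentityFile=~/.ssh/id_shared
    IdentitiesOnly yes
Host legacy.example.edu
    User joe
"""

def parse_blocks(text):
    """Map each Host pattern to its IdentityFile list and IdentitiesOnly flag."""
    blocks, current = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""]
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            current = value.split()
            for h in current:
                blocks.setdefault(h, {"keys": [], "identities_only": False})
        elif keyword == "identityfile":
            for h in current:
                blocks[h]["keys"].append(value)
        elif keyword == "identitiesonly":
            for h in current:
                blocks[h]["identities_only"] = value.lower() == "yes"
    return blocks

def audit(text):
    """Report keys offered to several hosts and hosts not pinned to one key."""
    blocks = parse_blocks(text)
    by_key = defaultdict(list)
    for host, b in blocks.items():
        for k in b["keys"]:
            by_key[k].append(host)
    shared = {k: sorted(h) for k, h in by_key.items() if len(h) > 1}
    unpinned = sorted(h for h, b in blocks.items() if not (b["keys"] and b["identities_only"]))
    return {"shared_keys": shared, "unpinned_hosts": unpinned}
```

A key listed under `shared_keys` lets the listed servers link the same user by comparing public keys; a host under `unpinned_hosts` is offered whatever default or agent keys the client holds.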