IETF Logo Mail Archive

Re: [Endymail] Another view of the problem and what the IETF could do

Leo Vegoda <leo@vegoda.org> Tue, 02 September 2014 16:02 UTC

Return-Path: <leo@vegoda.org>
X-Original-To: endymail@ietfa.amsl.com
Delivered-To: endymail@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44F6E1A06EE for <endymail@ietfa.amsl.com>; Tue, 2 Sep 2014 09:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZIdeQnwlAYyI for <endymail@ietfa.amsl.com>; Tue, 2 Sep 2014 09:02:18 -0700 (PDT)
Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com [74.125.82.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AEB21A064F for <endymail@ietf.org>; Tue, 2 Sep 2014 09:02:18 -0700 (PDT)
Received: by mail-wg0-f50.google.com with SMTP id x12so7017573wgg.21 for <endymail@ietf.org>; Tue, 02 Sep 2014 09:02:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; bh=gPMSe/mPtKrGxSHdLQIeqDGK1hpdLQ+GWd6+GFQHLeI=; b=D3o5nJvO8ibMtE/Fx8el4JyM9wWLboLpyd6hDIEuMZSHxBpU9CV7B4VUu4TmWoK6TR W23DeTPOmTpRNvSR1ErS4mtPUQ79TVs4Eya5rvAgQxg+eyVc/BrXZXKBLgQM3QeyRN64 QQLtW/lYQ/xHf1leUwY0lhLxvqimoc4+UXprTzaqp88r0N1OSVa47JALHL8Dl4AZVYoH zX8tE+JnukYevry2BIzXbL9blvKhNuIp0xLUxmQHyeY/PwiDXbLC+/N8V9qdP11ChHLm rGyvmJIExdV9XsI2ovOwpMpp+PcgTXxxTXnpZa0/OqtCoU7n484SxXQ6IzKuvnVsGdwe kM4w==
X-Gm-Message-State: ALoCoQkdpscZLLg44MJCqxIIIfK85u/NpbLOXfuvQAhfGs3FIBmN2qZcQsLVpXsl6Y8t1JnzyCRH
X-Received: by 10.180.149.244 with SMTP id ud20mr29162077wib.55.1409673736674; Tue, 02 Sep 2014 09:02:16 -0700 (PDT)
Received: from vegoda.org (v6only.vegoda.org. [2a00:1098:0:86:1000:26:0:1]) by mx.google.com with ESMTPSA id ky3sm10320060wjb.39.2014.09.02.09.02.15 for <multiple recipients> (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Tue, 02 Sep 2014 09:02:15 -0700 (PDT)
Date: Tue, 2 Sep 2014 17:02:06 +0100
From: Leo Vegoda <leo@vegoda.org>
To: Steffen Nurpmeso <sdaoden@yandex.com>
Message-ID: <20140902160206.GA7900@vegoda.org>
References: <CAHBU6iuxfqs9RszSaJLaTV_obKBCJ9Pzii+t9XANN3q+bJm-3Q@mail.gmail.com> <878um3prio.fsf@vigenere.g10code.de> <cddbc815-a98a-48e5-8dea-c3d8a68ca4d9@gulbrandsen.priv.no> <87y4u2laqh.fsf@vigenere.g10code.de> <20140902114217.lp_a_yD8%sdaoden@yandex.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20140902114217.lp_a_yD8%sdaoden@yandex.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/endymail/zBuoiV_AFbX_tdkaMlzG2xhvI-Y
Cc: Werner Koch <wk@gnupg.org>, Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>, endymail@ietf.org
Subject: Re: [Endymail] Another view of the problem and what the IETF could do
X-BeenThere: endymail@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <endymail.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/endymail>, <mailto:endymail-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/endymail/>
List-Post: <mailto:endymail@ietf.org>
List-Help: <mailto:endymail-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/endymail>, <mailto:endymail-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Sep 2014 16:02:20 -0000

On Tue, Sep 02, 2014 at 12:42:17PM +0200, Steffen Nurpmeso wrote:

[...]

> If with introduction of the new german passport every receiver had
> also obtained a set of usable PGP and OpenSSL S/MIME keys and/or
> certificates -- at best with a small info flyer which would have
> shown how to import those into the tools of the most widespread
> operating systems -- the situation would surely be better in
> Germany.

I think it is much easier to impersonate someone by e-mail when you
have the private key to their identity than when you steal a
passport. The picture in the passport means that most men cannot use
a stolen woman's passport, and most kids cannot use an older
person's passport, and so on. But with the private key to an
identity someone can be impersonated over e-mail by almost anyone.

For these reasons, I do not think that handing out cryptographic
identities would be responsible unless there was a suitable key
management framework for people to use and they knew how to use it.

[...]

> Providers could include a free certificate with each account,
> which would enable their users to choose security by themselves
> (on a per-provider basis).

Do you mean providers of e-mail services? 

Handing out cryptographic identity certificates or similar to people
who do not understand the risks or benefits and do not have a
suitable key management framework doesn't seem a great idea to me.

I think it makes more sense to start with the fundamentals rather
than hoping they'll come along some time after widespread
deployment.

v2.8.7 | Report a Bug | By Email