IETF Logo Mail Archive

Re: Proposed Proposed Statement on e-mail encryption at the IETF

Warren Kumari <warren@kumari.net> Wed, 03 June 2015 13:41 UTC

Return-Path: <warren@kumari.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B5D21A87C7 for <ietf@ietfa.amsl.com>; Wed, 3 Jun 2015 06:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ZB7CvDGXMOl for <ietf@ietfa.amsl.com>; Wed, 3 Jun 2015 06:41:49 -0700 (PDT)
Received: from mail-oi0-f43.google.com (mail-oi0-f43.google.com [209.85.218.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEB361A8761 for <ietf@ietf.org>; Wed, 3 Jun 2015 06:41:48 -0700 (PDT)
Received: by oifu123 with SMTP id u123so7330827oif.1 for <ietf@ietf.org>; Wed, 03 Jun 2015 06:41:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=5wA/VS+/u1+21sH19IsfX+m5QwVsy7HHOV+S+ZM8q0A=; b=A3d9PJarwH/0LBd3vYdqSCZSHsIBoYcPZ4t8hV3byTIKq/GpI0aAx6baisXzEL+J5z LgxI+x3RLWE1BZGkv+OQnBwKwYAoalYOscgQgKw1GITtoaYV0i1BbYCEPxgaCsyvK1bQ SH7A1rlTb0jM9PwA9/78MZfMqz73irBDC8F9jpWIZQD/m0ADFuiuKtZX3ywhjuE7lDOz M955AiZnO4wD9Sds+e9t2z+0tSUhDAkw+Q+76ElujV/srSTu3kMZ0BrElQyA4rKo38Se YgGD8hsi20zCIp1XIZDdIbkGWtGbwWPuYWwxOgfWC0bV8vauvb4pmdJY/wIOUyhTGeCA qxGg==
X-Gm-Message-State: ALoCoQmh0o0uuO+WbEDEXmwSaBohi+yow9KEjF5Ux2+RyclwgP3TPiro/FhjFwzJx1yACw+WigiP
MIME-Version: 1.0
X-Received: by 10.202.137.78 with SMTP id l75mr7450464oid.110.1433338908184; Wed, 03 Jun 2015 06:41:48 -0700 (PDT)
Received: by 10.202.196.75 with HTTP; Wed, 3 Jun 2015 06:41:48 -0700 (PDT)
In-Reply-To: <20150602175906.GO17122@localhost>
References: <DD88F4E4-6BBA-4610-BB49-3158A26DF55B@hopcount.ca> <2DA10E34-02DA-4245-9031-8C0F2749461D@vpnc.org> <20150602175906.GO17122@localhost>
Date: Wed, 03 Jun 2015 09:41:48 -0400
Message-ID: <CAHw9_iJYj+5rCftN6_OGfbfvq88Uu2D0NEMXhPqky_BAE4ZPmA@mail.gmail.com>
Subject: Re: Proposed Proposed Statement on e-mail encryption at the IETF
From: Warren Kumari <warren@kumari.net>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/0CIp6UROWULpIhVE9llFwgd2BFM>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 13:41:50 -0000

On Tue, Jun 2, 2015 at 1:59 PM, Nico Williams <nico@cryptonector.com> wrote:
> On Tue, Jun 02, 2015 at 10:15:54AM -0700, Paul Hoffman wrote:
>> On Jun 2, 2015, at 6:44 AM, Joe Abley <jabley@hopcount.ca> wrote:
>> > If the argument that we should use HTTPS everywhere (which I do not
>> > disagree with) is reasonable, it feels like an argument about
>> > sending encrypted e-mail whenever possible ought to be similarly
>> > reasonable. Given that so much of the work of the IETF happens over
>> > e-mail, a focus on HTTP seems a bit weird.
>
> There is no point to PGP encryption when posting to *public* mailing
> lists, not even if done by the list processor (which is the only way
> that makes sense).
>
> SMTP, however, should use TLS, opportunistically or with DANE, as they
> don't know whether a destination of a message they are transmitting is
> a public list.
>
> MUAs really must use TLS for SUBMIT as well.
>
>> This is a terrible idea. If the IETF mailer thinks it knows my PGP
>> encryption key, and I don't because I have lost it or invalidated it,
>> [...]
>
> Yes, but if we limit this to just SMTP, of course the ietf.org MTAs
> should support TLS, and they should have TLSA RRs for DANE.

The ietf.org MTA does support TLS:
wkumari$ dig +short MX ietf.org
0 mail.ietf.org.
wkumari$ echo -e 'EHLO example.com\nquit' | nc mail.ietf.org 25 | grep START
250-STARTTLS

There also is a DANE record:

wkumari$ dig +short TLSA _25._tcp.mail.ietf.org
3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7CB23E5B514B566 64C5D3D6

(thanks to Glen and Matt for having set this up, and Viktor for all of
his work helping with the TLSA record and getting DANE support into
Postfix)

W

>
> Nico
> --
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email