Re: Why are mail servers not also key servers?

Martin Thomson <martin.thomson@gmail.com> Sun, 23 April 2017 23:31 UTC

In-Reply-To: <20170421143112.28055.qmail@ary.lan>
References: <CABkgnnVmJf66ZJLToFm9_o34P3FswezVRFguuFrgMJeQv_TMgg@mail.gmail.com> <20170421143112.28055.qmail@ary.lan>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 24 Apr 2017 09:31:09 +1000
Message-ID: <CABkgnnUeoLOm=r1fBXw+r5FZobqHXLSbdQ9q=6i=PYkTEOrdfg@mail.gmail.com>
Subject: Re: Why are mail servers not also key servers?
To: John Levine <johnl@taugh.com>
Cc: "ietf@ietf.org" <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/0ef_0C8jWsnCs9AncTj3X0t7AsM>

On 22 April 2017 at 00:31, John Levine <johnl@taugh.com> wrote:
>>> If a recipient is cooperative, and sends you back a message signed
>>> with the same key to which you encrypted the message, that tells you
>>> he got it, but that's not a very interesting case.
>>
>> It's also abuse of the cryptographic primitives, I hope that this
>> isn't really how it works and you are eliding certain key details.
>
> It doesn't use the same session key, it uses the same public key.  It's
> not obvious to me why that would be wrong.

https://tools.ietf.org/html/rfc8017#section-6

If you are using ECDSA/ECDH, then you can also commit the same abuses.
Historically, keys were saved with an "EC" type, and can be used for
either interchangeably (the library I work on commits this sin).  In
the case of EC, there isn't a known path from use of ECDSA to abuse of
ECDH and vice versa, but it isn't known to be safe either.

This is much harder, if not possible with the X25519/Ed25519 pair,
because no library will support you in this.
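
Added example (not part of the original message, and not code from any library it mentions): a toy textbook-RSA sketch of the one-key-pair-per-scheme advice in RFC 8017 section 6. It shows that a key stored without a purpose performs the same private operation for "sign" and "decrypt", and that a key handle carrying its purpose refuses the cross-use. The `PrivateKey` handle, `Purpose` tags, helper names and the tiny parameters are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Toy textbook-RSA numbers, constructed for this example; far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


class Purpose(Enum):
    SIGN = "sign"
    DECRYPT = "decrypt"


class KeyPurposeError(Exception):
    """Raised when a key is asked to do something it was not issued for."""


@dataclass(frozen=True)
class PrivateKey:
    """Hypothetical key handle that stores its purpose with the key material."""
    d: int
    n: int
    purpose: Purpose

    def _private_op(self, value: int, wanted: Purpose) -> int:
        if self.purpose is not wanted:
            raise KeyPurposeError(f"{self.purpose.value} key refused for {wanted.value}")
        return pow(value, self.d, self.n)

    def sign(self, digest: int) -> int:
        return self._private_op(digest, Purpose.SIGN)

    def decrypt(self, ciphertext: int) -> int:
        return self._private_op(ciphertext, Purpose.DECRYPT)


def untyped_private_op(value: int) -> int:
    """A key saved with no purpose: 'sign' and 'decrypt' are the same call."""
    return pow(value, D, N)


def cross_use_refused(key: PrivateKey, ciphertext: int) -> bool:
    """True when the purpose-bound key refuses to sign a ciphertext."""
    try:
        key.sign(ciphertext)
    except KeyPurposeError:
        return True
    return False
```

Real deployments generate a separate key pair per purpose rather than tagging one set of key material twice, and real schemes add padding that this toy omits.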