Re: Why are mail servers not also key servers?

Doug Royer <douglasroyer@gmail.com> Fri, 21 April 2017 13:53 UTC

Subject: Re: Why are mail servers not also key servers?
To: ietf@ietf.org
References: <849511c0-6526-ecbe-2b56-7b459eaf010b@hawaii.edu> <B897A3A3-4A47-4C74-B79F-4F93C86A338C@gmail.com> <82ab9e4d-05ba-bc39-c7d1-bda6ee8d9be5@hawaii.edu> <32b6bba4-cd4b-167f-b3d1-36733d1504c2@gmail.com> <20170421133535.GA21229@gsp.org>
From: Doug Royer <douglasroyer@gmail.com>
Organization: http://SoftwareAndServices.NET
Message-ID: <9440cd43-d8d9-8950-cdc7-bbf9fd2d7a91@gmail.com>
Date: Fri, 21 Apr 2017 07:53:11 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.0
MIME-Version: 1.0
In-Reply-To: <20170421133535.GA21229@gsp.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060504050000080608010500"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/4rJwLW37h3KCCChhPHk2pixQKAM>

On 04/21/2017 07:35 AM, Rich Kulawiec wrote:
> On Thu, Apr 20, 2017 at 11:48:04AM -0600, Doug Royer wrote:
>> I would like to see an extension so that the MUA could contact the
>> destination server (perhaps their MX record host) and get a user's PUBLIC
>> key. Perhaps (just an idea - no screaming please) a new TXT record type that
>> points to the domain's PubKey server.
> 
> How's this going to work when the MUA is:
> 
> 	- running on a host that's not connected to the 'net
> 	- running on a host that can't connect to MX's (because
> 		of local firewall rules)
> 	- running on a host that can't connect to MX's (because
> 		they're unreachable or down)
> 	- running on a host that can't connect to MX's (because
> 		they no longer exist)
> 	- running on a host that can connect to the MX's but can't
> 		get the user's public key because the user is no
> 		longer valid
> 	- and so on
> 
> There are way too many failure modes here that will render messages that
> have already been received either temporarily or permanently unreadable.

Currently, if you need to send an encrypted email to someone, and you
cannot get their public key - same results. No change. It does not
break anything that is not already broken.

You only need their public key when you want to send them encrypted
email first. If you're happy with first a signed one, then encrypted one,
then you do not need to look one up.

Automated email might have a hard time performing the signed email 
exchange first, followed by the encrypted email. Humans could do it 
manually and only be slightly annoyed at the extra step.

No matter what kind of public key lookup service is designed, if you
cannot reach it, it is not going to work.

-- 

Doug Royer - (http://DougRoyer.US  http://goo.gl/yrxJTu )
DouglasRoyer@gmail.com
714-989-6135