Re: On email and web security
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 01 January 2016 05:00 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09B2C1A0167 for <ietf@ietfa.amsl.com>; Thu, 31 Dec 2015 21:00:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.423
X-Spam-Level: *
X-Spam-Status: No, score=1.423 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THUhAkR73ZoE for <ietf@ietfa.amsl.com>; Thu, 31 Dec 2015 21:00:05 -0800 (PST)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4D931A0161 for <ietf@ietf.org>; Thu, 31 Dec 2015 21:00:04 -0800 (PST)
Received: by mail-lb0-x22e.google.com with SMTP id sv6so125688979lbb.0 for <ietf@ietf.org>; Thu, 31 Dec 2015 21:00:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=qJeDt+mEJNvm2cQHN2gwELl3KqWldclW/qdzJaPMfAI=; b=m4Z+VcsRFJRBgxrJMG5vKbzu+GeCzxzR/0x2pf750Q8ALMh4P77h4AGmdZTAChVFgu WPXo3TPbNiriwIlzC22Apdpy4aoZXNTfpHH18EJ483u8qz5v7Br3lBz0BamTS2jIieK3 6nyshGQc1Nm6d5IhvUDZj7YTv+jHus1r4LMGNrDLOwe5x5OsoAYNIZxXJyEOlnFyFyw0 yOp3/ZM2UzB+fLPhFfWEb6RovgfmLtLOmlcc3+7c4F+R/euqW7Dyc3X+9yPBNIiPcR3b wW1osX4N7LtvDgcUA4543DMaRyomFSmZxNHnQy2T0/yiCZfRA4FfA5ytXCxDWOBV0eMu AiUA==
MIME-Version: 1.0
X-Received: by 10.112.64.5 with SMTP id k5mr8107055lbs.133.1451624402888; Thu, 31 Dec 2015 21:00:02 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.33 with HTTP; Thu, 31 Dec 2015 21:00:02 -0800 (PST)
In-Reply-To: <13594.1451602033@obiwan.sandelman.ca>
References: <304F200F-CF0B-4C23-91F9-BFC06C41BDA8@cisco.com> <13594.1451602033@obiwan.sandelman.ca>
Date: Fri, 01 Jan 2016 00:00:02 -0500
X-Google-Sender-Auth: 9168owG1TfIgkESLoQ3GdRCNZU4
Message-ID: <CAMm+Lwi7dNvoXy6qit7h81c14iO0LB5y-Qnx8COQ4+_UJKg3xg@mail.gmail.com>
Subject: Re: On email and web security
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "ietf@ietf.org" <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c3eeb6e1ad8305283ea4f3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/AkfLUBGErBGGRul1e32pPW_BZa0>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jan 2016 05:00:07 -0000
The problem of messaging security right now is very similar to the problem we had early on with stopping spam. Whenever someone proposed a solution to problem X, they would be drowned out by a chorus of people saying that the REAL problem is Y and then someone would insist it is Z and then someone would demand that the solution work in zero gravity. There are many problems to be solved with messaging security and I think they are all solvable *in time*. There are problems that can be solved right now and there are problems that we can't address for a couple of years when some critical Intellectual Property is no longer encumbered. And there are problems that can't be solved without completely re-doing the messaging infrastructure. So here is the problem I have been working on recently. At the start of this thread Fred complained that he has a list of people's PGP keys and email addresses but can't send them encrypted mail. I have a PGP key on one of the key servers but I tell people not to use it because I don't have the private key. I installed a plug in, started the program and it uploaded the key to a server without asking me and didn't tell me how to delete it either. And it turns out that isn't possible. We can't get everyone using encrypted mail if we design products for outselves, like Fred pointed out. But another part of the problem is that these days we all have multiple devices and neither OpenPGP nor S/MIME has any mechanism that is suitable for managing that situation. No copying my private key file about is not a solution. A private key that is installed on more than one machine should be rolled over regularly. By which I mean once a month. So using fingerprints of public application keys isn't going to be an answer either. My point here is that the email security apps are not currently usable and there is no way to make them usable without standards support to automate the administrative tasks that are dumped onto the user. Which is what I have been building the Mathematical Mesh (MMM) to address. I have released the code: http://sourceforge.net/projects/mathematicalmesh/ Next week I will be working on some demonstrations. The bottom line is that any time that the user is given a set of instructions to follow, that set of instructions should be given to the computer instead as code. The prototype runs on windows and will configure unmodified Windows Live Mail to use S/MIME without the user needing to do anything other than say which applications they want to secure. The same approach can be applied to OpenPGP. But rather more interestingly, it can be applied to SSH as well and the same tool that simplified management of cryptographic configuration can be used to simplify network configuration as well. PHB
- On email and web security Fred Baker (fred)
- Re: On email and web security Paul Wouters
- Re: On email and web security Kathleen Moriarty
- Re: On email and web security Fernando Gont
- Re: On email and web security IETF Chair
- Re: On email and web security John Levine
- Re: On email and web security Michael Richardson
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Doug Royer
- Re: On email and web security Doug Royer
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security l.wood
- Re: On email and web security Steve Crocker
- Re: On email and web security John Levine
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Doug Barton
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Doug Barton
- Re: On email and web security Dave Cridland
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Doug Barton
- Re: On email and web security Doug Royer
- Re: On email and web security Matthew Kerwin
- Re: On email and web security Doug Royer
- Re: On email and web security John Levine
- Re: On email and web security Doug Barton
- Re: On email and web security John Levine
- Re: On email and web security Doug Barton
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security George Michaelson