Treat model (was: Re: dane-openpgp 2nd LC resolution)

John C Klensin <> Sun, 13 March 2016 15:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7CC1712D5CB for <>; Sun, 13 Mar 2016 08:40:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dXOP_0L2RKBD for <>; Sun, 13 Mar 2016 08:40:46 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B9E0B12D5C2 for <>; Sun, 13 Mar 2016 08:40:46 -0700 (PDT)
Received: from ([] by with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <>) id 1af88K-000AR7-Gu; Sun, 13 Mar 2016 11:40:44 -0400
Date: Sun, 13 Mar 2016 11:40:39 -0400
From: John C Klensin <>
To: Paul Wouters <>, Doug Barton <>
Subject: Treat model (was: Re: dane-openpgp 2nd LC resolution)
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Archived-At: <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 13 Mar 2016 15:40:48 -0000

Part 2 of 2 -- see introduction to immediately prior note.

--On Saturday, March 12, 2016 12:15 PM -0800 Doug Barton
<> wrote:

> Given that the DNS RR in question is something the end user
> has to explicitly request, the danger is not immediately
> obvious to me.

--On Saturday, March 12, 2016 4:09 PM -0500 Paul Wouters
<> wrote:

> 2 In an email server has and,
> AND these are different users, then instead of JUST mailing
> the wrong user in plaintext, the wrong user is emailed
> encrypted to that user. This is functionaly still better than
> the current deployment, since only 1 wrong user can see the
> (encrypted) email instead of everyone on the path plus the
> user who can see the never-encrypted email.

That depends entirely on the threat model you are concerned
about.   I (and others) have repeatedly asked that you be
explicit in the I-D about applicable threat models (aka "the
problem you are trying to solve") in more specificity then you
have now and that you see if you can get consensus.   If the
goal is to try to get more email on the Internet encrypted as an
"opportunistic" matter, then certainly your reasoning is
correct, perhaps modulo one other issue.

In our quest for more privacy, language like "everyone on the
path" implies something similar to letters being posted in shop
windows for public viewing before being delivered (or as a means
of delivery).  The reality is the most ISPs, and most operators
of mail servers and relays, take at least some measures (often
strong ones) to ensure that the collection of people who can get
to a message in transit is very restricted and a lot short of
"everyone".  Yes, those measures, and the ISPs and mail
providers themselves, can be subverted or forced to expose
message traffic, but the parties who can do that aren't
"everyone" either.  If one is interested in attacks from them
--either on you or as part of a pervasive surveillance effort--
then the threat model changes quite a bit.

In particular, if a user has a sensitive information to
transmit, information that will not be transmitted at all unless
there is high assurance that it will go encrypted and encrypted
in the key of the right party, then the choice between "one
wrong person sees it" and "everyone sees it" is a not-starter.
With the treat model implied by that sort "must go encrypted"
model for sensitive material, the alternative to "correctly
encrypted" is "don't send" and sending and delivering to the
wrong party, encrypted with that party's key, is a disaster.

In the hope of avoiding a rat hole, the above has nothing to do
with the argument that everything should be encrypted to provide
cover for the sensitive stuff or make life harder for those
involved in pervasive surveillance.  If one believes that
everything should be encrypted, then it may be ok be less
careful about how messages that are less sensitive are encrypted
(keys found, etc.) than for ones containing really sensitive


p.s. See last paragraph of part 1 for comments -- slightly less
applicable here -- about the relationship of this discussion to
the dane-openpgp draft.