Re: Why are mail servers not also key servers?

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 24 April 2017 12:28 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 24 Apr 2017 08:28:40 -0400
To: Martin Thomson <martin.thomson@gmail.com>
Cc: John Levine <johnl@taugh.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: Why are mail servers not also key servers?
In-Reply-To: <CABkgnnUeoLOm=r1fBXw+r5FZobqHXLSbdQ9q=6i=PYkTEOrdfg@mail.gmail.com>
References: <CABkgnnVmJf66ZJLToFm9_o34P3FswezVRFguuFrgMJeQv_TMgg@mail.gmail.com> <20170421143112.28055.qmail@ary.lan> <CABkgnnUeoLOm=r1fBXw+r5FZobqHXLSbdQ9q=6i=PYkTEOrdfg@mail.gmail.com>
Message-ID: <CAMm+Lwh80TnDmw90zyATyMy3gmK_wE==fZFW1u8qVc0OoLEJ6Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/a150OQQF_YFX9nuTSzVx6GXUqdk>

On Sun, Apr 23, 2017 at 7:31 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 22 April 2017 at 00:31, John Levine <johnl@taugh.com> wrote:
> >>> If a recipient is cooperative, and sends you back a message signed
> >>> with the same key to which you encrypted the message, that tells you
> >>> he got it, but that's not a very interesting case.
> >>
> >>It's also abuse of the cryptographic primitives, I hope that this
> >>isn't really how it works and you are eliding certain key details.
> >
> > It doesn't use the same session key, it uses the same public key.  It's
> > not obvious to me why that would be wrong.
>
> https://tools.ietf.org/html/rfc8017#section-6
>
> If you are using ECDSA/ECDH, then you can also commit the same abuses.
> Historically, keys were saved with an "EC" type, and can be used for
> either interchangeably (the library I work on commits this sin).  In
> the case of EC, there isn't a known path from use of ECDSA to abuse of
> ECDH and vice versa, but it isn't known to be safe either.
>
> This is much harder, if not possible with the X25519/Ed25519 pair,
> because no library will support you in this.
>
>
That isn't actually true. My library supports encryption on the Ed25519
curve and it does it for a very specific reason.

The Montgomery curves are only designed to support scalar multiplication;
they don't expose a primitive for point addition because you don't need
that for operations using EC keys. You do need EC addition for operations
on keys, however, and that is what a lot of my code does.
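The two points made in this exchange, that one clamped scalar serves both the Ed25519 and X25519 curves and that point addition on public keys is something the Montgomery ladder does not give you, can be checked directly. The block below is an added illustration; it is not code from this message, from the author's library, or from any production implementation. It implements the Ed25519 twisted Edwards arithmetic and the RFC 7748 X25519 ladder in plain Python, shows that the Edwards public point of a seed maps onto the X25519 public key of the same clamped scalar via u = (1 + y)/(1 - y), and then adds two public keys on the Edwards curve, something the x-only form cannot do because u(A1 + A2) and u(A1 - A2) are both consistent with u(A1) and u(A2). The seeds are constructed for the demo and the helper names are the example's own.

```python
"""Ed25519 (Edwards) versus X25519 (Montgomery) key arithmetic: one clamped
scalar serves both curves, and point addition on public keys exists only in
the Edwards form. Added illustration, not the thread author's library code.
Affine pure-Python arithmetic, not constant time: study only."""
import hashlib

p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point

def inv(x):
    return pow(x, p - 2, p)

d = (-121665 * inv(121666)) % p  # Ed25519 curve constant

# twisted Edwards curve -x^2 + y^2 = 1 + d x^2 y^2 (Ed25519)
def ed_add(P, Q):
    """Complete affine addition law: also covers doubling and the identity."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * inv(1 + t) % p
    y3 = (y1 * y2 + x1 * x2) * inv(1 - t) % p
    return (x3, y3)

def ed_neg(P):
    return ((p - P[0]) % p, P[1])

def ed_mul(k, P):
    """Left-to-right double-and-add (leaks the scalar; fine for a demo)."""
    R = (0, 1)  # neutral element
    for bit in reversed(range(k.bit_length())):
        R = ed_add(R, R)
        if (k >> bit) & 1:
            R = ed_add(R, P)
    return R

def recover_x(y, sign):
    """x from y and the sign bit, RFC 8032 section 5.1.3."""
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    if (x * x - x2) % p:
        raise ValueError("y is not the y-coordinate of a curve point")
    return x if (x & 1) == sign else p - x

B_y = 4 * inv(5) % p
B = (recover_x(B_y, 0), B_y)  # Ed25519 base point

def clamp(b32):
    """RFC 7748 / RFC 8032 clamping of a 32-byte little-endian scalar."""
    a = int.from_bytes(b32, "little")
    return (a & ~7 & ((1 << 254) - 1)) | (1 << 254)

def ed25519_scalar(seed):
    """Secret scalar from a 32-byte seed, RFC 8032 section 5.1.5."""
    return clamp(hashlib.sha512(seed).digest()[:32])

# Montgomery curve v^2 = u^3 + 486662 u^2 + u (X25519)
def x25519(k, u):
    """RFC 7748 ladder: x-only scalar multiplication; no point addition."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        A, Bm = (x2 + z2) % p, (x2 - z2) % p
        AA, BB = A * A % p, Bm * Bm % p
        E = (AA - BB) % p
        C, D = (x3 + z3) % p, (x3 - z3) % p
        DA, CB = D * A % p, C * Bm % p
        x3, z3 = (DA + CB) ** 2 % p, x1 * (DA - CB) ** 2 % p
        x2, z2 = AA * BB % p, E * (AA + 121665 * E) % p
    if swap:
        x2, z2 = x3, z3
    return x2 * inv(z2) % p

def ed_to_mont_u(P):
    """Birational map to the Montgomery u-coordinate: u = (1 + y) / (1 - y)."""
    return (1 + P[1]) * inv(1 - P[1]) % p

def same_scalar_both_curves(seed):
    """The Ed25519 public point of a seed maps onto its X25519 public key."""
    a = ed25519_scalar(seed)
    return ed_to_mont_u(ed_mul(a, B)) == x25519(a, 9)

def combine_keys(seed1, seed2):
    """Add two public keys on the Edwards curve; check the result is the
    public key of the added secrets; show why x-only arithmetic cannot."""
    a1, a2 = ed25519_scalar(seed1), ed25519_scalar(seed2)
    A1, A2 = ed_mul(a1, B), ed_mul(a2, B)
    A_sum = ed_add(A1, A2)
    additive = A_sum == ed_mul((a1 + a2) % L, B)
    # -A2 shares u with A2, yet A1 + A2 and A1 - A2 have different u:
    # from u(A1) and u(A2) alone the sum is not determined.
    u_same = ed_to_mont_u(A2) == ed_to_mont_u(ed_neg(A2))
    u_diff = ed_to_mont_u(A_sum) != ed_to_mont_u(ed_add(A1, ed_neg(A2)))
    return additive, u_same, u_diff

if __name__ == "__main__":
    s1, s2 = bytes(range(32)), bytes(range(32, 64))  # constructed demo seeds
    print(same_scalar_both_curves(s1), combine_keys(s1, s2))
```

The Edwards and Montgomery paths share no code, so their agreement on every seed is a check on both implementations at once; the base point itself maps to u = 9. Note that reusing one scalar for signing and key agreement being arithmetically possible says nothing about whether it is safe, which is the question the thread is arguing about.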