IETF Logo Mail Archive

Proposed Proposed Statement on e-mail encryption at the IETF

"Joe Abley" <jabley@hopcount.ca> Tue, 02 June 2015 13:44 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 085F31A90BC for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 06:44:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uG8Rtz2Ydr3p for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 06:44:54 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E7D71A9093 for <ietf@ietf.org>; Tue, 2 Jun 2015 06:44:54 -0700 (PDT)
Received: by wiwd19 with SMTP id d19so19798054wiw.0 for <ietf@ietf.org>; Tue, 02 Jun 2015 06:44:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:to:subject:date:message-id:mime-version:content-type; bh=xVZdCOjvuJDhbrtxxrpmajYx0HClpxmhgGh8Ioi7S7w=; b=SGY8NHiJMTwYvYj6uaJcdM55opkujB3e7i6ywtWHmwmaBVC9yZU/I0AdD3O9cvSTgf /Vsv9SrCubomzdv84uWVMKoG5qgLMMlPfC1jzNOt/mqEuLfPiCeX6vI3bP38ye/TqkBw wscPnVOoZjAFBu6i9U5TqF+LYADzvZ0b0IazY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-type; bh=xVZdCOjvuJDhbrtxxrpmajYx0HClpxmhgGh8Ioi7S7w=; b=K1QYxetRlMk9M19x3nvDIE/tEzrUDMoVtx64nItXNgMVbp/AjwpbGzwSp3TYhbBMdc +WTr6MLicwX3apvb+LA1DdIYEAtaEx/ZDtJlhGc73qp751Tv+z93Q0pz3WTB7V1oGKNz oT3QxYQL590kxncWZYLO5f0jIWI7uX0EN5/HJtdYNwDfIpOVu58TKq4x+qSoKBXF6iKp NNL5hDiLPLQfwuUgFf+nwu0cm2juj4grRrfXR4187nC5rjbx3FFl/umZ1n0jgTUYVFYI Rkb9Vn09VKzMKwHnVKLVdBL/ob4+PCtni+SSHZg7w0iRwy0AQTuyDTmPdptjn8xC9B0d 9UXw==
X-Gm-Message-State: ALoCoQl21z3I1X9zuykslT2rgWOr8FdgI948gI1t//envR09ApFIZ+uzBEuRHwiBjpSJPYyGR0a6
X-Received: by 10.194.77.211 with SMTP id u19mr48606520wjw.19.1433252693148; Tue, 02 Jun 2015 06:44:53 -0700 (PDT)
Received: from [197.4.16.76] ([197.4.16.76]) by mx.google.com with ESMTPSA id ma15sm13196125wic.20.2015.06.02.06.44.50 for <ietf@ietf.org> (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 02 Jun 2015 06:44:51 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
To: IETF Discussion Mailing List <ietf@ietf.org>
Subject: Proposed Proposed Statement on e-mail encryption at the IETF
Date: Tue, 02 Jun 2015 14:44:47 +0100
Message-ID: <DD88F4E4-6BBA-4610-BB49-3158A26DF55B@hopcount.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_4D2C2072-FA5E-4702-8F09-45AABAFFA8DA_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.1r5084)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/c4mo4nfXtUBbgsZeGZH_qlL27M0>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 13:44:58 -0000

Hi all,

All this "HTTPS everywhere" mail collided for me this morning with a similar avalanche of press about Facebook's freshly-announced use of PGP:

https://www.facebook.com/notes/protecting-the-graph/securing-email-communications-from-facebook/1611941762379302

Mail to public mailing lists can already be signed (like this one is). It'd be nice if mailman didn't MITM the signed content, so that the signature can be validated. (Perhaps it will; I will find out after I hit send.) There's lots of other mail from individuals to closed groups like the IAB and the IESG and from IETF robots to individuals that *could* be encrypted, or at least signed. There is work here that *could* be done.

If the argument that we should use HTTPS everywhere (which I do not disagree with) is reasonable, it feels like an argument about sending encrypted e-mail whenever possible ought to be similarly reasonable. Given that so much of the work of the IETF happens over e-mail, a focus on HTTP seems a bit weird.

Note that this is not an attempt to start a conversation about whether PGP is usable, or whether S/MIME is better. I will fall off my chair in surprise if it doesn't turn into one, though.


Joe

v2.23.0 | Report a Bug | By Email