IETF Logo Mail Archive

Re: Proposed Proposed Statement on e-mail encryption at the IETF

Hector Santos <hsantos@isdg.net> Tue, 02 June 2015 14:41 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83AAA1ACD28 for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 07:41:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.002
X-Spam-Level:
X-Spam-Status: No, score=-102.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9U1S9HErZvP for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 07:41:16 -0700 (PDT)
Received: from winserver.com (ntbbs.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 44DD21ACD13 for <ietf@ietf.org>; Tue, 2 Jun 2015 07:41:06 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2371; t=1433256056; atps=ietf.org; atpsh=sha1; h=Received:Received:Message-Id:From:Subject:Date:To:Organization: List-ID; bh=2JYr1Mk5YsjJmtSjZ7OQTYwppeU=; b=w2YpDFeei0U9d3dr+u4E NibZ56WLB2CyrE98scjgTv4d1i2/0Tq/qP+L3SgMiknuKRcRLenZ5Vm3Uc5qPCD1 ySGZkGSsybvtL6YGsy9uvAtvhbgwf/RwXL4tGLj59wqJZSWRS2HZAb/efA4vBtcw nkjB/pP3gggGkk30oGiQBRg=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Tue, 02 Jun 2015 10:40:56 -0400
Received: from [192.168.1.220] (99-3-146-30.lightspeed.miamfl.sbcglobal.net [99.3.146.30]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2671056399.7660.4364; Tue, 02 Jun 2015 10:40:56 -0400
References: <DD88F4E4-6BBA-4610-BB49-3158A26DF55B@hopcount.ca>
Mime-Version: 1.0 (1.0)
In-Reply-To: <DD88F4E4-6BBA-4610-BB49-3158A26DF55B@hopcount.ca>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <87BBE966-F1B4-4ACE-81B2-57A1A2545523@isdg.net>
X-Mailer: iPad Mail (12B435)
From: Hector Santos <hsantos@isdg.net>
Subject: Re: Proposed Proposed Statement on e-mail encryption at the IETF
Date: Tue, 02 Jun 2015 10:40:55 -0400
To: Joe Abley <jabley@hopcount.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/edpLtV3iIkmX35EIiconDjEaArY>
Cc: IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 14:41:18 -0000


> On Jun 2, 2015, at 9:44 AM, Joe Abley <jabley@hopcount.ca> wrote:
> 
> Hi all,
> 
> All this "HTTPS everywhere" mail collided for me this morning with a similar avalanche of press about Facebook's freshly-announced use of PGP:
> 
> https://www.facebook.com/notes/protecting-the-graph/securing-email-communications-from-facebook/1611941762379302
> 
> Mail to public mailing lists can already be signed (like this one is). It'd be nice if mailman didn't MITM the signed content, so that the signature can be validated. (Perhaps it will; I will find out after I hit send.) There's lots of other mail from individuals to closed groups like the IAB and the IESG and from IETF robots to individuals that *could* be encrypted, or at least signed. There is work here that *could* be done.

You should see the convolution being developed with DKIM V1/V2 Dual Signatures;  V1 strong on the first path leg (submission), a new V2 weaker derivative on the second path (mailing list distribution).  Why?  Mail folks wanting to avoid the DNS folks (requirements) for the most part. 

Rhetorically , Whats the point about worrying about anything security related when we break our own protocols and seem more interested in fast tracking less quality work, albeit pertinent  to some market leader but not as a IETF community whole work?  


> 
> If the argument that we should use HTTPS everywhere (which I do not disagree with) is reasonable, it feels like an argument about sending encrypted e-mail whenever possible ought to be similarly reasonable. Given that so much of the work of the IETF happens over e-mail, a focus on HTTP seems a bit weird.

It does seems weird.  if you in a market where it is required, i.e. PCI,  some applications do need it to be out of the box.  But not all applications and data exchanges need this overhead and there remains many legacy markets, mission critical too, that are not able to implement it, especially on the client side. It's a market niche for my company.


> Note that this is not an attempt to start a conversation about whether PGP is usable, or whether S/MIME is better. I will fall off my chair in surprise if it doesn't turn into one, though.
> 


Thanks for the laugh. 

--
Hector Santos
http://www.santronics.comi

v2.23.0 | Report a Bug | By Email