Re: email standards (was: Re: facilitators at ietf@ietf.org)
Scott Kitterman <scott@kitterman.com> Tue, 23 September 2014 21:17 UTC
From: Scott Kitterman <scott@kitterman.com>
To: IETF <ietf@ietf.org>
Subject: Re: email standards (was: Re: facilitators at ietf@ietf.org)
Date: Tue, 23 Sep 2014 17:17:49 -0400
Message-ID: <1454468.3R9eHDD3Io@scott-latitude-e6320>
User-Agent: KMail/4.13.3 (Linux/3.13.0-35-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <A94EB0C46B51C2E2AD3A3BAA@JcK-HP8200.jck.com>
References: <E6D4B18F-9533-4EE1-A794-526094893D3C@ietf.org> <CAMm+LwjxOiFsWcCZoGcaqaF3fv6XBOK8LhQdzWJsigYvQQ4-kg@mail.gmail.com> <A94EB0C46B51C2E2AD3A3BAA@JcK-HP8200.jck.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-AV-Checked: ClamAV using ClamSMTP
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/fOlHivsPKbkfFW9iuugUwEHtgVA
On Tuesday, September 23, 2014 16:48:29 John C Klensin wrote:
> --On Tuesday, September 23, 2014 16:08 -0400 Phillip
> Hallam-Baker <phill@hallambaker.com> wrote:
>
> >> Surely PHB isn't saying that SMTP and the email format docs
> >> are incompatible? That would be a nonsensical assertion,
> >> since they are separate layers (the one is used to transport
> >> the other). Perhaps there are two different email standards
> >> that perform the same functions but are incompatible?
> >> Perhaps S/MIME and PGP? Or perhaps two different security
> >> related email specs?
> >
> > I meant two secure email standards. Empirically we have two
> > right now, S/MIME and PGP.
> >
> > Since I was talking about security, I thought it was obvious
> > from the context.
>
> Nothing about your note made that clear -- it didn't mention
> security generally and you said "email standards". Be that as
> it may, I think you are overlooking a key aspect of the PGP
> versus S/MIME problem. Suppose we actually did have two sets
> of email standards, one using SMTP transport with 822-style
> "field-name: value-string" headers (as we have today) and the
> other of which used SMTP (to avoid making this completely
> unrealistic) with ASN.1-like coded X.400-like inner envelope
> header structure. There would certainly be a reasonable
> complaint that we had specified two different ways to do the
> same thing with only subtle differences in capabilities between
> them.
>
> But it seems to me that S/MIME and PGP represent two
> fundamentally different trust models. The first is based on a
> certificate hierarchy model, one that would have very good
> international scaling properties had we actually figured out how
> to make a global single-purpose PKI work and be trusted. Worse,
> absent that type of PKI, it was very hard to think about how to
> bootstrap the system, at least without pushing decisions about
> which certification authorities to trust back to end users who
> had absolutely no basis on which to make those choices. The
> second is based on a web of trust arrangement that most of us
> knew at the time wouldn't scale well internationally nor be
> usable among parties who didn't have at least a second, or
> possibly third, "degree" of connection but that was far easier
> to bootstrap than something that assumed a global PKI.
>
> Now it is certainly possible to imagine a message format that
> would have more commonalities than we ended up with. We
> actually had standards-track specifications for such a format,
> in the form of RFC 1421ff and the earlier RFC1113ff. I think
> it is reasonable to summarize PEM by saying it went nowhere
> except that we might have learned a bit from it in building
> S/MIME and/or OpenPGP.
>
> So, we are now at a point at which neither OpenPGP nor S/MIME
> has achieved wide adoption and use. We have learned such things
> we (at least some of us) didn't anticipate. In S/MIME's case,
> that notably includes issues of trust in CAs and the
> effectively-dictatorial (or oligarchic) authority of browser
> vendors to determine CA usability. In OpenPGP's case, we have
> demonstrated some of the scaling and key management issues that
> some people anticipated all along.
>
> You seem to believe that more commonality of formats would have
> left us in better shape today. Because I think the problem is
> the irreconcilable difference in trust model and relationships,
> I believe it would have made almost no difference at all (even
> if it were a good idea). You could be right but, if you want to
> make that case, please try to do so in a way that the rest of us
> can understand rather than, e.g., making broad assertions about
> causes and implications of the IETF's failure to generate a
> single standard for secure/encrypted email or email more
> generally.

+1. I use both OpenPGP and S/MIME on a regular basis and in no case where I use one would the other be suitable, primarily because of the differences in trust models you describe. While they both sign/encrypt email, their use cases are disjoint in my experience.

Scott K