Re: On email and web security

Doug Barton <dougb@dougbarton.us> Wed, 13 January 2016 01:32 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/faCJ8m8CuoCigg_SRF6tUaI50_M>
List-Id: IETF-Discussion <ietf.ietf.org>

On 01/02/2016 09:13 AM, Phillip Hallam-Baker wrote:
> On Sat, Jan 2, 2016 at 2:25 AM,  <l.wood@surrey.ac.uk> wrote:
>>
>> "If Alice wants to encrypt the message for a group of people, she has to encrypt the message for every member of the group."
>>
>> really? not encrypt the message to a random key, then encrypt that key separately to each member? much less processing...
>
> That is how it is done under the covers, yes. But that is the sort of
> optimization that I assume everyone knows.
>
>
> With standard S/MIME or PGP, the final message has a decryption blob
> for every recipient. So if you are sending to the IETF list, there are
> three consequences:
>
> 1) The sender has to know the entire recipient list
> 2) Every message sent reveals the entire recipient list

Not necessarily ... there are ways to encrypt a message without 
revealing the encryption keys that it was encrypted to. They are 
slightly messier for each list member to decrypt if they have multiple 
keys, but for users who only have single keys they are actually quite 
painless.

> 3) The recipient list cannot be expanded after the message is sent

That's no worse than current mailing list software.

> Using the recryption approach, the sender only encrypts the message
> once, to the key corresponding to the group (or security label if you
> want to think of it that way). So messages don't disclose anything
> about the other list members.
>
> This isn't just better security, it is a lot easier to implement
> because senders don't need extraneous information. It is also more
> manageable because a member added to the list after the fact can read
> all the messages in the archive.

Doesn't this require each member to have the group's private key so that 
they can decrypt the messages? I thought (but have not verified) that 
such systems decrypt the message with the group's private key, then 
re-encrypt it to the public keys of the list members at that point in time.

That would mean of course that you would only be able to decrypt 
messages from the time period where you were a member of the list.

Doug
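
Added example, not part of the original message and not code from any PGP or S/MIME implementation: a toy sketch of the per-recipient "decryption blob" layout discussed in this thread, showing one session key wrapped once per recipient, what the key IDs disclose, and how hidden key IDs force trial decryption. The function names, the dictionary layout, and the parameters P and G are assumptions made for illustration; the cipher is a stand-in and is not secure.

```python
# Toy ElGamal-style key wrapping over a prime field: illustration only,
# NOT secure and NOT the OpenPGP or S/MIME wire format.
import hashlib, hmac, secrets

P = 2**255 - 19  # known prime, used here only as a toy modulus (assumption)
G = 2

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)  # (private, public)

def key_id(pub):
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]

def _kek(shared):
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _stream(key, n):  # SHA-256 counter keystream (toy body cipher)
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(message, recipient_pubs, hide_recipients=False):
    session = secrets.token_bytes(32)  # one random key encrypts the body once
    blobs = []
    for pub in recipient_pubs:  # one wrapped copy of that key per recipient
        r = secrets.randbelow(P - 2) + 1
        kek = _kek(pow(pub, r, P))
        blobs.append({"key_id": None if hide_recipients else key_id(pub),
                      "eph": pow(G, r, P),
                      "wrapped": _xor(session, kek),
                      "tag": hmac.new(kek, session, hashlib.sha256).digest()})
    return {"body": _xor(message, _stream(session, len(message))), "blobs": blobs}

def visible_recipients(msg):  # what anyone holding the ciphertext can read
    return [b["key_id"] for b in msg["blobs"] if b["key_id"]]

def decrypt(msg, priv, pub):
    for blob in msg["blobs"]:
        if blob["key_id"] not in (None, key_id(pub)):
            continue  # labelled for someone else
        kek = _kek(pow(blob["eph"], priv, P))  # for an unlabelled blob this is a trial decryption
        session = _xor(blob["wrapped"], kek)
        if hmac.compare_digest(blob["tag"], hmac.new(kek, session, hashlib.sha256).digest()):
            return _xor(msg["body"], _stream(session, len(msg["body"])))
    return None
```

With key IDs hidden, a holder of several keys has to call decrypt once per key, and the number of blobs still shows how many recipients the message has.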