Re: On email and web security
Doug Barton <dougb@dougbarton.us> Wed, 13 January 2016 06:33 UTC
Return-Path: <dougb@dougbarton.us>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C9661A1DBE for <ietf@ietfa.amsl.com>; Tue, 12 Jan 2016 22:33:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YvrZovepbAxG for <ietf@ietfa.amsl.com>; Tue, 12 Jan 2016 22:33:40 -0800 (PST)
Received: from dougbarton.us (dougbarton.us [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFEBC1A1DBC for <ietf@ietf.org>; Tue, 12 Jan 2016 22:33:40 -0800 (PST)
Received: from [IPv6:2001:4830:1a00:8056:c81f:f662:7a0c:c015] (unknown [IPv6:2001:4830:1a00:8056:c81f:f662:7a0c:c015]) by dougbarton.us (Postfix) with ESMTPSA id 137EC39D07; Wed, 13 Jan 2016 06:33:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dkim; t=1452666820; bh=v//dNsAB2Kf4p0xSyJ8Oyg3qVunnsiLNj5WB9qgtNNQ=; h=Subject:To:References:Cc:From:Date:In-Reply-To; b=LZ7/cZoUKlbZXjoV4u+3ehzeqLYJRZ1JYZOqeZ391skIBhHWy/XiKRau8cy+B1Pzr CaW5e3UWzTVNzUUQ9qJS4VNh+8hMlm3iamDJ5VH+W6JP3Ysvvd4HOS6ExtsU33JYXK YWOwPr4EiX+kwOaoh6MV/t1IZ4Y0bJ0sMwixd0q8=
Subject: Re: On email and web security
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <304F200F-CF0B-4C23-91F9-BFC06C41BDA8@cisco.com> <5686E386.70008@gmail.com> <CAMm+LwhExTXC6xWDbR0Q5owi45UfBAgR+Z96p4BJWi-_5Q5tXA@mail.gmail.com> <DB4PR06MB4571A77D35C4B525CE73398ADF00@DB4PR06MB457.eurprd06.prod.outlook.com> <CAMm+Lwh_6EP4d4tW8CgKZm36De7rO3VCbrBwa+1PGp9M2F4KLQ@mail.gmail.com> <5695A941.1010501@dougbarton.us> <CAMm+LwiJi+ecYU9edkTJ30rTWtRcarUD2BBYfyvRedRvVzcV5Q@mail.gmail.com>
From: Doug Barton <dougb@dougbarton.us>
Openpgp: id=E3520E149D053533C33A67DB5CC686F11A1ABC84
X-Enigmail-Draft-Status: N1110
Message-ID: <5695EFC1.7070708@dougbarton.us>
Date: Tue, 12 Jan 2016 22:33:37 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <CAMm+LwiJi+ecYU9edkTJ30rTWtRcarUD2BBYfyvRedRvVzcV5Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/jA6c6Wa22a6mqqwVXFVlHfyt9Ko>
Cc: IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 06:33:42 -0000
On 01/12/2016 06:27 PM, Phillip Hallam-Baker wrote: > On Tue, Jan 12, 2016 at 8:32 PM, Doug Barton <dougb@dougbarton.us> wrote: >> On 01/02/2016 09:13 AM, Phillip Hallam-Baker wrote: >>> >>> On Sat, Jan 2, 2016 at 2:25 AM, <l.wood@surrey.ac.uk> wrote: >>>> >>>> >>>> "If Alice wants to encrypt the message for a group of people, she has to >>>> encrypt the message for every member of the group." >>>> >>>> really? not encrypt the message to a random key, then encrypt that key >>>> separately to each member? much less processing... >>> >>> >>> That is how it is done under the covers, yes. But that is the sort of >>> optimization that I assume everyone knows. >>> >>> >>> With standard S/MIME or PGP, the final message has a decryption blob >>> for every recipient. So if you are sending to the IETF list, there are >>> three consequences: >>> >>> 1) The sender has to know the entire recipient list >>> 2) Every message sent reveals the entire recipient list >> >> >> Not necessarily ... there are ways to encrypt a message without revealing >> the encryption keys that it was encrypted to. They are slightly messier for >> each list member to decrypt if they have multiple keys, but for users who >> only have single keys they are actually quite painless. > > Not without modifying the specs and the apps you can't. If you are > going to do that then proxy recryption does exactly what you want. It's in GnuPG for years now: --throw-keyids Do not put the recipient key IDs into encrypted messages. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. ([Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.]) On the receiving side, it may slow down the decryption process because all available secret keys must be tried. There is another option as well that works similarly, but for single recipients. >>> 3) The recipient list cannot be expanded after the message is sent >> >> >> That's no worse than current mailing list software. >> >>> Using the recryption approach, the sender only encrypts the message >>> once, to the key corresponding to the group (or security label if you >>> want to think of it that way). So messages don't disclose anything >>> about the other list members. >>> >>> This isn't just better security, it is a lot easier to implement >>> because senders don't need extraneous information. It is also more >>> manageable because a member added to the list after the fact can read >>> all the messages in the archive. >> >> >> Doesn't this require each member to have the group's private key so that >> they can decrypt the messages? > > No, each user has their own private key. It is supplied by the group > admin when they subscribed or it is encrypted under their public key > and sent out with each message. So they have *a* private key for the list, just not necessarily *the* private key. I suppose that might make it easier to revoke someone's read access after they've been removed from the list ... it also means they can't read anything from before they joined, unless the archives get re-encrypted. >> I thought (but have not verified) that such >> systems decrypt the message with the group's private key, then re-encrypt it >> to the public keys of the list members at that point in time. > > That is what my understanding of how it is done today by the systems > out there. What I am saying is that twenty years ago Matt Blaze showed > us a better scheme and nobody seemed to notice the importance at the > time. > > >> That would mean of course that you would only be able to decrypt messages >> from the time period where you were a member of the list. > > If you use the old technology, that is one of the problems. Well, yeah. :) Did I miss a proposal for new tech? > The other > is that you have to find someone you trust to run the mailing list or > the jabber contact service or whatever. Well that's a given no matter what solution you choose. If you're relying on someone else to do encryption on your behalf, you have to trust them. But that's a marginal increase in trust compared to running a non-encrypted list in the first place. Doug
- On email and web security Fred Baker (fred)
- Re: On email and web security Paul Wouters
- Re: On email and web security Kathleen Moriarty
- Re: On email and web security Fernando Gont
- Re: On email and web security IETF Chair
- Re: On email and web security John Levine
- Re: On email and web security Michael Richardson
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Doug Royer
- Re: On email and web security Doug Royer
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security l.wood
- Re: On email and web security Steve Crocker
- Re: On email and web security John Levine
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Doug Barton
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Doug Barton
- Re: On email and web security Dave Cridland
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security Doug Barton
- Re: On email and web security Doug Royer
- Re: On email and web security Matthew Kerwin
- Re: On email and web security Doug Royer
- Re: On email and web security John Levine
- Re: On email and web security Doug Barton
- Re: On email and web security John Levine
- Re: On email and web security Doug Barton
- Re: On email and web security Phillip Hallam-Baker
- Re: On email and web security George Michaelson