Re: Why are mail servers not also key servers?

Doug Royer <douglasroyer@gmail.com> Thu, 27 April 2017 00:28 UTC

Subject: Re: Why are mail servers not also key servers?
To: ietf@ietf.org
References: <849511c0-6526-ecbe-2b56-7b459eaf010b@hawaii.edu> <25a21fd6-467f-40c7-a16d-644b90e87574@dcrocker.net>
From: Doug Royer <douglasroyer@gmail.com>
Organization: http://SoftwareAndServices.NET
Message-ID: <737251d5-3684-4d22-93f7-0dfdc19efaad@gmail.com>
Date: Wed, 26 Apr 2017 18:28:40 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.0
MIME-Version: 1.0
In-Reply-To: <25a21fd6-467f-40c7-a16d-644b90e87574@dcrocker.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060509090708050106050006"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/kDPikBxWfJKBWRiX-fzIVqYSmWk>

On 04/26/2017 03:12 PM, Dave Crocker wrote:
> On 4/20/2017 6:20 AM, Jon wrote:
>> So, why hasn't key exchange been made to
>> be transparent? Why are (E)SMTP servers not also key servers?
> 
> 
> SMTP is a transfer protocol, for sending a specialized 'file' /to/ a 
> server.  A key server needs a query transaction, to get small bits of 
> data /from/ a server.  They are fundamentally different interaction 
> service models.

Yes.

From an implementation point of view the MX/MTA is currently the only 
'authority' for what is a known email for a domain.

LDAP is generally not exposed to the Internet.

I understand that if a new non-MX/MTA protocol is designed, any 
compliant MUA and MTA would have to be rewritten, along with a new key 
server.

I was thinking that having them combined would be less new code and 
typing :-)

> A closer approximation would be DNS, which perhaps explains DKIM and 
> DANE, as has been cited in this thread.  (However they are at the domain 
> level and you appear to be targeting per-user keys, given the PGP 
> reference.  That's a much harder problem.)
> 
> The deeper concern is the apparent view that lack of key servers is the 
> limiting factor in use of encryption.  Typically, the problem is 
> assessed as usability -- key management on the infrastructure side, and 
> end-user interface on the apps side.

I tend to believe the deeper concern is the lack of any standard way to 
get an individual's key. Once a protocol exists, then the MUAs can 
implement it. And there should be NO UI issue. User enters the 
destination email address, user says encrypt this, it works or is told 
the destination email has no cert available.


-- 

Doug Royer - (http://DougRoyer.US  http://goo.gl/yrxJTu )
DouglasRoyer@gmail.com
714-989-6135
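An added example, not from this thread or its authors, of the per-user key lookup that DANE already specifies on top of DNS (RFC 7929 OPENPGPKEY and RFC 8162 SMIMEA), which is the DNS direction Dave points at and the "key or no key" MUA flow Doug describes; the optional live query assumes dnspython is installed and a DNSSEC-validating resolver is configured.

```python
"""Derive the per-user DANE owner names (RFC 7929 OPENPGPKEY, RFC 8162
SMIMEA) for an email address and, optionally, query them with DNSSEC."""
import hashlib

# Label under which each record type lives below the recipient's domain.
_LABEL = {"openpgpkey": "_openpgpkey", "smimea": "_smimecert"}


def dane_owner_name(address: str, record: str = "openpgpkey") -> str:
    """Owner name the recipient's domain would publish the key under.
    Both RFCs hash the local-part with SHA-256, keep the first 28 octets
    (56 hex characters) and append ._openpgpkey. or ._smimecert. plus the
    domain. The local-part is hashed exactly as given: RFC 7929 does not
    case-fold it, so Abc@ and abc@ map to different names."""
    local_part, at, domain = address.rpartition("@")
    if not (local_part and at and domain):
        raise ValueError(f"not an addr-spec: {address!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{_LABEL[record]}.{domain}"


def lookup_user_key(address: str, record: str = "openpgpkey"):
    """The MUA step from the thread: either a key comes back or the user
    is told none is published. Returns (status, detail).
    Assumption: dnspython (import name 'dns') is installed."""
    try:
        import dns.flags
        import dns.resolver
    except ImportError:
        return ("unavailable", "dnspython not installed")
    name = dane_owner_name(address, record)
    resolver = dns.resolver.Resolver()
    resolver.use_edns(0, dns.flags.DO, 1232)  # request DNSSEC data
    try:
        answer = resolver.resolve(name, record.upper())
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return ("no-key", f"{name} has no {record.upper()} record")
    if not answer.response.flags & dns.flags.AD:
        # RFC 7929 requires DNSSEC validation: an unauthenticated answer
        # is not a key, it is an unverified blob from the network.
        return ("unverified", "answer was not DNSSEC-validated")
    return ("key", [rdata.to_text() for rdata in answer])


if __name__ == "__main__":
    print(dane_owner_name("hugh@example.com"))
    print(lookup_user_key("hugh@example.com"))
```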