Re: Threat model

[Doug Barton <dougb@dougbarton.us>]

On 03/13/2016 08:40 AM, John C Klensin wrote:
> Part 2 of 2 -- see introduction to immediately prior note.
>
> --On Saturday, March 12, 2016 12:15 PM -0800 Doug Barton
> <dougb@dougbarton.us> wrote:
>
>> Given that the DNS RR in question is something the end user
>> has to explicitly request, the danger is not immediately
>> obvious to me.
>
> --On Saturday, March 12, 2016 4:09 PM -0500 Paul Wouters
> <paul@nohats.ca> wrote:
>
>> 2 In an email server has paul@nohats.ca and Paul@nohats.ca,
>> AND these are different users, then instead of JUST mailing
>> the wrong user in plaintext, the wrong user is emailed
>> encrypted to that user. This is functionaly still better than
>> the current deployment, since only 1 wrong user can see the
>> (encrypted) email instead of everyone on the path plus the
>> user who can see the never-encrypted email.
>
> That depends entirely on the threat model you are concerned
> about.   I (and others) have repeatedly asked that you be
> explicit in the I-D about applicable threat models (aka "the
> problem you are trying to solve") in more specificity then you
> have now and that you see if you can get consensus.   If the
> goal is to try to get more email on the Internet encrypted as an
> "opportunistic" matter, then certainly your reasoning is
> correct, perhaps modulo one other issue.

I agree that the draft needs to spell this out in more detail.

> In our quest for more privacy, language like "everyone on the
> path" implies something similar to letters being posted in shop
> windows for public viewing before being delivered (or as a means
> of delivery).  The reality is the most ISPs, and most operators
> of mail servers and relays, take at least some measures (often
> strong ones) to ensure that the collection of people who can get
> to a message in transit is very restricted and a lot short of
> "everyone".  Yes, those measures, and the ISPs and mail
> providers themselves, can be subverted or forced to expose
> message traffic, but the parties who can do that aren't
> "everyone" either.  If one is interested in attacks from them
> --either on you or as part of a pervasive surveillance effort--
> then the threat model changes quite a bit.

Paul has a point here. For good reasons or ill, the number of "eyes" 
(where "eyes" can also be various forms of machine tools) "on the path" 
can be non-trivial.

It's also worth reiterating one of his points ... the risk to neither 
the sending nor the receiving user is not increased, and may in fact be 
decreased, by the mechanism described in the draft. Do you believe 
differently? (Note, I'm not asking about your analysis of the relative 
"worth" of the decrease. I'm only interested in whether you see that 
there is a decrease, or more significantly, if you see an increase in 
risk, and why.)

> In particular, if a user has a sensitive information to
> transmit, information that will not be transmitted at all unless
> there is high assurance that it will go encrypted and encrypted
> in the key of the right party, then the choice between "one
> wrong person sees it" and "everyone sees it" is a not-starter.

I disagree quite strongly with your assessment here.

Further, your caveat of "encrypted in the key of the right party" by 
definition precludes using OPENPGPKEY as the sole point of information 
in determining said key, which renders your argument here moot.

Doug