IETF Logo Mail Archive

Re: Proposed Proposed Statement on e-mail encryption at the IETF

Russ Housley <housley@vigilsec.com> Tue, 02 June 2015 14:08 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA3C31AC3B3 for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 07:08:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MjPaXAfjPdkt for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 07:08:04 -0700 (PDT)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 3D6311ABC10 for <ietf@ietf.org>; Tue, 2 Jun 2015 07:07:40 -0700 (PDT)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id BC48E9A401A; Tue, 2 Jun 2015 10:07:29 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id NRF8bOitAbCD; Tue, 2 Jun 2015 10:06:29 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 489D69A400D; Tue, 2 Jun 2015 10:07:29 -0400 (EDT)
Subject: Re: Proposed Proposed Statement on e-mail encryption at the IETF
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: multipart/signed; boundary="Apple-Mail-217--319694698"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <DD88F4E4-6BBA-4610-BB49-3158A26DF55B@hopcount.ca>
Date: Tue, 02 Jun 2015 10:07:18 -0400
Message-Id: <4D7CDD5E-5D04-4024-BE88-6248B54D6381@vigilsec.com>
References: <DD88F4E4-6BBA-4610-BB49-3158A26DF55B@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/uxxMcYYpmUAguu9wR8JpInh0T7U>
Cc: IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 14:08:05 -0000

Joe:

Some mail lists are configures to add a suffix to the message.  Others, like this one, do not.

Adding a suffix changes the content, and that action is guaranteed to break a signature.

Russ


On Jun 2, 2015, at 9:44 AM, Joe Abley wrote:

> Hi all,
> 
> All this "HTTPS everywhere" mail collided for me this morning with a similar avalanche of press about Facebook's freshly-announced use of PGP:
> 
> https://www.facebook.com/notes/protecting-the-graph/securing-email-communications-from-facebook/1611941762379302
> 
> Mail to public mailing lists can already be signed (like this one is). It'd be nice if mailman didn't MITM the signed content, so that the signature can be validated. (Perhaps it will; I will find out after I hit send.) There's lots of other mail from individuals to closed groups like the IAB and the IESG and from IETF robots to individuals that *could* be encrypted, or at least signed. There is work here that *could* be done.
> 
> If the argument that we should use HTTPS everywhere (which I do not disagree with) is reasonable, it feels like an argument about sending encrypted e-mail whenever possible ought to be similarly reasonable. Given that so much of the work of the IETF happens over e-mail, a focus on HTTP seems a bit weird.
> 
> Note that this is not an attempt to start a conversation about whether PGP is usable, or whether S/MIME is better. I will fall off my chair in surprise if it doesn't turn into one, though.
> 
> 
> Joe

v2.23.0 | Report a Bug | By Email