Re: 0, 1, or many standards and their impact (or not)
Phillip Hallam-Baker <hallam@gmail.com> Wed, 04 December 2013 03:00 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E1091AE019 for <ietf@ietfa.amsl.com>; Tue, 3 Dec 2013 19:00:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C06A1l4jBtRy for <ietf@ietfa.amsl.com>; Tue, 3 Dec 2013 19:00:02 -0800 (PST)
Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) by ietfa.amsl.com (Postfix) with ESMTP id 9C3ED1ADFAD for <ietf@ietf.org>; Tue, 3 Dec 2013 19:00:01 -0800 (PST)
Received: by mail-wg0-f48.google.com with SMTP id z12so14518566wgg.27 for <ietf@ietf.org>; Tue, 03 Dec 2013 18:59:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=E8rLdMny3ckyNmFYDTIb3UcKvuv0HSOxB8zgLjlCZxk=; b=savDirweFzPXwMRZmsD0JSwMpwuP+SGvGYRAIuNIZpWeoNWUffM29KNWtiB+wR/bsQ m1yGMem7yYe65WQnwFmy3pYpPrf3ykQjxpL3B5o+gvPqjlHr+iG8VivqKIet7Ag0akTr n4XBTQKtj84rms0y6hG8cVa1gRK0r6cCTLIIhq4juZ4PhfpRTOAp+smL0zZXqNTnHHwV t6LyuMkjSNDlloMBsQ0DBJ3zSz7zwe1UV1kCxzbgbRxlYW3dchuVryESlcPMcVN1CUJi l0vpoIQNnPxFHMGIqieoDIJ+kiYnOUej6wS8+TD51R4Mu4yyDi/4vVaynUdUTGiG4Q/t QTpw==
MIME-Version: 1.0
X-Received: by 10.180.210.232 with SMTP id mx8mr5173825wic.34.1386125998108; Tue, 03 Dec 2013 18:59:58 -0800 (PST)
Received: by 10.194.243.136 with HTTP; Tue, 3 Dec 2013 18:59:57 -0800 (PST)
In-Reply-To: <529DF90D.3030908@cisco.com>
References: <DUB127-W23531D0E8B15570331DB51E0EE0@phx.gbl> <52974AA8.6080702@cisco.com> <1F79045E-8CD0-4C5D-9090-3E82853E62E9@nominum.com> <52976F56.4020706@dcrocker.net> <3CD78695-47AD-4CDF-B486-3949FFDC107B@nominum.com> <949EF20990823C4C85C18D59AA11AD8B0EF1B8@FR712WXCHMBA11.zeu.alcatel-lucent.com> <D45703FF-109A-4FFF-92E9-1CC7767C52F7@nominum.com> <CAP+FsNc=cGhOJNTwXY1z-5ZjisOOvX=EOYEf3htGXGcWRKBf6g@mail.gmail.com> <529CF5F1.9000106@dcrocker.net> <CAMm+LwjCvzDgWTi9mqgvWCoCyRhB+4c8QoaaPQtk=xkBcXMtZA@mail.gmail.com> <529DF90D.3030908@cisco.com>
Date: Tue, 03 Dec 2013 21:59:57 -0500
Message-ID: <CAMm+Lwhs+TkU7A5X-E=abF4DZOo9hvVJ+c_5PrQMXGdYDETQjg@mail.gmail.com>
Subject: Re: 0, 1, or many standards and their impact (or not)
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Eliot Lear <lear@cisco.com>
Content-Type: multipart/alternative; boundary="001a11c3337abb39f604ecac9b12"
Cc: Dave Crocker <dcrocker@bbiw.net>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 03:00:04 -0000
On Tue, Dec 3, 2013 at 10:30 AM, Eliot Lear <lear@cisco.com> wrote: > > On 12/3/13 12:46 PM, Phillip Hallam-Baker wrote: > > > And twenty years later the market still hasn't decided between S/MIME > and PGP. > > > I agree with Jim that having two standards in this space has mattered not > one bit. There are many reasons why email simply isn't encrypted. First, > it's hard to get a key. Second, those who are in a position to simply dole > them out don't as it provides no value to them. Third, there is no > deployed directory infrastructure to find someone else's key. Forth, if > there was one, it would result in defeating of common > anti-spam/anti-malware tools. > All true. But I think the reason neither camp has tried to address them is that they think the real problem is that the other is confusing the market. Comodo and another CA actually do dole the keys out (or at least sign them) for free. But that isn't the real problem. The real problem is that it is a complete pain to register for the key even if that is free and it only lasts a year when you do. So for most people they spend fifteen minutes setting up encryption, use it once or twice and the next time they want to use it their certificate has expired. There are a lot of problems here, but I think they can all be solved. In fact I think I have already solved them. 1) The keygen tool I have written generates keys and will in the future configure an email client to use them to decrypt mail. 2) Strong email addresses mean that it is easy to use the key since it combines the fingerprint for verifying the public key and the location at which to discover it. There is no need for any external infrastructure except for the ability to publish the public key and policy blob on a Web site. 3) The Web and .well-known is all we need for this. If the strong email address is <fingerprint>?alice@example.com, then the public key blob can be found at http://example.com/.well-known/ni/ <fingerprint> 4) Spam, shmam. it really isn't as much as a problem as you might think since we assume anyone who is going to send encrypted email is going to have the means to sign it. If we can sign the email we can use their reputation. All that end to end encryption defeats is content analysis. Which is no real loss because spam filtering hasn't relied on content analysis for a very long time now. <fingerprint> is the hash of a public key. It is best if this is a long term key that is used to sign use keys with finite lifespans. This would normally be an encryption keypair shared across all devices and a signature keypair per device. The long term master key can also sign a policy statement that specifies how the keys should be used. The policy can include statements like 'always send encrypted mail if you can' to 'send mail encrypted only after specific authorization'. In the longer term I am expecting that we will establish an infrastructure for key distribution that combines CA issued trust with peer endorsement and has strong timestamping. With that infrastructure deployed I can have policy statements of the form 'encrypted email preferred but only send encrypted if you have a key older than at least a year. -- Website: http://hallambaker.com/
- Re: Alternative decision process in RTCWeb Jari Arkko
- Alternative decision process in RTCWeb Gonzalo Camarillo
- Re: Alternative decision process in RTCWeb Eliot Lear
- Re: Alternative decision process in RTCWeb Dave Cridland
- Re: Alternative decision process in RTCWeb Eric Burger
- Re: Alternative decision process in RTCWeb Dave Cridland
- A few thoughts on processes WAS (Re: Alternative … Gonzalo Camarillo
- Re: Alternative decision process in RTCWeb Eric Burger
- Re: Alternative decision process in RTCWeb Eliot Lear
- Re: Alternative decision process in RTCWeb Dave Cridland
- Re: Alternative decision process in RTCWeb Dave Crocker
- Re: Alternative decision process in RTCWeb Eric Rescorla
- Re: Alternative decision process in RTCWeb Dave Cridland
- Re: Alternative decision process in RTCWeb Ted Lemon
- Re: Alternative decision process in RTCWeb Sam Hartman
- Re: Alternative decision process in RTCWeb Eric Rescorla
- Re: Alternative decision process in RTCWeb Dave Crocker
- Re: Alternative decision process in RTCWeb Cullen Jennings
- Re: Alternative decision process in RTCWeb Dave Cridland
- Re: Alternative decision process in RTCWeb Ted Lemon
- Re: Alternative decision process in RTCWeb Melinda Shore
- Re: Alternative decision process in RTCWeb Tim Bray
- Re: Alternative decision process in RTCWeb Yoav Nir
- Re: Alternative decision process in RTCWeb Michael Richardson
- Re: Alternative decision process in RTCWeb Ted Lemon
- RE: [rtcweb] Alternative decision process in RTCW… Bernard Aboba
- Re: Alternative decision process in RTCWeb Phillip Hallam-Baker
- Re: Alternative decision process in RTCWeb Phillip Hallam-Baker
- Re: Alternative decision process in RTCWeb Carsten Bormann
- Re: [rtcweb] Alternative decision process in RTCW… Ted Lemon
- Re: [rtcweb] Alternative decision process in RTCW… Roberto Peon
- Re: Alternative decision process in RTCWeb Dave Cridland
- Re: Alternative decision process in RTCWeb Stephan Wenger
- Re: Alternative decision process in RTCWeb Roger Jørgensen
- Re: Alternative decision process in RTCWeb Harald Alvestrand
- Re: Alternative decision process in RTCWeb Dave Crocker
- Re: Alternative decision process in RTCWeb Joel M. Halpern
- Re: Alternative decision process in RTCWeb Bjoern Hoehrmann
- Re: Alternative decision process in RTCWeb Melinda Shore
- Re: Alternative decision process in RTCWeb Eric Burger
- Re: Alternative decision process in RTCWeb Ofer Inbar
- Re: Alternative decision process in RTCWeb Phillip Hallam-Baker
- Re: Alternative decision process in RTCWeb cb.list6
- Re: Alternative decision process in RTCWeb Ted Hardie
- Re: Alternative decision process in RTCWeb Melinda Shore
- Re: Alternative decision process in RTCWeb Scott O. Bradner
- Re: Alternative decision process in RTCWeb Eric Burger
- Re: Alternative decision process in RTCWeb Paul Hoffman
- Re: Alternative decision process in RTCWeb Ted Hardie
- Re: Alternative decision process in RTCWeb Avri Doria
- RE: [rtcweb] Alternative decision process in RTCW… DRAGE, Keith (Keith)
- Re: [rtcweb] Alternative decision process in RTCW… Mary Barnes
- Re: Alternative decision process in RTCWeb Cullen Jennings (fluffy)
- Re: [rtcweb] Alternative decision process in RTCW… Ron
- Re: Alternative decision process in RTCWeb cb.list6
- Daughter of CODEC (was Re: Alternative decision p… Eric Burger
- Re: Daughter of CODEC (was Re: Alternative decisi… cb.list6
- Re: Daughter of CODEC (was Re: Alternative decisi… Mary Barnes
- Re: Alternative decision process in RTCWeb Carsten Bormann
- Re: Alternative decision process in RTCWeb Dave Crocker
- Re: Daughter of CODEC (was Re: Alternative decisi… Phillip Hallam-Baker
- Re: [rtcweb] Alternative decision process in RTCW… Bjoern Hoehrmann
- Re: [rtcweb] Alternative decision process in RTCW… Phillip Hallam-Baker
- Re: Alternative decision process in RTCWeb Pete Resnick
- Re: Alternative decision process in RTCWeb Phillip Hallam-Baker
- Re: Alternative decision process in RTCWeb Jari Arkko
- Re: [rtcweb] Alternative decision process in RTCW… Dave Crocker
- Re: Daughter of CODEC (was Re: Alternative decisi… Eric Burger
- Re: Alternative decision process in RTCWeb Sam Hartman
- Re: [rtcweb] Alternative decision process in RTCW… Sam Hartman
- Re: [rtcweb] Alternative decision process in RTCW… Bjoern Hoehrmann
- Re: [rtcweb] Alternative decision process in RTCW… Martin Thomson
- Re: Alternative decision process in RTCWeb Ofer Inbar
- Re: [rtcweb] Alternative decision process in RTCW… Stephan Wenger
- Re: [rtcweb] Alternative decision process in RTCW… Phillip Hallam-Baker
- Re: [rtcweb] Alternative decision process in RTCW… Harald Alvestrand
- Re: [rtcweb] Alternative decision process in RTCW… Ted Lemon
- Re: [rtcweb] Alternative decision process in RTCW… Eric Burger
- Re: [rtcweb] Alternative decision process in RTCW… Jim Gettys
- 0, 1, or many standards and their impact (or not) Eliot Lear
- Re: [rtcweb] Alternative decision process in RTCW… Hector Santos
- Re: 0, 1, or many standards and their impact (or … Phillip Hallam-Baker
- Re: [rtcweb] Alternative decision process in RTCW… Phillip Hallam-Baker
- Re: Daughter of CODEC (was Re: Alternative decisi… Peter Saint-Andre
- Re: [rtcweb] Alternative decision process in RTCW… Jari Arkko
- Re: Daughter of CODEC (was Re: Alternative decisi… Gonzalo Camarillo
- Re: [rtcweb] Alternative decision process in RTCW… Eric Burger
- Re: Daughter of CODEC (was Re: Alternative decisi… Richard Barnes
- Re: [rtcweb] Alternative decision process in RTCW… Phillip Hallam-Baker
- Re: [rtcweb] Alternative decision process in RTCW… David Singer
- Re: Daughter of CODEC (was Re: Alternative decisi… Cullen Jennings (fluffy)
- Re: A few thoughts on processes WAS (Re: Alternat… Eliot Lear
- Re: A few thoughts on processes WAS (Re: Alternat… Harald Alvestrand
- Re: A few thoughts on processes WAS (Re: Alternat… Dave Crocker
- Re: A few thoughts on processes WAS (Re: Alternat… Gonzalo Camarillo
- Re: A few thoughts on processes WAS (Re: Alternat… Spencer Dawkins at IETF
- Re: Daughter of CODEC (was Re: Alternative decisi… Timothy B. Terriberry