Re: [Medup] On Extra Keys in pEp (Neal H. Walfield)
"Neal H. Walfield" <neal@walfield.org> Wed, 05 April 2023 18:08 UTC
Return-Path: <neal@walfield.org>
X-Original-To: medup@ietfa.amsl.com
Delivered-To: medup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B778CC15152E for <medup@ietfa.amsl.com>; Wed, 5 Apr 2023 11:08:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TEn31xtOWXFm for <medup@ietfa.amsl.com>; Wed, 5 Apr 2023 11:08:03 -0700 (PDT)
Received: from mail.dasr.de (mail.dasr.de [202.61.250.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F12CC1522D3 for <medup@ietf.org>; Wed, 5 Apr 2023 11:08:02 -0700 (PDT)
Received: from [151.83.252.86] (helo=enkidu.walfield.org) by mail.dasr.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1pk7Y7-0007jA-Sh; Wed, 05 Apr 2023 20:07:59 +0200
Date: Wed, 05 Apr 2023 20:07:59 +0200
Message-ID: <87bkk2mccg.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Metin Savignano <ms@savignano.net>
Cc: medup@ietf.org
In-Reply-To: <B15EED08-30E1-4EEF-BAFE-43625B60CA82@savignano.net>
References: <mailman.84.1680202803.50554.medup@ietf.org> <B15EED08-30E1-4EEF-BAFE-43625B60CA82@savignano.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (Gojō) APEL-LB/10.8 EasyPG/1.0.0 Emacs/28.2 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="ISO-8859-7"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/medup/ij16_dt3BIiBzRp4tY4a7YxAiqg>
Subject: Re: [Medup] On Extra Keys in pEp (Neal H. Walfield)
X-BeenThere: medup@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Missing Elements for Decentralized and Usable Privacy <medup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/medup>, <mailto:medup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/medup/>
List-Post: <mailto:medup@ietf.org>
List-Help: <mailto:medup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/medup>, <mailto:medup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2023 18:08:08 -0000
On Fri, 31 Mar 2023 10:19:07 +0200, Metin Savignano wrote: > I hope it's okay when I jump in to share my thoughts. I'm happy you did. > >> [snip] > >> > >> // Ensure we don't encrypt to extra keys if this is a non-org account > >> if (!(target_id->flags & PEP_idf_org_ident)) > >> extra = NULL; > >> > >> [/snip] > > ... > However, I’d like to make one step back and ask: why do we need the extra key for that scenario? > > The reason I’m asking is that this requirement is not new at all, and the solution to it that I am aware of is that the organization must keep a copy of the private key of all its users. > > That’s why it's recommended to split keys between signing keys and encryption keys: so the organization can keep a copy of the private key, but not of the signing key, which allows it to decrypt messages, but not to step into the user’s identity. > > So I think the solution should be to allow the organization to get the private key, shouldn’t it? Or am I missing something here? Key escrow is a possible solution to this problem. But, some organizations don't want it, and if it is possible to come up with alternative approaches that also satisfy other requirements like archiving, and out-of-office employees then we should. One of the problems that extra keys solves (I think) is that it provides visibility to the sender that their message may be read by someone else without the recipient having to actively pass it on to the third party. I'd argue that this is a good property, and I think that is what Hernani is referring to when he wrote: > UX-wise it's also important that the employees > clearly see that the outgoing messages are also encrypted to an > *additional* key. Neal
- Re: [Medup] On Extra Keys in pEp (Neal H. Walfiel… Metin Savignano
- Re: [Medup] On Extra Keys in pEp (Neal H. Walfiel… Neal H. Walfield