Re: [openpgp] OpenPGP private certification
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 08 April 2015 14:15 UTC
On Wed, Apr 8, 2015 at 9:35 AM, Werner Koch <wk@gnupg.org> wrote:
> On Wed, 8 Apr 2015 15:05, phill@hallambaker.com said:
>
>> My point here is that if we want to get a billion people using
>> encrypted mail then it has to offer iPhone class usability, not OK for
>> 1990s usability.
>
> If that is the goal you only need to care about 140 character messages
> or other useless status messages ;-).
>
> Actually I prefer 1990s use of mail instead of today's 50% of mails are
> going through Compuserve^WGmail. But yeah, I am on a lost position with
> that.
>
>> There are plenty of ways that the scheme could be fixed. Since key
>> server enrollment can be made automatic, it would be pretty easy to
>> renew the enrollment once every n months and discard keys that have
>
> It is about mail. Mail addresses are defined by the DNS. Bind the keys
> to the DNS and you are done. This needs support from the mail
> providers, though.

I really don't like the use of the DNS for any scheme requiring more than host level granularity. We have tried to put user email addresses in the DNS from the very start [RFC1035]. It has never worked.

Personally, I believe that owning your personal DNS name is as important for security as having a keypair. I have a huge part of my brand invested in hallam@gmail.com which I don't own. Which is why I switched to phill@hallambaker.com for ietf work. But I have yet to win that argument.

I really don't like having ICANN as my root CA either. DNSSEC is a monolithic, single rooted scheme which I don't consider very trustworthy because of that.

We do need trust hierarchies for key management. But each individual should be the root of their personal hierarchy.

>> Having the key servers continue to regurgitate false or stale data
>> forever because there is no way to stop them does not seem like an
>> acceptable plan to me.
>
> Think of signature verification. It should work even after a mail/key
> association has been dissolved for example after a provider change. I
> agree that this is only a problem for a smaller group but this is
> something a keyserver network can be useful even after the migration of
> the public key store from keyserver to more controlled service (DNS,
> Web, whatever). Deleting keys from the keyservers is thus not going to
> work.

I don't think anyone has signature validation done right today. All signatures are broken unless they are enrolled in an append-only log.

To verify a signature, you need to go back in time to the point where the signature was created and check the signature in that time context.

This implies that all the cryptographic credentials should be enrolled as well. Which is something I am working on right now. But in JSON, not ASN.1.

The expiry of the hash chain patent is an opportunity to do interesting stuff that was encumbered before.
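
Added example, not part of the original message and not the design its author was working on: a minimal hash-chained, append-only log of JSON records in which both key credentials and signatures are enrolled, so a signature can be judged in the time context of its enrollment. The record fields (`type`, `key`, `sig`), the key id `K1` and the sample messages are constructed for illustration; checking the cryptographic signature itself is assumed to happen separately.

```python
import hashlib, json

GENESIS = "0" * 64  # constructed starting value for the chain

def _digest(prev, body):
    # Canonical JSON so the same record always hashes identically.
    data = json.dumps({"prev": prev, "body": body}, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()

def append(log, body):
    # Each entry commits to its predecessor; list position is logical time.
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "body": body, "hash": _digest(prev, body)})

def chain_intact(log):
    # Recompute every link; any edited, dropped or reordered entry breaks it.
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["hash"] != _digest(prev, e["body"]):
            return False
        prev = e["hash"]
    return True

def signature_valid_in_context(log, key_id, sig_hash):
    """True only if sig_hash was enrolled while key_id was enrolled and unrevoked."""
    if not chain_intact(log):
        return False
    key_live = False
    for e in log:
        b = e["body"]
        if b.get("key") != key_id:
            continue
        if b["type"] in ("key-enroll", "key-revoke"):
            key_live = b["type"] == "key-enroll"
        elif b["type"] == "sig-enroll" and b["sig"] == sig_hash:
            return key_live  # key state at the moment of enrollment
    return False  # never enrolled: no time context to check against

def demo():
    log, h = [], lambda m: hashlib.sha256(m).hexdigest()
    append(log, {"type": "key-enroll", "key": "K1"})
    append(log, {"type": "sig-enroll", "key": "K1", "sig": h(b"mail-1")})
    append(log, {"type": "key-revoke", "key": "K1"})
    append(log, {"type": "sig-enroll", "key": "K1", "sig": h(b"mail-2")})
    results = [signature_valid_in_context(log, "K1", h(m))
               for m in (b"mail-1", b"mail-2", b"mail-3")]
    log[0]["body"]["type"] = "key-revoke"  # rewrite history after the fact
    return results + [signature_valid_in_context(log, "K1", h(b"mail-1"))]
```

A signature enrolled before the revocation stays valid after the key is later revoked, one enrolled afterwards or never enrolled does not, and any rewrite of an earlier record invalidates the whole chain.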