Re: [openpgp] mailing list: managing the subscriber list
"Neal H. Walfield" <neal@walfield.org> Wed, 13 January 2016 15:30 UTC
Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CF8D1A90C6 for <openpgp@ietfa.amsl.com>; Wed, 13 Jan 2016 07:30:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.348
X-Spam-Level:
X-Spam-Status: No, score=0.348 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_DE=0.35, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2qp6d4XDD0pV for <openpgp@ietfa.amsl.com>; Wed, 13 Jan 2016 07:30:23 -0800 (PST)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) by ietfa.amsl.com (Postfix) with ESMTP id 53BEF1A902D for <openpgp@ietf.org>; Wed, 13 Jan 2016 07:30:23 -0800 (PST)
Received: from p5ddf94f7.dip0.t-ipconnect.de ([93.223.148.247] helo=mail.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from <neal@walfield.org>) id 1aJNNJ-0007vm-7P; Wed, 13 Jan 2016 15:30:17 +0000
Received: from [192.168.54.11] (helo=chu.huenfield.org) by mail.huenfield.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <neal@walfield.org>) id 1aJNNF-0002p3-Kn; Wed, 13 Jan 2016 16:30:17 +0100
Received: from localhost ([::1] helo=chu.huenfield.org.walfield.org) by chu.huenfield.org with esmtp (Exim 4.84) (envelope-from <neal@walfield.org>) id 1aJNNC-0005Im-4h; Wed, 13 Jan 2016 16:30:10 +0100
Date: Wed, 13 Jan 2016 16:30:10 +0100
Message-ID: <87pox54hvh.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <56943997.1000001@openfortress.nl>
References: <87ziwd3yrn.wl-neal@walfield.org> <56938B98.7000707@openfortress.nl> <87r3hn4tw2.wl-neal@walfield.org> <56943997.1000001@openfortress.nl>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (Gojō) APEL/10.8 EasyPG/1.0.0 Emacs/24.5 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-SA-Exim-Connect-IP: 192.168.54.11
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 17:06:47 +0000)
X-SA-Exim-Scanned: Yes (on mail.huenfield.org)
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/c_Cmer-S7hHHMpVi--wUvSp89Dw>
Cc: openpgp@ietf.org, Matthew Green <matthewdgreen@gmail.com>
Subject: Re: [openpgp] mailing list: managing the subscriber list
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 15:30:25 -0000
At Tue, 12 Jan 2016 00:24:07 +0100, Rick van Rein wrote: > > Thus, even though I realize it is not > > possible to completely protect the email addresses, I don't want to > > make it too easy to get them. > OK, so your target is to protect from passive observers. That is clear > enough. I want to protect the subscriber list from passive observers, but the message contents from active attackers (i.e., the same assurances that OpenPGP can provide). > > Likewise, I want to make it possible to protect the key ids as much as > > possible, which can be done using hidden recipients (i.e., using 0x0 > > for the key id in the PK-ESK packet). > I think that makes a lot of sense, the key ID being very similar to the > email address. > > On a side-note though :- it is trivial to use your existing key and > construct another ID for it; you can use the same key material and make > a self-signature with another timestamp. The result is a different > fingerprint and so another key ID. That might be helpful with your > obfuscation plans (blinding all but the last two bytes of the key > ID). I'm not sure how this helps. AIUI, the key id is used in the PK-ESK packet so that the OpenPGP implementation doesn't need to try to decrypt all PK-ESK packets with all available secret keys. This is not only potentially slow, but also annoying if the user has multiple passphrase-protected secret keys or secret keys on smartcards. In other words, including the key id in the PK-ESK packet improves usability for the *message recipient*. If the message recipient wants to hide the key id, then the message recipient can use your trick locally; there is no need to add this to a standard or the mailing list software implementation. > Note that it should also possible to take the subkey and hang it under > another public signing key. That was one of my concrete proposals for saving the subscribers in my mail from a few days ago: http://mailarchive.ietf.org/arch/msg/openpgp/UuWVSrMu8LEdChEBQgEpBtQR3-Y > You said you lack experience in RFC authoring; if you want to take that > route you probably don't want to overload a given key ID field with > other meaning but instead want to define a new one which simply has two > bytes only or which has a variable size, perhaps prefixed with up to 8 > bits "0" and 1 bit "1" to mark the start of a variable-sized ending of > the key ID. Again, a driving concern is backwards compatibility and, if I understand your suggestion correctly, you are suggesting a non-backwards compatible change. Perhaps this extension is useful to consider for 4880bis. > > There are two types of re-encryption that I think are inappropriate: > > > > - when the mailing list software decrypts and reencrypts each > > message before forwarding it on to the list of subscriber, and, > > You specified below that this is because you consider the system running > your mailing list to be part of the passive observation infrastructure. If I did, then I misstated my position. I consider the system running the mailing list software to be a potentially active adversary. > > The problem with the mailing list software having access to the > > cleartext is that the mailing list server becomes part of the trusted > > computing base (TCB), which is often undesirable, because we'd like to > > have some untrusted party provide and manage our infrastructure. > > Note: this has nothing to do with the list owner, who, I assume, is > > part of the TCB. > > OK, you are mistrusting the hosting provider. This will be virtually > impossible to do really well, but if it is possible then crypto is the > answer. A non-technical answer to that is "pay them enough so they will > want to behave". Another might be to spread the power over a number of > partial providers. And this quickly brings you to a distributed scheme, > such as a p2p network. For the purposes of this exercise, I want to trust the mail server as much as a normal OpenPGP user trusts an SMTP server. Namely, an OpenPGP user reveals the list of recipients to the SMTP server and relies on the server to forward the encrypted message. I realize that there are other approaches that reveal less meta-data, but insofar as they exist today, they are not widely adopted. I don't want to say that those fights are not worth fighting, but I am looking for a short-term solution that provides similar security guarantees that OpenPGP provides for normal encrypted email. > > The problem with reencryption algorithms is that a subscriber can't > > reuse her own secret key. Instead, she gets a new secret key (sent > > via email, which she has to import) for each mailing list > > subscription. > > If you know your crypto algorithms well enough, you might be able to > cook up something different... RSA, DH, ECDH are all more potent than > their everyday applications make you believe. Unfortunately, I'm not that good of a cryptographer. But if you have some concrete suggestions of things to look at or keywords to search for, I'd appreciate it. > > These are good suggestions and I appreciate the tips! You're probably > > right that a good solution can more easily be found by disregarding > > backwards compatibility. But, in this project, I'm trying to > > determine the best mechanism that doesn't require users to change > > their habits or upgrade their software (other than their OpenPGP > > implementation and then, only for posters, not list subscribers). > I think you are targeting an audience that, if it is to wisely use the > list and not leak to "interested extra subscribers" by letting them in > on the list (had you thought of the signup procedure yet? key management > is always the culprit) will be quite able to change habits. I'm trying to target all OpenPGP users. I'm not just interested in helping those who the subject of a targeted attack, but also those who are unsophisticated, but are interested in inhibiting mass surveillance. Thanks, :) Neal
- [openpgp] mailing list: managing the subscriber l… Neal H. Walfield
- Re: [openpgp] mailing list: managing the subscrib… Rick van Rein
- Re: [openpgp] mailing list: managing the subscrib… Neal H. Walfield
- Re: [openpgp] mailing list: managing the subscrib… Rick van Rein
- Re: [openpgp] mailing list: managing the subscrib… Werner Koch
- Re: [openpgp] mailing list: managing the subscrib… Neal H. Walfield
- Re: [openpgp] mailing list: managing the subscrib… Neal H. Walfield
- Re: [openpgp] mailing list: managing the subscrib… vedaal
- Re: [openpgp] mailing list: managing the subscrib… Phillip Hallam-Baker