Re: [openpgp] [openpgp-email] Keyserverless Use of OpenPGP in Email
Ruben Pollan <meskio@sindominio.net> Tue, 12 April 2016 14:34 UTC
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="===============6113357987027387068=="
MIME-Version: 1.0
Content-Disposition: inline
To: Simon Josefsson <simon@josefsson.org>, Vincent Breitmoser <look@my.amazin.horse>
From: Ruben Pollan <meskio@sindominio.net>
In-Reply-To: <20160412154918.1ca8da7c@latte.josefsson.org>
References: <20160412121549.GB16775@littlepip.fritz.box> <20160412154918.1ca8da7c@latte.josefsson.org>
Message-ID: <146047167027.5102.16171502176440717800@KingMob>
Date: Tue, 12 Apr 2016 16:34:30 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/jjm9JrorAuWf0yl5pOjiP-rDfuw>
Cc: IETF OpenPGP <openpgp@ietf.org>, openpgp-email <openpgp-email@enigmail.net>
Subject: Re: [openpgp] [openpgp-email] Keyserverless Use of OpenPGP in Email
Quoting Simon Josefsson (2016-04-12 15:49:18)
> > To counteract this, we can significantly reduce the number of attached
> > public keys if we are just a little bit clever about the decision of
> > when to add it. Roughly, it makes sense to attach the public key to
> > the first message of a conversation with each recipient.
>
> It sounds good in theory, but I don't think that will work. Let's
> compare how I use e-mail clients. I use k9, claws, evolution, webmail,
> and probably several other clients that I forgot. I don't read all
> emails in all clients, of course. I only read the emails that I need
> in the client I happen to have available. So if you only include the
> public key in the first message of a conversation, the majority of my
> clients would never see that email because of my usage pattern. None
> of any newly installed MUA would ever see the email, which over time
> tends to approach 100% of my MUAs since I re-install most of them from
> time to time.
>
> Now it may be that my usage pattern is a corner case, but I believe it
> is typical for many users today.

In the multi-device world you are describing, I think it is pretty important to share your keyring among your devices: not just your private keys, but all your known public keys and your trust in them.

> > Another question is, where to place the key. In email, we have two
> > options: in a separate mime part, or directly next to the pgp
> > signature data.
>
> You could put it in the email header too. It would be bizarre for
> larger keys, but at least possible in theory.
>
> Also, the OpenPGP mail/news url field header was intended to provide an
> indirect way to support this:
>
> http://josefsson.org/openpgp-header/
>
> You still have some of the keyserver privacy concerns, and require
> a network connection, but I'd just like to mention it as another option
> to consider.

In Bitmask we do some of the things you propose, Vincent.

We attach public keys to all sent emails until we get an email encrypted to this public key. We attach the key as a MIME part, because Enigmail already has support for that and it is one click to import it into your keyring. We also add the OpenPGP header to all sent emails and use it to discover keys from the 'url' field if it is https and from the same domain as the email address.

Even though I have many concerns about key discovery on the key servers, I think we need key servers for key updates. We need to be able to revoke, extend expiration, rotate subkeys, ... I think it is really important for OpenPGP email clients to be able to update the keyring periodically in a 'privacy preserving way'. We even dream of having some crappy forward secrecy by rotating encryption subkeys often, and deleting them from the keyring.

-- 
Ruben Pollan | http://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: http://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
We are going to Croatan.
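The two client-side rules the message above describes, as an added example that is not part of the original post and not Bitmask's or Enigmail's code: (1) only follow the `url` field of an `OpenPGP:` header when it is https and its host is the same domain as the sender's address, so a forged header cannot point the client at an arbitrary key, and (2) keep attaching our own public key to outgoing mail to a recipient until that recipient has sent us something encrypted to it. The `id=...; url=...; preference=...` parameter layout follows the header draft linked above; the parsing, the exact-host match (a subdomain policy would be a separate choice) and the sample header values are assumptions made here.

```python
"""Added example: same-origin check for the OpenPGP header's url field and a
keep-attaching-until-confirmed policy for our own public key."""
import email.utils
from urllib.parse import urlsplit


def parse_openpgp_header(value):
    """Split 'id=...; url=...; preference=...' into a dict (keys lowercased).
    Malformed parts without '=' are ignored rather than raising."""
    params = {}
    for part in value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, val = part.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return params


def sender_domain(from_header):
    """Domain of the address in a From: header, or None if unparsable."""
    _name, address = email.utils.parseaddr(from_header)
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def key_url_allowed(openpgp_header, from_header):
    """Return the url to fetch the key from, or None if the rule rejects it.

    Rejected: no url, non-https url, or url host that is not exactly the
    sender's mail domain. urlsplit().hostname already discards any
    'user@' prefix, so 'https://example.org@attacker.example/' is rejected."""
    url = parse_openpgp_header(openpgp_header).get("url")
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return None
    domain = sender_domain(from_header)
    host = (parts.hostname or "").lower()
    if domain is None or host != domain:
        return None
    return url


class KeyAttachmentPolicy:
    """Attach our public key to every message for a recipient until that
    recipient has mailed us something encrypted to the key."""

    def __init__(self):
        self._confirmed = set()

    def note_received(self, sender, encrypted_to_our_key):
        """Record an inbound message; only encrypted ones count as confirmation."""
        if encrypted_to_our_key:
            self._confirmed.add(sender.lower())

    def should_attach(self, recipients):
        """True if any recipient has not yet confirmed having our key."""
        return any(r.lower() not in self._confirmed for r in recipients)


if __name__ == "__main__":
    # Constructed sample header values, not captured from real mail.
    print(key_url_allowed("id=DEADBEEF; url=https://example.org/key.asc; preference=signencrypt",
                          "Alice <alice@example.org>"))
    print(key_url_allowed("url=https://example.org@attacker.example/key.asc",
                          "alice@example.org"))
    policy = KeyAttachmentPolicy()
    print(policy.should_attach(["bob@example.net"]))
    policy.note_received("bob@example.net", encrypted_to_our_key=True)
    print(policy.should_attach(["bob@example.net"]))
```

Note that `note_received` should only be fed the sender address after the message's signature or decryption has been checked by the OpenPGP layer; a plaintext message merely claiming to come from the recipient must not count as confirmation, which is why the flag is passed in rather than derived from headers here.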
- [openpgp] Keyserverless Use of OpenPGP in Email Vincent Breitmoser
- Re: [openpgp] Keyserverless Use of OpenPGP in Ema… Paul Wouters
- Re: [openpgp] Keyserverless Use of OpenPGP in Ema… Vincent Breitmoser
- Re: [openpgp] [openpgp-email] Keyserverless Use o… Simon Josefsson
- Re: [openpgp] [openpgp-email] Keyserverless Use o… Neal H. Walfield
- Re: [openpgp] [openpgp-email] Keyserverless Use o… Vincent Breitmoser
- Re: [openpgp] [openpgp-email] Keyserverless Use o… Ruben Pollan
- Re: [openpgp] Keyserverless Use of OpenPGP in Ema… Derek Atkins
- Re: [openpgp] [openpgp-email] Keyserverless Use o… Neal H. Walfield
- Re: [openpgp] Keyserverless Use of OpenPGP in Ema… Werner Koch
- Re: [openpgp] [openpgp-email] Keyserverless Use o… Werner Koch
- Re: [openpgp] [openpgp-email] Keyserverless Use o… Vincent Breitmoser
- Re: [openpgp] [openpgp-email] Keyserverless Use o… Ruben Pollan