Re: [perpass] Another mail-related proposal

Yoav Nir <> Sun, 18 August 2013 18:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6BD9511E8184 for <>; Sun, 18 Aug 2013 11:50:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.561
X-Spam-Status: No, score=-10.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WYGyzgigkm8L for <>; Sun, 18 Aug 2013 11:49:54 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5192511E8174 for <>; Sun, 18 Aug 2013 11:49:50 -0700 (PDT)
Received: from ([]) by (8.13.8/8.13.8) with ESMTP id r7IInlKF032757; Sun, 18 Aug 2013 21:49:47 +0300
X-CheckPoint: {5211174B-17-1B221DC2-1FFFF}
Received: from ([]) by ([]) with mapi id 14.02.0342.003; Sun, 18 Aug 2013 21:49:45 +0300
From: Yoav Nir <>
To: Jim Fenton <>
Thread-Topic: [perpass] Another mail-related proposal
Thread-Index: AQHOm4qE4/ehqlydKEC7ZVdJ6iTZi5mZt1oAgACRQYCAABmzAIAAlcWAgAAl/AA=
Date: Sun, 18 Aug 2013 18:49:45 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11841697a4f4d29a8315acb7043052ef5624c4f6e1
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Randy Bush <>, "<>" <>
Subject: Re: [perpass] Another mail-related proposal
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 18 Aug 2013 18:50:06 -0000

On Aug 18, 2013, at 7:33 PM, Jim Fenton <>

> On 08/18/2013 12:37 AM, Randy Bush wrote:
>>> I'm having more trouble coming up with use cases where I'd want to
>>> reject messages that don't use PGP or S/MIME.
>> visualize a future world where e2e message privacy is the default.  in
>> that world, some parties could view an unencrypted message as an attack.
> I'm curious what sort of attack you're envisioning here: what are the
> motives of the attacker, and what is the harm to the attacked party? I
> have one idea -- a bit of a stretch IMO -- see below. But I wonder if
> there are others.

Here's one. You and Randy are exchanging some emails. They're all encrypted, so listening in on your conversation is either impossible or prohibitively expensive. But the attacker finds some bug in your mail client, that makes it forget (or distrust) Randy's public key. Absent a public key, your mail client sends in the clear, and because of some BC code from the days when not all mail was encrypted, Randy's mail client displays the message. Because we all quote extensively, getting your side of the conversation is enough.

So the unencrypted message is not in itself an attack, but it is evidence of an attack. Does that mean it should be rejected? On the one hand, it's best to stop the conversation because it's not protected (and evidently is of some interest to someone). On the other hand, it makes no sense that the last message should be only available to an attacker. If some server in the middle is set up to drop all messages that are not encrypted (and the receiver has published a public key), this server may end up being before the point where the attacker is listening, foiling the attack. So I guess that could be an argument for dropping.