Re: [plasma] why not web portal mail?

Phillip Hallam-Baker <hallam@gmail.com> Tue, 12 April 2011 15:13 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: plasma@ietfc.amsl.com
Delivered-To: plasma@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 3472CE07FF for <plasma@ietfc.amsl.com>; Tue, 12 Apr 2011 08:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.666
X-Spam-Level:
X-Spam-Status: No, score=-2.666 tagged_above=-999 required=5 tests=[AWL=-0.068, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRxno5kGR4AB for <plasma@ietfc.amsl.com>; Tue, 12 Apr 2011 08:13:26 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfc.amsl.com (Postfix) with ESMTP id BAAEBE07EF for <plasma@ietf.org>; Tue, 12 Apr 2011 08:13:26 -0700 (PDT)
Received: by vxg33 with SMTP id 33so6134327vxg.31 for <plasma@ietf.org>; Tue, 12 Apr 2011 08:13:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=h8p0KOaMX5Ch3ySQuM9MGae19EtkkIuYhlGldWVZmVc=; b=niY0dZuS3BK26wQ6JyVG82pgBM2Nf5ve2MVBl0bv0OtBKsWxziFVrVePXG6g1mSG/A SQJfGmTACfNS7+qDIOmMqvkj7BBm9LCZhDArHesTvC1MNQoZtxP18T8nMMS0Mrle4Fs2 4hFDvhOe/lQTGO6E0fVlXEoCP8lp+nOtht89E=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=xBv0blxRcefkqvzfeIeGPvzJZJVlN+JEhBleD3pv2t8m+q52VC37HcYSSh5tHmEGmP gvGH/0LxU5iifrullm4VBgA7WO99qkmnE5qVLlHMpXv22O9iPdSA24zF0OA3uuNhHrN4 2JO9a4w3QNOIVu8rWQ2HG8VaNwONQjQuUVZrI=
MIME-Version: 1.0
Received: by 10.52.159.132 with SMTP id xc4mr1280540vdb.229.1302621204965; Tue, 12 Apr 2011 08:13:24 -0700 (PDT)
Received: by 10.52.166.230 with HTTP; Tue, 12 Apr 2011 08:13:24 -0700 (PDT)
In-Reply-To: <4DA45FE5.3020102@mnt.se>
References: <E545B914D50B2A4B994F198378B1525D2F49734F@DF-M14-12.exchange.corp.microsoft.com> <4DA45FE5.3020102@mnt.se>
Date: Tue, 12 Apr 2011 11:13:24 -0400
Message-ID: <BANLkTinDGHx7rF81tnSJwjGi9881FnKqLw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Leif Johansson <leifj@mnt.se>
Content-Type: multipart/alternative; boundary=bcaec53f920b33369f04a0ba2260
Cc: plasma@ietf.org
Subject: Re: [plasma] why not web portal mail?
X-BeenThere: plasma@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/plasma>, <mailto:plasma-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/plasma>
List-Post: <mailto:plasma@ietf.org>
List-Help: <mailto:plasma-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2011 15:13:28 -0000

I don't think it actually helps to artificially narrow the scope of the use
cases.

The real use cases here are of the form 'Alice wants to protect her
information against unintended disclosure'.

It may make sense to restrict the initial detailed specification to a single
protocol, but the architecture has to be designed with the general case in
mind from the start. Otherwise we end up with a hack that enables policy to
be used with SMTP based email but nothing else.

My experience is that special case protocols start off more complex and
become even more so over time than proposals that start from the general
case. FTP is actually a far more involved protocol than HTTP with far more
features and complexity. But HTTP is actually the more flexible protocol
because of that (try layering your Web Service over FTP and let me know how
it works for you). Insisting on generality forces people to give up their
special case hacks and results in a cleaner result.


The starting point as I see it should be an identifier for security
policies. Make it easy for the end user to specify that document X is under
control of policy Y. Since we want the policy identifiers to be easy to
remember and want an infinite registry space of them, this results in the
user presentation looking something like:

policyname#example.com

And it is convenient to also have a URI form.

policy:example.com/policyname

We thus have separate forms of the identifier for human readability and
machine readability.


It is pretty easy to see that anyone who wants to define policies can do so
by registering a domain name. Also we have a fairly clear mapping from the
DNS to the some sort of policy service.


The policy service is of course going to be some sort of Web Service that we
discover by means of the DNS. We may well have a separate mechanism (e.g. CA
certs) for establishing trust. But that is something to defer to much later.

Given a web service to support the security policy management protocol we
can now interrogate it to ask queries of the form 'how do I apply policy X
to object Y in the context of operation Z'.

So we have an architecture that is completely general and can in theory be
used to support any protocol whatsoever without special casing.


The next question is going to be whether the policy enforcement is going to
be discretionary or mandatory (yeah, I know the terms are polluted, but I
can't think of better words).

The traditional approach to CRM has been to try to design systems where the
data is protected with cryptography and there is no way for the end user to
evade the controls. That is desirable in some cases but not if it limits the
scope of the policy language to features that can be enforced
cryptographically.

I think that the enforcement mechanism for a policy should itself be a
policy issue. So just like an auth scheme that allows username password for
low security sites and requires 2 factor for banking sites, we might have a
policy mechanism that might allow data controlled by a low restriction
security policy to be passed with an 'advisory' note while top secret
documents would be exchanged encrypted.


Now as far as deployment incentives go, I think the big one for me would be
to have a mechanism that would make S/MIME actually work as an email
mechanism which at the moment it does not. None of the clients implement an
effective cert discovery mechanism by default and so most mail is sent
without S/MIME.

So I would look at ways to combine the policy mechanism with the cert
discovery mechanism.

If PLASMA ends up being another option on a protocol with unusable
implementations, there is not much point.



On Tue, Apr 12, 2011 at 10:21 AM, Leif Johansson <leifj@mnt.se> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/06/2011 09:33 PM, Trevor Freeman wrote:
> > Stephen Farrell asked why not use Web portal mail? Why do we need to
> develop plasma?
>
> Maybe that question is easier to answer if we consider plasma for XMPP
> and not just for email. There are important differences between XMPP
> and email that make it much more challenging to build web-only versions
> of the XMPP.
>
>        Cheers Leif
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2kX+UACgkQ8Jx8FtbMZndeOwCcC1BQafbUXYLHJZKxsuAcV8eS
> 6ukAnA0JGhMsLdmh+WG+GqEUoVMWj7+e
> =5lPF
> -----END PGP SIGNATURE-----
> _______________________________________________
> plasma mailing list
> plasma@ietf.org
> https://www.ietf.org/mailman/listinfo/plasma
>



-- 
Website: http://hallambaker.com/