Re: [plasma] why not web portal mail?

Trevor Freeman <> Tue, 12 April 2011 00:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5AC0BE0714 for <>; Mon, 11 Apr 2011 17:02:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.598
X-Spam-Status: No, score=-110.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AxBR12Z7jrge for <>; Mon, 11 Apr 2011 17:02:20 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A39E5E0673 for <>; Mon, 11 Apr 2011 17:02:16 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Mon, 11 Apr 2011 17:02:15 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Mon, 11 Apr 2011 17:02:15 -0700
Received: from ([fe80::cc46:3da5:bed6:8dfc]) by ([fe80::d940:e316:1daa:5e6a%10]) with mapi id 14.01.0218.012; Mon, 11 Apr 2011 17:02:14 -0700
From: Trevor Freeman <>
To: Stephen Farrell <>
Thread-Topic: [plasma] why not web portal mail?
Thread-Index: Acv0kXrWGetxV1fRTF6d/JQ0xrOecQBxLT4AAJFdkKA=
Date: Tue, 12 Apr 2011 00:02:14 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_E545B914D50B2A4B994F198378B1525D339D558ADFM1411exchange_"
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [plasma] why not web portal mail?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Apr 2011 00:02:26 -0000

Hi Steve,

-----Original Message-----
From: Stephen Farrell []
Sent: Friday, April 08, 2011 11:34 AM
To: Trevor Freeman
Subject: Re: [plasma] why not web portal mail?

Hi Trevor,

On 06/04/11 20:33, Trevor Freeman wrote:

> Stephen Farrell asked why not use Web portal mail? Why do we need to

> develop plasma?


> I don't think we concisely answered that question in the BoF and it is

> an important data point.

Thanks for trying now.

> The web portal mail products are used where there is no way to

> securely deliver sensitive mail to a recipient outside the sender's organization.

> The message is held within the sender's organization and a

> notification email is sent to the recipient.  The notification email

> contains a HTTPS URI to the original message with the sensitive content.


> This model work Ok if it is bilateral communication e.g.

> doctor-patient where you want to reply to the sender. This has been deployed with my

> healthcare provider and we can exchange messages.

Well, its also works fine for announcements, i.e. 1:N messages.

[TF] Agreed.

> However the

> notification email are very generic by design so it hard to find

> specific messages in your inbox other than by date and time sent. It

> also means useful features like inbox search don't work as you only

> have the notification message in your inbox.

True. However, does that mean that you'd expect the UA search function to be plasma-aware? If not, then won't the sensitive information be vulnerable in whatever search DB the UA uses?

Maybe that's a question of defining the trust boundaries for this, but given that the search may be on an IMAP server its possibly complicated doing that in a secure way.

[TF] Yes I expect search engines to become Plasma aware just as search engines have become aware of other encrypted content types. The search engine does not necessary need unrestricted access to content and the content indexed is by definition potentially sensitive so have to be controlled. However that process is a local UA process so is not in scope for Plasma. However the fact that all the user content is in their inbox makes it a tractable problem.

> This model fails totally if it's multilateral communication where you

> want to reply all or forward to messages.

Hmm. So that'd imply that forwarding etc. is an important part of the proposed work? It strikes me that that's one of the weakest aspects of generic s/mime (just from personal experience, its not something I've gone out of my way to test). There'd also be some pretty complex policy calculations to make to figure out what can be forwarded to whom, I assume, so this seems like a fairly complex area.

[TF] Not just forwarding - reply all is just as important as we have demonstrated with this thread. One of the value propositions for email is the flexible, multiparty nature of the asynchronous communication whereby groups of individuals can be part of a conversation and any recipient can participate in the thread or can spawn new threads just as we are doing here. The objective that Plasma brings is the desire to maintain a degree of policy enforcement to the process when the content of the message is either sensitive or regulated. What if, as part of my reply, I wanted to inject some information which was Microsoft confidential and was being shared under respective non-disclosure agreements? The aim of Plasma would be to allow me to add a policy check before the decryption key to my reply was disclosed to recipients to ensure every recipient was in an organization which had a current legal agreement in place. This message is using a distribution list managed outside my organization so I cannot determine the exact list of recipients at send time. If the mail list was an S/MIME MLA I could protect the confidentiality of the information so only plasma mail list subscribers can read the content but this does not satisfy the policy requirements of determining if there is a legal agreement in place.

> The message never leaves the

> originators organization so you cannot originate new message as if it

> were from a recipient's organization. This means for business to

> business scenario it would hinder the use of email for collaboration.

I don't get that at all. But never mind.

[TF] I think it's a critical reason for why Plasma.  Consider the scenario where this thread becomes sensitive as I suggested above and I was to use a web portal for this reply. That portal would be hosted on a Microsoft corporate server since I invoked the sensitivity clause and you would have received a notification email instead of the actual email. If you were to further reply all or forward that messages the origination point for that message would be from a Microsoft corporate server. The Microsoft server would in turn send out an email notification with a FROM address of<> with a url of https:\\\???

This seems a highly dubious pattern which matches the pattern used by phishers and spammers. How could you expect Microsoft to be authoritative for sending mail as someone from Trinity College Dublin to all the recipients on the distribution list?

What is the scenario was reversed and we used a web portal in your domain and I still wanted to add some Microsoft sensitive information to the thread. How would your portal know what my corporate rulers were if I were to reply all?

> With these limitations I think it's clear that that plasma offers some

> significant benefits over web portal email.

Not that clear to me I'm afraid.

While you're arguing for plasma on this basis, to judge those arguments people would need some kind of evidence that's a good bit better than just an assertion. But I'm sure you guys are working on that.

[TF] Yes that is what dialog is about:)





> *Dr Trevor Freeman*  Senior Security Strategist


> *End to End Trust Team*

> <>**


> *Microsoft Trustworthy

> Computing*<>






> _______________________________________________

> plasma mailing list