On Tue, Jan 12, 2016 at 2:19 AM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
On Mon, 11 Jan 2016 23:46, neal(_at_)walfield(_dot_)org said:
There are two types of re-encryption that I think are inappropriate:
- when the mailing list software decrypts and reencrypts each
message before forwarding it on to the list of subscriber, and,
As soon as you are in the need for a mailing list you have severe opsec
problems which I consider not solvable: You not only need to fully trust
all participants but also need to make sure that _all_ their boxes are
properly secured against attacks.
Adding another box to reencrypt the messages does not change the picture
much more than adding another subscriber.
I heard that Schleuder (schleuder.nadir.org or apt-get install schleuder)
is a matured tool for encrypted group communication.
There is an approach that I think works but it requires significant
changes to the OpenPGP protocol.
The problem with having to have a trusted box as the remailer is the
same as the problem with using STARTTLS to secure SMTP - running a
server is expensive. The incremental cost for sending additional
messages is almost nil. But if you want to completely trust a service
you have to have your own machine, run it in a trusted location, etc.
That costs several $1000s a year for even a basic setup. For something
that is really secure you are looking at seven figures plus.
So if we want the system to be accessible, it has to be possible to
run all the code on a machine managed by a data canter run by daleks
without a confidentiality or integrity concern (a service provider
will always be able to deny service).
This is the problem that proxy re-encryption solves. Instead of
decrypting the message at the server and re-encrypting it, the server
recrypts the message using a key that transforms the data encrypted
for one key to data encrypted with a different one.
There are good ways to do this that appear to be unencumbered for
Diffie Hellman (if anyone knows of patents, please let me know).
The problem is that these techniques don't solve the general case of
Alice sets up the server and gives it a key that allows it to convert
a message encrypted under the mailing list key to Bob's public key
published in a directory. What it does allow is to encrypt the message
to a key that Alice has picked and assigned to Bob. That key can then
be sent as an encrypted blob along with the message.
What this would require is specifying a new encryption algorithm type
for recryption. It is probably best to leave off doing that until CFRG
is done.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp