ietf
[Top] [All Lists]

Re: Agenda, security, and monitoring

2014-02-03 08:08:19
On Sun, Feb 02, 2014 at 06:44:58PM -0600, Pete Resnick wrote:
I agree that authentication is irrelevant in this context. But
that's leads me to agree with Dave on a central point (hence the
little I-D we've been banging on and submitted to the STRINT folks):
The problem with PGP and S/MIME is that they require authentication
in order to start using encryption, and since authentication is both
irrelevant to this *and* a pain to do...

We should be a bit careful about our terms here.  If we don't care
about authentication at all, one solution is to just do hop-by-hop
diffie hellman (or TLS with completely unchecked certificates).
That's actually pretty easy, and it's not a bad thing to do whether or
not we do anything else, since it makes pervasive monitoring more
expensive by requiring the attacker to forgo passive eavesdropping and
have to do active M-I-T-M attacks.

If instead what we are saying is that we don't really care about
tieing a particular encryption key to a specifically named human
being, but to some other property, then this starts addressing the "do
we really need to have geek-friendly-but-scares-the-civilians PGP key
signing party" problem.  Instead you might want to say, "I don't care
whether this really is Mr. John Doe from Lower Elbonia, but I do want
to know whether this is the same entity who has been corresponding for
the last two months on the wg mailing list --- or is the author of a
particular I-D".

As a specific example, if all you want to do is make sure that someone
really controls the e-mail address named in the PGP key identity, then
you could do an web-automated version of "CAFF" (Certifying Authority
Fire and Forget)[1].

[1] http://manpages.ubuntu.com/manpages/hardy/man1/caff.1.html

So imagine a web service, running on tools.ietf.org, (a) which makes
someone prove that they have control over a specified e-mail address,
by mailing them a URL with a one-time code embedded in it, then (b)
asks them to upload a PGP key, and then (c) it sends back to that
e-mail address their PGP key signed with a registry key --- but the
signature is encrypted so only someone with the private key of the PGP
key can decrypt it.  This basically proves that the submitting entity
has control over both the e-mail address and the private key of the
PGP key that they are requesting be certified.

If this is being done via https, and you trust that the CA for
ietf.org is doing a competent job, and *all* CA's and sub-CA's trusted
by your browser are doing a competent job, then this will basically do
what you want, and it doesn't require people to show up at a PGP
signing party.  The user experience becomes that which is needed when
you sign up for a Google, or Yahoo, or any other web site which
demands that you prove that you have a valid e-mail address.

                                                - Ted