
Re: IETF mail server and SSLv3

2016-02-22 03:02:20


--On Sunday, February 21, 2016 09:08 -0800 Lixia Zhang
<lixia(_at_)cs(_dot_)ucla(_dot_)edu> wrote:

There has probably been no idea more damaging to the security
of the Internet than the idea that end-to-end is the only way
to do security.

Email is an intrinsically store and forward system. Every
network mail system has had at least three parties and
Internet mail has had a four-corner model since the early 90s.

I'd also add that this issue is not limited to just email (a
cisco forecast claims that "Sixty-two percent of all Internet
traffic will cross content delivery networks by 2019
globally", note that today's CDN traffic is not limited to
videos, but includes other more critical content).  Let's
recognize the fact that "Internet achieves end-to-end security
by end-to-end encrypted channel" is an illusion, as data is
not delivered through an end-to-end connection in many cases
today, and it is likely to become more so with more mobiles
and DTN-style apps. 

Lixia,

While I agree with everything you say above, I am not clear
about where you think it takes us.  In particular, there is a
layering issue involved with, e.g., "end to end" meaning
something different for IP and TCP than it does for, e.g., mail
payloads.   Precisely because of the comments you make above in
combination with the observation that there is a much more
extensive history of compromised servers (including those that
relay mail) than of compromises to the long-haul network, where
the latter is involved, I'm aware of only two alternatives:

        (i) Encryption of content on what the email community
        often describes as an end-to-end basis.
        
        (ii) More or less explicitly trusting every system
        involved in the transmission of the message.

In most cases, the second alternative should be treated with
derision.

As with packet headers at lower levels in the system, the above
does nothing to protect against those whose interest is in the
information about where traffic is originated and where it is
bound.

    john
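The two alternatives and the closing caveat above can be made concrete with a small model of a store-and-forward mail path. This is an added example, not code from the thread or from any IETF project: each relay hop records what it can read, then prepends a Received: line and forwards the message. Under alternative (ii) the body is in the clear at every hop; under alternative (i) only the recipient can open it, yet From, To, Subject and Date stay visible to every hop. The addresses, hop names, message text and key are constructed sample data, and the HMAC-SHA256 counter-mode keystream is a stand-in for a real S/MIME or OpenPGP layer so that the script runs offline (it is not a cipher to use in practice).

```python
import hashlib
import hmac
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List, Optional, Tuple

# Headers that are routing/metadata information: readable at every hop in
# both alternatives, since relays need them (or at least carry them) in clear.
ROUTING_HEADERS = ("From", "To", "Subject", "Date")
NONCE = b"constructed-demo-nonce"  # fixed for the demo; constructed value


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Stand-in for S/MIME/OpenPGP
    so the example is self-contained; not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; symmetric, so the same call opens it."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, nonce, len(data))))


def build_message(body: str, e2e_key: Optional[bytes]) -> bytes:
    """Sender composes the message. With e2e_key the body is encrypted before it
    enters the store-and-forward system (alternative (i)); without it the body
    travels in clear and every relay is implicitly trusted (alternative (ii))."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@example.org"        # constructed sample addresses
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Quarterly numbers"     # stays in clear in both alternatives
    msg["Date"] = "Mon, 22 Feb 2016 03:02:20 +0000"
    if e2e_key is None:
        msg.set_content(body)
    else:
        sealed = toy_seal(e2e_key, NONCE, body.encode())
        msg.set_content(sealed, maintype="application", subtype="octet-stream")
    return msg.as_bytes()


def relay_hop(wire: bytes, hop: str) -> Tuple[bytes, Dict[str, object]]:
    """One MTA: records what it can read, prepends its Received: line and
    forwards the stored message to the next hop."""
    msg = BytesParser(policy=policy.default).parsebytes(wire)
    seen: Dict[str, object] = {h: msg[h] for h in ROUTING_HEADERS}
    payload = msg.get_payload(decode=True)
    # An opaque octet-stream body cannot be read by the relay.
    seen["body"] = payload.decode() if msg.get_content_type() == "text/plain" else None
    seen["hop"] = hop
    received = f"Received: from upstream by {hop}; {msg['Date']}\n".encode()
    return received + wire, seen


def deliver(body: str, hops: List[str], e2e_key: Optional[bytes]) -> Tuple[List[Dict[str, object]], str]:
    """Push the message through every hop; return each hop's view and the
    body as the final recipient recovers it."""
    wire = build_message(body, e2e_key)
    observations = []
    for hop in hops:
        wire, seen = relay_hop(wire, hop)
        observations.append(seen)
    final = BytesParser(policy=policy.default).parsebytes(wire)
    payload = final.get_payload(decode=True)
    if e2e_key is not None:
        payload = toy_seal(e2e_key, NONCE, payload)
    return observations, payload.decode()


if __name__ == "__main__":
    hops = ["mta1.example.org", "relay.cdn.example", "mx.example.net"]  # constructed
    text = "Q2 revenue is down 12%.\n"
    for label, key in (("(ii) trust every hop", None),
                       ("(i) end-to-end content encryption", b"alice-bob-shared-demo-key")):
        views, recovered = deliver(text, hops, key)
        print(label)
        for v in views:
            print(f"  {v['hop']:<22} From={v['From']} To={v['To']} "
                  f"Subject={v['Subject']!r} body={'readable' if v['body'] else 'opaque'}")
        print(f"  recipient recovers: {recovered.strip()!r}")
```

Running it shows the asymmetry the message describes: encrypting the content removes the need to trust the relays with the body, but does nothing about who knows that alice@example.org wrote to bob@example.net, when, and with what Subject; that is visible at every Received: hop either way.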