ietf
[Top] [All Lists]

Re: Threat model

2016-03-13 20:56:33
On 03/13/2016 08:40 AM, John C Klensin wrote:
Part 2 of 2 -- see introduction to immediately prior note.

--On Saturday, March 12, 2016 12:15 PM -0800 Doug Barton
<dougb(_at_)dougbarton(_dot_)us> wrote:

Given that the DNS RR in question is something the end user
has to explicitly request, the danger is not immediately
obvious to me.

--On Saturday, March 12, 2016 4:09 PM -0500 Paul Wouters
<paul(_at_)nohats(_dot_)ca> wrote:

2 In an email server has paul(_at_)nohats(_dot_)ca and 
Paul(_at_)nohats(_dot_)ca,
AND these are different users, then instead of JUST mailing
the wrong user in plaintext, the wrong user is emailed
encrypted to that user. This is functionaly still better than
the current deployment, since only 1 wrong user can see the
(encrypted) email instead of everyone on the path plus the
user who can see the never-encrypted email.

That depends entirely on the threat model you are concerned
about.   I (and others) have repeatedly asked that you be
explicit in the I-D about applicable threat models (aka "the
problem you are trying to solve") in more specificity then you
have now and that you see if you can get consensus.   If the
goal is to try to get more email on the Internet encrypted as an
"opportunistic" matter, then certainly your reasoning is
correct, perhaps modulo one other issue.

I agree that the draft needs to spell this out in more detail.

In our quest for more privacy, language like "everyone on the
path" implies something similar to letters being posted in shop
windows for public viewing before being delivered (or as a means
of delivery).  The reality is the most ISPs, and most operators
of mail servers and relays, take at least some measures (often
strong ones) to ensure that the collection of people who can get
to a message in transit is very restricted and a lot short of
"everyone".  Yes, those measures, and the ISPs and mail
providers themselves, can be subverted or forced to expose
message traffic, but the parties who can do that aren't
"everyone" either.  If one is interested in attacks from them
--either on you or as part of a pervasive surveillance effort--
then the threat model changes quite a bit.

Paul has a point here. For good reasons or ill, the number of "eyes" (where "eyes" can also be various forms of machine tools) "on the path" can be non-trivial.

It's also worth reiterating one of his points ... the risk to neither the sending nor the receiving user is not increased, and may in fact be decreased, by the mechanism described in the draft. Do you believe differently? (Note, I'm not asking about your analysis of the relative "worth" of the decrease. I'm only interested in whether you see that there is a decrease, or more significantly, if you see an increase in risk, and why.)

In particular, if a user has a sensitive information to
transmit, information that will not be transmitted at all unless
there is high assurance that it will go encrypted and encrypted
in the key of the right party, then the choice between "one
wrong person sees it" and "everyone sees it" is a not-starter.

I disagree quite strongly with your assessment here.

Further, your caveat of "encrypted in the key of the right party" by definition precludes using OPENPGPKEY as the sole point of information in determining said key, which renders your argument here moot.

Doug