Re: Need for secured email delegation workflow

2017-07-15 03:24:24

On 15 Jul 2017, at 1:36, Michael Richardson <mcr+ietf(_at_)sandelman(_dot_)ca> wrote:

Yoav Nir <ynir(_dot_)ietf(_at_)gmail(_dot_)com> wrote:
This is part of a wider issue. Even without delegation, if I use my own
email account with several MUAs (say, my laptop and my phone), where is
the private key stored? Is it shared between laptop and phone?

I think that simple delegation would be a better tool to delegate email
access from my desktop to my phone and/or laptop.  That way the server
knows it's an ancillary device, it could be revoked easier, and a more
suspicious profile could be applied by servers.   Google has tried to
do this with the "App passwords", but my understanding is that they are still
not restricted to specific apps.  Just additional passwords that have
most access, but not password resetting access.

OpenPGP format permits a (public) key blob to contain many signing (sub)keys,
and so distributing a public key with a set of subkeys where the private
keys are stored into laptops and phones, etc. would work.

You end up reading encrypted mail only using one MUA, which is one more
thing dragging the use of S/MIME down.

Agreed; I'm not sure if PKIX has a subkey concept.  I suspect it's in a
standard, but I'm unclear if it was ever deployed.

That works OK for signatures, but for encryption?  You’d have to encrypt the 
message with each subkey.  Yeah, I know only the symmetric key gets encrypted 
but it’s still ugly.

And we haven’t even mentioned the web MUA and where it stores the private keys.

Attachment: signature.asc
Description: Message signed with OpenPGP