pem-dev

Re: archival of Federal email, fun topic.

1994-11-21 17:22:00


   >From: "Craig A. Finseth" <fin@unet.umn.edu>
   >Subject: archival of Federal email, fun topic.
   >Date: Mon, 21 Nov 1994 15:37:51 -0600

   >That's my point.  If I'm sending a message to a .gov, .mil, etc. site, I am
   >by definition not engaging in private communication for which there is such
   >an expectation.

I have learned something I never knew about the Internet.  There are
actual and explicit privacy and non-privacy domains, driven by social 
convention.
And whilst one might use high-assurance PEM to protect against active
messaging threats, the address may well dictate if the mail content is
"private."

I wonder (personally) if I mail to the notional j.major@no10.hmg.uk, if
it's the same, or j.delors@cec.be.

Let's consider a use of the ANSI certificate to address the threat of
being duped as to (or informed of) the privacy policy of a given
recipient. Then we will have made an advance.  Not only might the ANSI
extensions facilitate mapping equivalent assurance domains, but they
might also convey information privacy policy indications.

We know in PEM that one must verify a complete recipient certificate
chain before releasing and sending a confidential memo, in order that
the originator is not duped into releasing sensitive information to an
imposter.

We know in PEM, users must evaluate the degree of trust in the
assurances by inspection. For a given security domain, then, an
extension might be defined as critical, which requires conforming UAs
to display a string which asserts:  "All mail to any mailbox used by
this distinguished user is potentially subject to public archival."
before mail submission. Then we need not worry about attacks on the
directory name->address lookup, or have social conventions about domain
naming linked to actual privacy policies.

So just as in military UAs, one informs the user of the clearance level
of a recipient set, and the submission agent insists on a given
security policy over the relative clearances, so a "privacy disclosure"
might achieve the same end-to-end controls over public versus private
release of mail contents.

The PEM system could then stay independent of O/RAddress conventions,
yet ensure a sender has the information available to know the degree of
privacy which may be afforded.

The threat is simply that of security level violation in the
intra-messaging threat category. CCITT defined levels suitable for MHS:
public, personal, private, and company confidential. Then suitable
privacy marks might be added - For official use only, in strictest
confidence, etc.

So what we have come down to is that the "threat of public archival" is
nothing but the "threat of security level violation". PGP and PEM users
are liable to attack on their intra-messaging expectations, as the key
distribution system design didn't consider it necessary to classify
Internet mailboxes or Mail users with clearance levels.
