Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 8/25/13 at 8:32 PM, leich...@lrw.com (Jerry Leichter) wrote:

> *The* biggest headache is HTTP support. Even the simplest modern HTTP server is so complex you can never be reasonably sure it's secure (though, granted, it's simpler than a browser!) You'd want to stay simple and primitive.

I'm currently over 250 messages behind, so please pardon me if this item has already been mentioned.

Back in 2009, Charlie Landau and I worked on a DARPA contract to demonstrate a secure web key server[1]. We used CapROS[2] as the underlying operating system and built an HTTP interpreter to act as the server. The system is GPL and the source for the web key server is available on Sourceforge[3]. Charlie comments that the IDL files are quite useful, but there really isn't any documentation.

Let me give a brief overview: When a new TCP connection arrives, a new instance of the web key server is created. It cannot communicate with any other instance of the web key server, and the only real authority it has, beyond sending and receiving on the TCP circuit, is to a name lookup system. This name lookup system takes a string -- the secret part of the web key -- and returns a resource. The web key server then returns the contents of that resource to the requestor. Since the name lookup system does not allow enumeration of its contents, even if an instance of the web key server is compromised, an attacker will still have to guess the secret part of the web key to retrieve authorities from the name lookup system.

Cheers - Bill

[1] Web key: http://waterken.sourceforge.net/web-key/
[2] http://www.capros.org/, http://capros.sourceforge.net/
[3] http://sourceforge.net/projects/capros/

---
Bill Frantz        | Truth and love must prevail | Periwinkle
(408)356-8506      | over lies and hate.         | 16345 Englewood Ave
www.pwpconsult.com | - Vaclav Havel              | Los Gatos, CA 95032

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Aug 28, 2013, at 11:03 AM, Jonathan Thornburg wrote:

> On Wed, 28 Aug 2013, Jerry Leichter wrote:
>> On the underlying matter of changing my public key: *Why* would I have to change it? It's not, as today, because I've changed my ISP or employer or some other random bit of routing information - presumably it's because my public key has been compromised.
>
> Maybe it's because you've forgotten the passphrase guarding the corresponding private key? Or because you'd like to do the electronic equivalent of "change my name, start [this facet of] my electronic life over"?

The point of my question was that for different reasons for changing the public key, there are different issues and different potential responses.

- If I need to change because the private key was compromised, there's nothing I can do about past messages; the question is what I do to minimize the number of new messages that will arrive with a now-known-insecure key. This was the case I assumed the previous poster was concerned with.

- If I lost the private key, all previous messages remain secure - except they are now, unfortunately, secure against me as well :-(. New messages sent with the key will be unreadable, but if I am in a position to determine who sent them, I can tell them to re-send with a different key. If the system is set up so that even return information is encrypted, I'll have to rely on my correspondent's realizing they need to re-send via some other mechanism. (It could be through whatever revocation mechanism the system has; it could be through mail I send to everyone I correspond with; it could be through a phone call, or just by word of mouth. The sender will have to check the dates and realize that some message was sent recently enough that I probably couldn't decrypt it.)

- As I outlined things, there was never a reason you couldn't have multiple public keys, and in fact it would be a good idea to make traffic analysis harder. Adding a new key for a new facet of your electronic life is trivial.

-- Jerry
Re: [Cryptography] Email and IM are ideal candidates for mix networks
Hello, I'm new here, so I apologize if I'm repeating past arguments or asking old questions.

On Tue, Aug 27, 2013 at 8:52 PM, Jerry Leichter leich...@lrw.com wrote:

> On Aug 27, 2013, at 9:48 PM, Perry E. Metzger wrote:
>> On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman wen...@pelicancrossing.net wrote:
>>> On 08/27/2013 18:34, ianG wrote:
>>>> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?
>>>
>>> It's clear you're not a journalist or working in any other profession where you actually need to be able to communicate spontaneously with strangers.
>>
>> Of course, as a reporter, you are probably getting email addresses of people to talk to via referral, and that could be used to get past the barrier. The problem of people spontaneously contacting a published address is harder.
>
> Actually, it isn't, or shouldn't be. Email addresses were originally things you typed into a terminal. They had to be short, memorable, and easy to type. "Published" meant printed on paper, which implied typing the thing back in. But none of that matters much any more.

This is (anecdotally) completely untrue. A great way to experience this personally is to start using a strange email address, like mine. You quickly realize how often you *say* or *write on paper* your email address. Because my email address is odd, almost every time I say it, the listener asks me to spell it. I suspect if I could just say "bob at gmail" I wouldn't notice how often this occurs. Now I'm inspired to keep a log of how often I verbally spell an email address.

It would be a grave mistake for us to say: "we're going to help the typical user, and oh by-the-way, we'll just assume verbally saying email addresses is not common." Because if it is, then any solution based on that assumption will not be adopted, and will therefore not help the fabled typical user.

If we went down the road of: "well, verbal transmission is rare and hard, but introductions through cc headers are easy to hook into, so we'll only support some uses", then we're creating a solution where users will be easily confused as to the security properties of an email address.

> Publication is usually on-line, so contact addresses can be arbitrary links. When we meet in person, we can exchange large numbers of bits between our smartphones. Hell, even a business card can easily have a QR code on the back.

So I want to highlight something here: "usually" may be accurate, if we are counting number of transmissions of email addresses over time. Perhaps more and more of that traffic, by volume, is through automated systems, relieving the burden of users saying, typing, or otherwise dealing with the string contents. However, I believe such email transmissions are not at all equal in importance. For example, if someone just verbally told me their email address, there's a great chance this is much more important than when I receive h...@techsupport.example.com over http by going to my broken product's website.

> Suppose, as in Bitcoin, my email address *is* my public key. If you wanted to send me email, you'd have a routing problem - but I could even give you hints: My address would be leich...@lrw.com:public key. You can try there first, or you can look up my public key in some global dictionary. An attacker could get your mail to me to go to them, but they can't read it - you already know my public key, so only *I* can read it. The only attack they can mount is a denial of service. I can have any number of public keys, and all published routes to me may go through a mix - so I can minimize metadata leakage.
>
> The assumption that initial contact information has to be something human-processable creates the whole "how do I securely map contact information to a key" problem. Flip it around and that problem vanishes.

This assumption does *not* create a problem. The problem exists out in the world where billions of people use technology based on the understandings and habits they learned from past experience. The problem out in the world doesn't vanish no matter what simplifying assumptions we might make on this list.

A counter to my position here is that maybe a solution needn't be used by everyone initially. If it's sufficiently usable and has any kind of networking effect, its use can spread over the population. I can't think of any networking effect for privacy or authentication that's readily apparent to users, and which is backwards compatible with existing use. I'd love to hear suggestions though!

Yet another counter is that maybe a solution needn't be used by a given user in every case, for example by suffixing key material to addresses in some automatable situations like you suggest. If the goal is authenticating humans to one another, this may not be very successful without massive user education (I'm reminded of http vs https indicators in browser UIs). If, OTOH, the goal is as much resistance to
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Thu, Aug 29, 2013 at 3:31 PM, Callme Whatiwant nejuc...@gmail.com wrote:

> Hello, I'm new here, so I apologize if I'm repeating past arguments or asking old questions.
>
> On Tue, Aug 27, 2013 at 8:52 PM, Jerry Leichter leich...@lrw.com wrote:
>> On Aug 27, 2013, at 9:48 PM, Perry E. Metzger wrote:
>>> On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman wen...@pelicancrossing.net wrote:
>>>> On 08/27/2013 18:34, ianG wrote:
>>>>> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?
>>>>
>>>> It's clear you're not a journalist or working in any other profession where you actually need to be able to communicate spontaneously with strangers.
>>>
>>> Of course, as a reporter, you are probably getting email addresses of people to talk to via referral, and that could be used to get past the barrier. The problem of people spontaneously contacting a published address is harder.
>>
>> Actually, it isn't, or shouldn't be. Email addresses were originally things you typed into a terminal. They had to be short, memorable, and easy to type. "Published" meant printed on paper, which implied typing the thing back in. But none of that matters much any more.
>
> This is (anecdotally) completely untrue. A great way to experience this personally is to start using a strange email address, like mine. You quickly realize how often you *say* or *write on paper* your email address. Because my email address is odd, almost every time I say it, the listener asks me to spell it. I suspect if I could just say "bob at gmail" I wouldn't notice how often this occurs.

I have enough problems with mine. hal...@gmail.com, someone else registered hal...@gmail.com.

But more generally, I want to make it easy for people to send me email. If they already have my address then it does not matter how easy it would be to add an encryption key, the opportunity to do so has passed.

What I did realize would be useful is some sort of verification code. So this morning I was arranging a delivery of a screw for the shower. I give them the email address but they were going to do hallambaker@gmail.com instead. So it would be nice if there was a code that someone could read back to tell you that they got the address right. It does not need to be particularly long, two maybe three letters. Just enough to provide a confirmation.

And extending the concept. Let us imagine that I have a separate email address that I am only going to use for online purchases and that I have filled out a delivery address form somewhere for it and that agent will only give out the address to a party that presents an EV certificate to show that they are accountable and keep a record of everyone who asks.

This does not really raise particular confidentiality concerns to me because it is simply a form of compression. My delivery addresses appear many times in my email inbox, I have a new entry every time I buy something online. If the mails travel through my ISP's server they will get that info soon enough (unless the sender encrypts). But it would make filling in online forms a lot easier and less error prone.

--
Website: http://hallambaker.com/
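One way to realize the read-back code Phillip sketches, added here as an example and not code from the thread: a few letters derived by hashing a normalized form of the address. The party who typed the address computes the code from what they typed and reads it aloud; the owner compares it with the code for the real address, and a mis-typed address produces a different code with probability 1 - 26^-k. The tag string, the normalization rules and the sample addresses are my own choices.

```python
import hashlib
import string

# Letters only, matching the "two maybe three letters" suggestion: spoken, not typed.
ALPHABET = string.ascii_uppercase
# Domain separator (my own choice) so the code is distinct from any other hash of the address.
TAG = b"email-readback-code-v1:"


def normalize(address: str) -> str:
    """Canonical form before hashing. A spoken address carries no case and no surrounding
    whitespace, so neither may change the code. No provider-specific rule (such as ignoring
    dots in Gmail local parts) is applied; that is an assumption of this example."""
    return address.strip().lower()


def readback_code(address: str, length: int = 3) -> str:
    """Derive `length` letters from SHA-256 of the tagged, normalized address.
    Computed by whoever typed the address, from exactly what they typed."""
    digest = hashlib.sha256(TAG + normalize(address).encode("utf-8")).digest()
    n = int.from_bytes(digest, "big")
    letters = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))  # 256 bits feeding 26^3 values: bias is negligible
        letters.append(ALPHABET[idx])
    return "".join(letters)


def confirm(real_address: str, heard_code: str) -> bool:
    """Owner-side check: does the code read back match the owner's real address?
    Case and whitespace in the heard code are ignored; an empty code never confirms."""
    heard = heard_code.strip().upper()
    return len(heard) > 0 and readback_code(real_address, len(heard)) == heard


def undetected_typo_probability(length: int) -> float:
    """Chance that a wrong address happens to yield the same code: 26^-length."""
    return len(ALPHABET) ** -length


if __name__ == "__main__":
    # Constructed scenario: the clerk types one of these; the owner knows the first is right.
    real = "customer@example.com"
    typo = "costumer@example.com"
    print("owner expects :", readback_code(real))
    print("clerk reads   :", readback_code(typo), "(from the mis-typed address)")
    print("confirmed?    :", confirm(real, readback_code(typo)))
    for k in (2, 3):
        print(f"{k} letters: typo slips through with p = {undetected_typo_probability(k):.2e}")
```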
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Aug 29, 2013, at 3:43 AM, Jerry Leichter leich...@lrw.com wrote:

> - If I need to change because the private key was compromised, there's nothing I can do about past messages; the question is what I do to minimize the number of new messages that will arrive with a now-known-insecure key. This was the case I assumed the previous poster was concerned with.

Personally, I think you shouldn't worry about this. The real sin is getting an attachment to a key. You are much better off developing a philosophy of key management in which you use it and then get rid of it regularly. If you do this reasonably well, it reduces the chance that a key will get compromised because its aegis, footprint, shadow, etc. is small. It also reduces the effect because most likely it takes more time to break the key than its lifetime; I consider hacking the key, stealing it, etc. to be a form of breaking. Stealing a key through a 'sploit is also cryptanalysis.

Be Buddhist about your keys and have no attachments. (This is also a good philosophy about mail, but that's a different discussion.)

> - As I outlined things, there was never a reason you couldn't have multiple public keys, and in fact it would be a good idea to make traffic analysis harder. Adding a new key for a new facet of your electronic life is trivial.

That's a fine step to a good attitude, but the effect on traffic analysis will be small or close to nil. Traffic analysis includes social graph analysis and any good social graph analysis will include probabilities that an entity will have different personae. Keys are just masks, too, just like a persona.

Jon
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 27/08/13 at 10:05pm, Christian Huitema wrote:
>> Suppose, as in Bitcoin, my email address *is* my public key
>
> You can even use some hash compression tricks so you only need 9 or 10 characters to express the address as hash of the public key. That works very well, until you have to change the public key.

.. and until someone wants to find a public key which shares the first 10 digits of the hash with yours.
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Aug 28, 2013, at 4:24 AM, danimoth wrote:
> On 27/08/13 at 10:05pm, Christian Huitema wrote:
>>> Suppose, as in Bitcoin, my email address *is* my public key
>>
>> You can even use some hash compression tricks so you only need 9 or 10 characters to express the address as hash of the public key. That works very well, until you have to change the public key.
>
> .. and until someone wants to find a public key which shares the first 10 digits of the hash with yours.

9 or 10 *characters*, not *digits*. You need enough bits that, even given the birthday paradox, the probability of this occurring is low enough not to matter. Since the birthday paradox will lead to a 50% probability of collision after about the square root of the number of possible values, given a 10-character signature, that's at about 5 characters. Way too low, for digits. If characters are full bytes, 2^40 generated public keys is plausible, though perhaps uncomfortably small; and if the characters have to be printable - then I agree, way too low. You could use hash compression, but the retained compressed values will have to be rather larger. Say 150 bits worth, at least.

On the underlying matter of changing my public key: *Why* would I have to change it? It's not, as today, because I've changed my ISP or employer or some other random bit of routing information - presumably it's because my public key has been compromised. That's a disaster no matter how I identify myself, one that's very difficult to recover from - pretty much impossible unless (a) there's some way to revoke a key (yes, we've had problems with getting that to work even in the current PKI environment, but there's no real alternative); (b) I've prepared for the eventuality. Given (a), I can send out a signed revocation message. (So can the attacker, but presumably he had bigger plans for the key than just killing it.) Given (b), I have pre-shared one or more replacement keys that I still trust, and my revocation can name the one to put into use. (Of course, it cannot introduce a brand new key!) Done this way, my response to key compromise is no different from normal key rollover.

-- Jerry
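The arithmetic behind Jerry's estimate, as an added worked example (my own code, not from the thread) for addresses that are a truncated hash of the public key: bits per character for the three alphabets he compares, the birthday bound for accidental collisions among honestly generated keys, the roughly 2^bits cost of matching one specific address (the targeted search danimoth describes, which the birthday halving does not help), and an empirical birthday check on a deliberately short 20-bit prefix using constructed random "keys". The alphabet sizes and the SHA-256 stand-in for "hash of the public key" are my assumptions.

```python
import hashlib
import math
import random

# Alphabets compared in the post: decimal digits, printable ASCII, full bytes.
ALPHABETS = {"digits": 10, "printable": 95, "bytes": 256}


def prefix_bits(chars: int, alphabet_size: int) -> float:
    """Entropy in bits carried by `chars` characters drawn from `alphabet_size` symbols."""
    return chars * math.log2(alphabet_size)


def chars_needed(bits: float, alphabet_size: int) -> int:
    """Characters needed to carry at least `bits` of hash, e.g. the 150 bits suggested above."""
    return math.ceil(bits / math.log2(alphabet_size))


def birthday_keys_for_half_collision(bits: float) -> float:
    """Keys generated (by everyone, honestly) at which P(two share a prefix) is about 1/2.
    Birthday bound: n ~ sqrt(2 ln2 * 2^bits) ~ 1.18 * 2^(bits/2)."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


def collision_probability(n: int, bits: float) -> float:
    """P(at least one shared prefix among n keys): 1 - exp(-n(n-1) / (2 * 2^bits))."""
    return 1.0 - math.exp(-n * (n - 1) / (2 * 2 ** bits))


def targeted_expected_trials(bits: float) -> float:
    """Expected key generations to match ONE chosen address prefix (danimoth's scenario).
    That is a second-preimage search on the truncated hash: about 2^bits trials. The
    birthday square root governs accidental clashes only, not this targeted search."""
    return 2.0 ** bits


def summarize(chars: int) -> dict:
    """Per alphabet: bits, keys to a 50% accidental collision, trials for a targeted match."""
    out = {}
    for name, size in ALPHABETS.items():
        b = prefix_bits(chars, size)
        out[name] = {
            "bits": b,
            "birthday_50pct": birthday_keys_for_half_collision(b),
            "targeted": targeted_expected_trials(b),
        }
    return out


def address_prefix(pubkey: bytes, nbits: int) -> int:
    """Stand-in for 'address = hash of the public key': the leading nbits of SHA-256."""
    digest = hashlib.sha256(pubkey).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def trials_until_prefix_collision(nbits: int, seed: int) -> int:
    """Empirical birthday check with constructed random 32-byte 'public keys' (not real
    keys): generate until two share an nbits-bit address prefix; return how many it took."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        key = rng.getrandbits(256).to_bytes(32, "big")
        p = address_prefix(key, nbits)
        if p in seen:
            return count
        seen.add(p)


if __name__ == "__main__":
    for name, row in summarize(10).items():
        print(f"10 {name:9s}: {row['bits']:6.1f} bits, "
              f"50% accidental collision near {row['birthday_50pct']:.3g} keys, "
              f"targeted match ~{row['targeted']:.3g} trials")
    print("chars for 150 bits:", {n: chars_needed(150, s) for n, s in ALPHABETS.items()})
    print("20-bit prefix, empirical keys to first collision:",
          trials_until_prefix_collision(20, seed=1),
          "vs birthday estimate", round(birthday_keys_for_half_collision(20)))
```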
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Wed, 28 Aug 2013, Jerry Leichter wrote:
> On the underlying matter of changing my public key: *Why* would I have to change it? It's not, as today, because I've changed my ISP or employer or some other random bit of routing information - presumably it's because my public key has been compromised.

Maybe it's because you've forgotten the passphrase guarding the corresponding private key? Or because you'd like to do the electronic equivalent of "change my name, start [this facet of] my electronic life over"?

--
-- Jonathan Thornburg jth...@astro.indiana.edu
   Dept of Astronomy IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time." -- George Orwell, 1984
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Aug 26, 2013, at 5:27 PM, The Doctor dr...@virtadpt.net wrote:

> On 08/26/2013 08:46 AM, Phillip Hallam-Baker wrote:
>> Which is why I think Ted Lemon's idea about using Facebook type friending may be necessary.
>
> Or Gchat-style contacts.
>
>> I don't think we can rely on that for Key distribution. But I think it needs to be a part of the mix.
>
> What if the public key were baked into the user's public-facing profile in such a fashion that the client could pick it up automagickally but viewers just saw another link that they'd never click on anyway?

I am thinking that I want to make face to face exchange of keys via an iPhone 'bump' type app possible. Also I want to be able to use friend relationships as a spam filtering control. Perhaps you only want to accept encrypted email from people if you know them.

My spam problem is a little larger than most. While I was doing anti-spam at VeriSign I received a quarter of the mail for the company. I have been under a DoS attack on my mail for a considerable time.

But in any case, at the moment we have email, IM, voice and video all as separate apps unless we go through a proprietary scheme when they become one. The missing piece for email security is key discovery. If we are going to solve that problem for email we should do it for all the other apps as well.

The market for secure email is going to be tiered. There will be folks like us who want to have full control and do a lot of the work ourselves and there will be people who want to buy in the expertise and then there will be institutions that need to outsource.

As folk probably know, I work for Comodo and so I am interested in the possibility of establishing an enterprise market for secure email services. But that is only an interesting commercial prospect if there is a chance that secure email will become ubiquitous. In the near term, the critical mass for secure email has to come from another sector. People concerned about PRISM seem to be the constituency most likely to drive adoption. Even if the threat from other sources (Iran, Russia) is actually greater in my view.

>> I have a protocol compiler. Just give it an abstract schema and out pops a server and client API library. Just need to add the code to implement the semantics. It is up on Sourceforge, will update later this week.
>
> Neat! Link, please?

https://sourceforge.net/projects/jsonschema/

The code should be uploaded later this week or early next. Just got back from Europe and having some hardware issues of the expensive kind.
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 26/08/13 08:47 AM, Richard Clayton wrote:
>> Even without the recent uproar over email privacy, at some point, someone was going to come up with a product along the following lines: Buy a cheap, preconfigured box with an absurd amount of space (relative to the "huge" amounts of space, like 10GB, the current services give you); then sign up for a service that provides your MX record and on-line, encrypted backup space for a small monthly fee. (Presumably free services to do the same would also appear, perhaps from some of the dynamic DNS providers.)
>
> Just what the world needs, more free email sending provision! sigh

Right. One of the problems with email (as pointed out in OP's original post) is that it is free to send *and* it can be sent to everyone. The combination of these two assumptions/requirements is essential for spam.

Chat systems have pretty much killed spam by making it non-possible to send to everyone. You need an introduction/invite/process/barrier, first. This has worked pretty well.

Maybe the writing is on the wall? Maybe we just need to let email die? We can move email over to the 'IM technology' layer. We can retain the email metaphor by simply adding it to chat clients, and by adding IM technology to existing email clients. Both clients can allow us to write emails and send them, over their known IM channels to known contacts.

Why do we need the 1980s assumption of being able to send freely to everyone, anyway?

iang
Re: [Cryptography] Email and IM are ideal candidates for mix networks
Iang wrote:
> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?

tech.supp...@i.bought.your.busted.thing.com is one that comes to mind. i...@sale.me.your.thing.com is another.

I think the types of prior whitelist only secure systems being discussed on-list here lately will in the long run win out with the lion's share of messages, but that bog standard 'dirty' email will persist for commercial interactions of the type I list above.

-David Mercer

David Mercer
Portland, OR
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 08/27/2013 18:34, ianG wrote:
> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?

It's clear you're not a journalist or working in any other profession where you actually need to be able to communicate spontaneously with strangers.

wg

--
www.pelicancrossing.net -- all about me
Twitter: @wendyg
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Tue, Aug 27, 2013 at 2:04 PM, Wendy M. Grossman wen...@pelicancrossing.net wrote:
> It's clear you're not a journalist or working in any other profession where you actually need to be able to communicate spontaneously with strangers.

And if the people who attacked the NY Times' DNS today had chosen to replace the NY Times' MX records with pointers to their own mailserver . . . communications intended for journalists would be in the hands of the Syrian Electronic Army, or whoever's actually responsible for the hack.

Unencrypted E-mail is going to result in someone's death pretty quickly, if it hasn't already.

--
Greg Broiles
gbroi...@gmail.com
(Lists only. Not for confidential communications.)
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Tue, Aug 27, 2013 at 5:04 PM, Wendy M. Grossman wen...@pelicancrossing.net wrote:
> On 08/27/2013 18:34, ianG wrote:
>> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?
>
> It's clear you're not a journalist or working in any other profession where you actually need to be able to communicate spontaneously with strangers.

True, but you are probably willing to tolerate a higher level of spam getting through in that case.

One hypothesis that I would like to throw out is that there is no point in accepting encrypted email from someone who does not have a key to encrypt the response.

--
Website: http://hallambaker.com/
Re: [Cryptography] Email and IM are ideal candidates for mix networks
Phillip Hallam-Baker wrote:
> One hypothesis that I would like to throw out is that there is no point in accepting encrypted email from someone who does not have a key to encrypt the response.

I'd agree, as I was in just this position in the last week or so: I got a gpg encrypted email from someone I had no key for, and I haven't cut or circulated one in a very long while (my bad, as it were, on the latter point). So what's the point in even getting a key from them at that point, after the fact? They ARE not many 'hops' away from me in a web of trust sense so far as knowing people in person, but without having keys exchanged ahead of time, it's all moot.

As I'm sure this list already knows. Just re-iterating the point made here in various ways that key exchange is THE big problem in all of this. If we can usably crack that nut with 'house servers' on a dongle, we're most of the way there wrt secure email, IMNSHO. Zooko's triangle, pet names... we have cracked the THEORY of secure naming, just not the big obstacle of key exchange.

And I don't think the wider public was concerned/scared enough to care before Snowden. Let's hope they care long enough to adopt any viable solutions to the problem that might pop up in the wake of all this. The traffic on this list the past week is a very welcome thing.

-David Mercer

David Mercer
Portland, OR
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Tue, 27 Aug 2013 21:33:01 + radi...@gmail.com wrote:
> Iang wrote:
>> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?
>
> tech.supp...@i.bought.your.busted.thing.com is one that comes to mind. i...@sale.me.your.thing.com is another.
>
> I think the types of prior whitelist only secure systems being discussed on-list here lately will in the long run win out with the lions share of messages, but that bog standard 'dirty' email will persist for commercial interactions of the type I list above.

On the other hand, tech.support@sillycompany could just accept all contact requests, at least temporarily.

Perry

--
Perry E. Metzger  pe...@piermont.com
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman wen...@pelicancrossing.net wrote:
> On 08/27/2013 18:34, ianG wrote:
>> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?
>
> It's clear you're not a journalist or working in any other profession where you actually need to be able to communicate spontaneously with strangers.

Of course, as a reporter, you are probably getting email addresses of people to talk to via referral, and that could be used to get past the barrier.

The problem of people spontaneously contacting a published address is harder. I don't claim to have all the answers, but experimentation will probably tell us a lot more than simply thinking in the abstract.

--
Perry E. Metzger  pe...@piermont.com
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 8/27/13 7:48 PM, Perry E. Metzger wrote:
> On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman wen...@pelicancrossing.net wrote:
>> On 08/27/2013 18:34, ianG wrote:
>>> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?
>>
>> It's clear you're not a journalist or working in any other profession where you actually need to be able to communicate spontaneously with strangers.
>
> Of course, as a reporter, you are probably getting email addresses of people to talk to via referral, and that could be used to get past the barrier.

And that's how friend-of-friend stuff is happening now (LinkedIn and the like). In a way the old-fashioned letter of introduction had a lot to recommend it. :-)

Peter

--
Peter Saint-Andre
https://stpeter.im/
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 8/27/13 7:45 PM, Perry E. Metzger wrote:
> On Tue, 27 Aug 2013 21:33:01 + radi...@gmail.com wrote:
>> Iang wrote:
>>> Why do we need the 1980s assumption of being able to send freely to everyone, anyway?
>>
>> tech.supp...@i.bought.your.busted.thing.com is one that comes to mind. i...@sale.me.your.thing.com is another.
>>
>> I think the types of prior whitelist only secure systems being discussed on-list here lately will in the long run win out with the lions share of messages, but that bog standard 'dirty' email will persist for commercial interactions of the type I list above.
>
> On the other hand, tech.support@sillycompany could just accept all contact requests, at least temporarily.

Realistically they all have a web-based contact form these days anyway. Similarly, they all have live web-based chat systems that don't require opening up more broadly. HTTP is the new TCP and all that.

For truly federated communication (BigRetailer wants its employees to exchange messages with smaller companies in its supply chain), a more open technology is needed, but we have those for email and IM.

However, we're off-topic for what's truly important here: not enterprise email and IM, but secure technologies for individuals.

Peter

--
Peter Saint-Andre
https://stpeter.im/
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Aug 27, 2013, at 9:48 PM, Perry E. Metzger wrote:

> On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman wen...@pelicancrossing.net wrote:
>
> > On 08/27/2013 18:34, ianG wrote:
> >
> > > Why do we need the 1980s assumption of being able to send freely to everyone, anyway?
> >
> > It's clear you're not a journalist or working in any other profession where you actually need to be able to communicate spontaneously with strangers.
>
> Of course, as a reporter, you are probably getting email addresses of people to talk to via referral, and that could be used to get past the barrier.
>
> The problem of people spontaneously contacting a published address is harder.

Actually, it isn't, or shouldn't be.

Email addresses were originally things you typed into a terminal. They had to be short, memorable, and easy to type. Published meant printed on paper, which implied typing the thing back in.

But none of that matters much any more. Publication is usually on-line, so contact addresses can be arbitrary links. When we meet in person, we can exchange large numbers of bits between our smartphones. Hell, even a business card can easily have a QR code on the back.

Suppose, as in Bitcoin, my email address *is* my public key. If you wanted to send me email, you'd have a routing problem - but I could even give you hints: My address would be leich...@lrw.com:public key. You can try there first, or you can look up my public key in some global dictionary. An attacker could get your mail to me to go to them, but they can't read it - you already know my public key, so only *I* can read it. The only attack they can mount is a denial of service. I can have any number of public keys, and all published routes to me may go through a mix - so I can minimize metadata leakage.

The assumption that initial contact information has to be something human-processable creates the whole "how do I securely map contact information to a key" problem. Flip it around and that problem vanishes.

-- Jerry

I don't claim to have all the answers, but experimentation will probably tell us a lot more than simply thinking in the abstract.

--
Perry E. Metzger
pe...@piermont.com
Re: [Cryptography] Email and IM are ideal candidates for mix networks
> Suppose, as in Bitcoin, my email address *is* my public key

You can even use some hash compression tricks so you only need 9 or 10 characters to express the address as hash of the public key.

That works very well, until you have to change the public key.

--
Christian Huitema
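The two address forms discussed above (Jerry's key-as-address with an optional routing hint, and Christian's short hash of the key), as an added example that is not code from the thread. It shows the check a client must do whenever it fetches a key from a "global dictionary", and the caveat that rotating the key changes the address. The "pk:"/"fp:" tags and the "route:tag:value" layout are assumptions made here; the key material is a constructed stand-in.

```python
"""Address-as-public-key helpers (added example; not code from the thread).

Jerry's form carries the key itself, optionally behind a routing hint such as
a legacy mailbox to try first.  Christian's form shortens that to a hash of
the key.  Either way a client that obtains a key from any directory must check
it against the address before trusting it.  The 'pk:' / 'fp:' tags and the
"route:tag:value" layout are assumptions made for this example.
"""
import base64
import hashlib
from typing import Dict, Optional, Tuple


def _b32(data: bytes) -> str:
    """Lower-case, unpadded base32: compact and safe to type or print."""
    return base64.b32encode(data).decode("ascii").lower().rstrip("=")


def full_address(pubkey: bytes, route: Optional[str] = None) -> str:
    """Jerry's form: the address *is* the public key."""
    body = "pk:" + _b32(pubkey)
    return f"{route}:{body}" if route else body


def short_address(pubkey: bytes, chars: int = 10,
                  route: Optional[str] = None) -> str:
    """Christian's form: a truncated SHA-256 of the key.

    Each base32 character carries 5 bits, so 10 characters commit to only
    50 bits of the hash; that is what makes the address typeable, and also
    what bounds how hard a second key matching the address is to find.
    """
    fp = _b32(hashlib.sha256(pubkey).digest())[:chars]
    body = "fp:" + fp
    return f"{route}:{body}" if route else body


def parse_address(addr: str) -> Tuple[Optional[str], str, str]:
    """Split 'route:tag:value' or 'tag:value' into (route, tag, value)."""
    parts = addr.rsplit(":", 2)
    if len(parts) == 3:
        route, tag, value = parts
    elif len(parts) == 2:
        route, (tag, value) = None, parts
    else:
        raise ValueError(f"malformed address: {addr!r}")
    if tag not in ("pk", "fp") or not value:
        raise ValueError(f"unknown address form: {addr!r}")
    return route, tag, value


def key_matches(addr: str, candidate: bytes) -> bool:
    """Does a key retrieved from somewhere actually belong to this address?

    For 'pk' the comparison is exact.  For 'fp' only the embedded hash prefix
    is checked, so the guarantee is exactly as strong as that prefix.
    """
    _, tag, value = parse_address(addr)
    if tag == "pk":
        return _b32(candidate) == value
    return _b32(hashlib.sha256(candidate).digest()).startswith(value)


def resolve(addr: str, directory: Dict[str, bytes]) -> bytes:
    """Look the address up in an untrusted directory and verify the answer.

    A directory that substitutes its own key is detected here, which is why
    Jerry's attacker can only deny service, not read the mail.
    """
    candidate = directory.get(addr)
    if candidate is None:
        raise LookupError(f"no key published for {addr!r}")
    if not key_matches(addr, candidate):
        raise LookupError(f"directory returned a key not matching {addr!r}")
    return candidate


if __name__ == "__main__":
    # Constructed stand-ins for two public keys (real keys would be longer).
    key_a = bytes(range(32))
    key_b = bytes(range(32, 64))
    addr = short_address(key_a, route="alice@example.org")
    print(addr)
    print(resolve(addr, {addr: key_a}) == key_a)   # True
    try:
        resolve(addr, {addr: key_b})               # substitution is detected
    except LookupError as exc:
        print(exc)
    # Christian's caveat: a new key is a new address, so every correspondent
    # and every printed business card now carries a stale one.
    print(short_address(key_b, route="alice@example.org") != addr)   # True
```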
Re: [Cryptography] Email and IM are ideal candidates for mix networks
In message fdd34a58-6ce6-497a-a177-b940d36d0...@lrw.com, Jerry Leichter leich...@lrw.com writes

> On the flip side, mail systems like gMail or Yahoo mail are complex and difficult to run *exactly because they are immense*.

The mail systems part is really rather simple... and pretty much looks after itself. That's not where all the employees work.

> But what are they getting for that size? There are no economies of scale here - in fact, there are clear *dis*economies.

... the economy of scale is in identifying and routing spam of various kinds. Some can be detected a priori -- the majority of the detection relies on feedback from users (the chances are that someone else got the bad mail before you did, so it can be arranged that you are not bothered)

> Even without the recent uproar over email privacy, at some point, someone was going to come up with a product along the following lines: Buy a cheap, preconfigured box with an absurd amount of space (relative to the huge amounts of space, like 10GB, the current services give you); then sign up for a service that provides your MX record and on-line, encrypted backup space for a small monthly fee. (Presumably free services to do the same would also appear, perhaps from some of the dynamic DNS providers.)

Just what the world needs, more free email sending provision! sigh

> What's the value add of one of the giant providers?

If you run your own email system then you'll rapidly find out what 2013's spam / malware problem looks like.

Just as success in crypto deployment isn't about algorithms or file formats, success in mail handling isn't about MX records and MTAs.

--
richard                                                   Richard Clayton

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
                                                          Benjamin Franklin
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Mon, 26 Aug 2013 06:47:49 +0100 Richard Clayton rich...@highwayman.com wrote:

> If you run your own email system then you'll rapidly find out what 2013's spam / malware problem looks like.

This is slightly off topic, but...

As it happens, I run my own email system (and run email for a few other people at the same time.) My email address is also very very widely published, so I'm on virtually every spam list in existence. Thus, I'm reasonably qualified to speak on this.

Things work pretty well, and I spend essentially no time on required maintenance.

Malware is not a problem. Viruses by email haven't been prevalent for a while anyway, but because I block all windows executable formats in attachments at the SMTP server, back when they were common, none of that traffic got through. 100% coverage.

For spam, I use a couple of reliable RBLs, a few simple block rules, and spamassassin for postprocessing. I get almost everything. About ten spams a day get through to me, but on the other hand, I get hundreds of legitimate messages on an average day and my address is _very_ widely published.

I think that a zero maintenance box that handles this is probably doable. One could also set up a peer to peer blacklisting/spam reporting and detection system that would reduce the problem further without individual work.

All that said, there is a good reason that I proposed that in the long run, whitelist only systems like Jabber and Facebook messaging are a better model.

--
Perry E. Metzger
pe...@piermont.com
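The "block all windows executable formats in attachments at the SMTP server" rule from the message above, as an added example that is not Perry's own configuration. It walks the MIME parts of a message at the DATA stage and refuses it on either the declared filename or the PE magic bytes, so a binary behind a wrong Content-Type or a double extension is still caught; the extension list and the sample messages are constructed for this example.

```python
"""Executable-attachment rejection at the SMTP server (added example; not
Perry's own configuration).

The check runs over a complete message at the DATA stage and refuses it if
any non-text MIME part is a Windows executable.  It looks at the declared
filename and at the PE magic bytes, so a binary hiding behind a wrong
Content-Type or a double extension is still caught.  The sample messages are
constructed here; the extension list is an assumption, not a complete one.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Sequence, Tuple

# Windows executable formats this filter refuses (assumed list; extend as needed).
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".dll", ".cpl")
PE_MAGIC = b"MZ"   # first two bytes of every DOS / PE executable


def executable_parts(raw: bytes) -> List[str]:
    """Return the names of all MIME parts that look like Windows executables."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        name = (part.get_filename() or "").lower()
        by_name = name.endswith(EXEC_EXTENSIONS)
        by_magic = False
        if part.get_content_maintype() != "text":   # a text body starting "MZ" is not a binary
            payload = part.get_payload(decode=True) or b""
            by_magic = payload.startswith(PE_MAGIC)
        if by_name or by_magic:
            hits.append(name or part.get_content_type())
    return hits


def smtp_verdict(raw: bytes) -> Tuple[int, str]:
    """SMTP reply for the DATA stage: permanent 550 reject if anything matched."""
    hits = executable_parts(raw)
    if hits:
        return 550, "5.7.1 Windows executable attachments are not accepted: " + ", ".join(hits)
    return 250, "2.0.0 Ok: queued"


def build_message(attachments: Sequence[Tuple[str, bytes, str]]) -> bytes:
    """Constructed test message with the given (filename, data, content-type) parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for filename, data, ctype in attachments:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    clean = build_message([("report.pdf", b"%PDF-1.4 constructed", "application/pdf")])
    dirty = build_message([
        ("invoice.pdf.exe", b"MZ\x90\x00 constructed", "application/octet-stream"),
        ("holiday.jpg", b"MZ\x90\x00 constructed", "image/jpeg"),   # wrong type, real magic
    ])
    print(smtp_verdict(clean))   # (250, '2.0.0 Ok: queued')
    print(smtp_verdict(dirty))   # (550, '5.7.1 ... invoice.pdf.exe, holiday.jpg')
```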
Re: [Cryptography] Email and IM are ideal candidates for mix networks
Hi,

On 26.08.2013 00:28, Perry E. Metzger wrote:

> We probably don't want any sort of central service running this network that could be easily disrupted, so identifier to IP address information should probably be stored in some big honking DHT, signed in the ID's key. Access to the DHT probably should happen in some privacy preserving way, possibly through the mix network itself or a PIR protocol.

Hashing it out in public: Common failure modes of DHT-based anonymity schemes
by Andrew Tran, Nicholas Hopper, and Yongdae Kim.
In the Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2009), Chicago, IL, USA, November 2009.
http://freehaven.net/anonbib/#wpes09-dht-attack

We examine peer-to-peer anonymous communication systems that use Distributed Hash Table algorithms for relay selection. We show that common design flaws in these schemes lead to highly effective attacks against the anonymity provided by the schemes. These attacks stem from attacks on DHT routing, and are not mitigated by the well-known DHT security mechanisms due to a fundamental mismatch between the security requirements of DHT routing's put-get functionality and anonymous routing's relay selection functionality.

[...]

CONCLUSION

The anonymity literature, including all of the schemes investigated here, is replete with claims that a peer-to-peer architecture is necessary in order to construct a scheme that will work at Internet scale. Distributed Hash Tables offer a scalable architecture for organizing and finding peers, and thus appear to be an obvious choice of peer-to-peer architecture. However, as we have shown there is not a clear bijection between the security and robustness requirements of a DHT's put-get interface and an anonymity scheme's relay selection mechanism. This leads to severe vulnerabilities in the existing schemes based on DHTs, limiting the deployability of such schemes.

The critical question for future work in this line of research is whether a "DHT-like" algorithm can be designed to meet the specific requirements - in terms of privacy, availability, and correctness - of an anonymity scheme.
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Aug 26, 2013, at 10:14 AM, Perry E. Metzger pe...@piermont.com wrote:

> On Mon, 26 Aug 2013 06:47:49 +0100 Richard Clayton rich...@highwayman.com wrote:
>
> > If you run your own email system then you'll rapidly find out what 2013's spam / malware problem looks like.
>
> This is slightly off topic, but...
>
> As it happens, I run my own email system (and run email for a few other people at the same time.) My email address is also very very widely published, so I'm on virtually every spam list in existence. Thus, I'm reasonably qualified to speak on this.
>
> Things work pretty well, and I spend essentially no time on required maintenance

This is my experience as well. My primary email address is actually served by a small ISP whose spam filter I don't trust - too many false positives. Actually, I have yet to see a spam filter I *do* trust. So I've configured my account at the ISP to mark what it thinks is spam in the subject line but then pass it through. My primary spam filtering is from Mail.app - but I manually check everything in my Junk mailbox before tossing it. I see every message it thinks is spam, everything my ISP thinks is spam, and everything they think is ham as well. (Mail.app has no idea what the ISP's Spam marking means, but presumably adds it as an element in its own decisions.)

Like Perry's, my email address has been the same for a while (25 years or so, in my case - it was initially delivered via UUCP) and has been widely distributed. My experience is that Mail.app's junk filtering is rather good, producing a small number of false positives and negatives. My ISP's filtering is considerably worse. Reviewing my junk mail is no big deal.

Way back when, I used to get an overwhelming amount of spam. Looking at it, the cause became clear: I own lrw.com, and have the only mailbox there. I had set it up to forward mail sent to any user at lrw.com to me. I never got anything useful that way - but I got *tons* of spam. Simply black-holing anything not sent specifically to leich...@lrw.com cut the load *way* down.

Keep in mind that one of the starting points of this discussion was how to implement mail that was proof against PRISM-like bulk monitoring. That rules out solutions in which a central server has access to the cleartext of your mail to do spam scanning anyway. If people were willing to send definite spam to a central server, and accept consensus updates to their spam filter in response, there's no reason why the same algorithms that the big guys currently run couldn't be combined with local scanning. (At least you could safely send examples of spam. Sending ham is more problematic. And one could speculate about the kinds of attacks that targeted spam, together with monitoring of when it gets noticed and sent back to the service, could enable.)

-- Jerry
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 08/25/2013 03:28 PM, Perry E. Metzger wrote:

> So, imagine that we have the situation described by part 1 (some universal system for mapping name@domain type identifiers into keys with reasonable trust) and part 2 (most users having some sort of long lived $40 device attached to their home network to act as a home server.)

My main issue with this proposal is that somebody identifiable is going to manufacture these boxes. Maybe several somebodies, but IMO, that's an identifiable central point of control/failure.

If this is deployed, what could an attacker gain by compromising the manufacturers, via sabotage, component modification/substitution at a supplier's chip fab, or via secret court order from a secret court operating according to a secret interpretation of the law?

Bear
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 08/25/2013 08:32 PM, Jerry Leichter wrote:

> Where mail servers have gotten into trouble is when they've tried to provide additional services - e.g., virus scanners, which then try to look inside of complex formats like zip files. This is exactly the kind of thing you want to avoid - another part of the mission creep that we tend to see in anything that runs on a general-purpose computer.

Absolutely agreed; the most reliable things are the least complex.

> That's 20th century thinking: The computer is expensive, keep it busy. Twenty first century thinking should be: The computer is cheap - leave it alone to do its job securely.

My thinking is more like: The computer has a multitasking OS. Whatever else it needs to be doing will be in another process. So you lose nothing if you keep each process simple.

Or if it's a single-purpose box intended to provide security; don't dilute its purpose. Keep it simple enough that even installations of it in the wild, after unknown handling and in all possible configurations, can be unambiguously, easily, and exhaustively tested so you know they're doing exactly what they should be and no more.

> Realistically, it will be impossible to get little appliances like this patched on a regular basis - how many people patch their WiFi routers today? - so better to design on the assumption there won't be any patches.

Also agreed; online patches are the number one distribution vector of malware that such a device would need to be worried about. Firstly because whoever can issue such a patch is a central point of control/failure and can be coerced.

So send it out with an absolutely sealed kernel.

Bear
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Mon, 26 Aug 2013 10:40:17 -0700 Ray Dillinger b...@sonic.net wrote:

> On 08/25/2013 03:28 PM, Perry E. Metzger wrote:
>
> > So, imagine that we have the situation described by part 1 (some universal system for mapping name@domain type identifiers into keys with reasonable trust) and part 2 (most users having some sort of long lived $40 device attached to their home network to act as a home server.)
>
> My main issue with this proposal is that somebody identifiable is going to manufacture these boxes. Maybe several somebodies, but IMO, that's an identifiable central point of control/failure.

One can use a commercial PC if one wants to install on one's own, or any one of many manufacturers of small boxes. It is certainly the case that the hardware layer can be attacked, all is lost. On the other hand, if we presume supply chain attacks, all is lost anyway -- once you control the computer, the protocols it is running don't matter. Even keyboards can be suborned -- see Gaurav Shah's work on that, for example.

I would prefer not to try to solve that problem right now -- it is too broad and too general. If others can solve it, that's of course a great thing. :)

Perry

--
Perry E. Metzger
pe...@piermont.com
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Mon, Aug 26, 2013 at 02:44:32PM -0400, Perry E. Metzger wrote:

> > My main issue with this proposal is that somebody identifiable is going to manufacture these boxes. Maybe several somebodies, but IMO, that's an identifiable central point of control/failure.

Recently there's a trend for at least somewhat open hardware (Raspberry Pi, other ARM systems, Parallella Epiphany) some of which contain enough FPGA real estate (sure, we know there are FPGA backdoors, but) so that you could boot up an open core soft CPU, and even bootstrap your own toolchain from scratch.

> One can use a commercial PC if one wants to install on one's own, or any one of many manufacturers of small boxes. It is certainly the case

In principle an FPGA die is regular, and hence more easily inspectable, but even SoCs can be sampled by reverse-engineering them from the metal layers.

> that the hardware layer can be attacked, all is lost. On the other hand, if we presume supply chain attacks, all is lost anyway -- once you control the computer, the protocols it is running don't matter. Even keyboards can be suborned -- see Gaurav Shah's work on that, for example.

We need open, fully inspectable systems. If proving code, or at least, auto-generating code from state machines catches on in open source the number of exploitable vulnerabilities can be greatly diminished.

> I would prefer not to try to solve that problem right now -- it is too broad and too general. If others can solve it, that's of course a great thing. :)
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 08/26/2013 08:46 AM, Phillip Hallam-Baker wrote:

> Which is why I think Ted Lemon's idea about using Facebook type friending may be necessary.

Or Gchat-style contacts.

> I don't think we can rely on that for Key distribution. But I think it needs to be a part of the mix.

What if the public key were baked into the user's public-facing profile in such a fashion that the client could pick it up automagickally but viewers just saw another link that they'd never click on anyway?

> I have a protocol compiler. Just give it an abstract schema and out pops a server and client API library. Just need to add the code to implement the semantics. It is up on Sourceforge, will update later this week.

Neat! Link, please?

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Who are you?"
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On 8/26/13 8:14 AM, Perry E. Metzger wrote:

> there is a good reason that I proposed that in the long run, whitelist only systems like Jabber and Facebook messaging are a better model.

As one of those Jabber guys, I agree. :-)

Perry, thanks for starting some very interesting threads here -- I'll post more soon.

Peter

--
Peter Saint-Andre
https://stpeter.im/
Re: [Cryptography] Email and IM are ideal candidates for mix networks
I think we can agree that the first step is to deploy home servers, and that the first application there would be to host communication applications. Just doing that without much other change would already provide protection against the silent spying that goes on in big cloud servers.

Initial deployment of anything must provide an immediate reward to the early adopters. You cannot rely on a network effect, and that means you can certainly not request third parties to adopt a new protocol. So better pinch our noses and say that, of course, we will accept SMTP mail. Probably SIP as well, and XMPP. We just need at first to make sure that the home server is easy to deploy and maintain. Then the adopters get the immediate reward, nobody can go through my mail archives without asking me.

The various P2P enhancements come next, once there already is a network of home servers. The obvious one is a communication application that beats traffic analysis by embedding its own shuffling or onion routing. I don't think we can run anything like that directly on a phone, it would drain the battery way too quickly.

-- Christian Huitema
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Sun, 25 Aug 2013 16:04:59 -0700 Christian Huitema huit...@huitema.net wrote:

> I think we can agree that the first step is to deploy home servers, and that the first application there would be to host communication applications. Just doing that without much other change would already provide protection against the silent spying that goes on in big cloud servers.
>
> Initial deployment of anything must provide an immediate reward to the early adopters. You cannot rely on a network effect, and that means you can certainly not request third parties to adopt a new protocol. So better pinch our noses and say that, of course, we will accept SMTP mail. Probably SIP as well, and XMPP. We just need at first to make sure that the home server is easy to deploy and maintain. Then the adopters get the immediate reward, nobody can go through my mail archives without asking me.

I do not disagree, and given a home server, supporting whatever protocols are popular is merely a matter of software. One reason I split that proposal (more to come!) into multiple messages was because I think the issues are somewhat distinct, and home servers would be of use regardless.

That said, I personally don't need much of a network effect to make things like secure IM useful to me. I exchange instant messages all day long, but only with about a dozen people for the most part. I don't need the whole world to switch to a new IM system for me to be much happier, just that dozen people. My email network is somewhat wider, but even there, I'd get incremental benefit from a new protocol. The trick is to make it easy to do the old and the new at the same time. Most IMAP and Jabber clients will happily handle multiple accounts, however, so I don't even have to choose if the client access protocol remains the same.

> The various P2P enhancements come next, once there already is a network of home servers. The obvious one is a communication application that beats traffic analysis by embedding its own shuffling or onion routing. I don't think we can run anything like that directly on a phone, it would drain the battery way too quickly.

It might not if the total traffic was quite low (even if my IM traffic in bytes or packets was 10x larger because of a mix network participation, it would still be tiny compared to even a couple of phone calls a day). Still, I tend to agree that home nodes make better mix participants.

--
Perry E. Metzger
pe...@piermont.com
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Aug 25, 2013, at 6:28 PM, Perry E. Metzger wrote:

[Commenting on just one minor piece]

> ...Similar techniques may be useful for voice traffic, but that has interesting latency requirements, and they're hard to fulfill with a mix network that might take arbitrary time.

There's been some interesting work by a number of people (including one of my doctoral brothers) on this topic. It probably would require a bunch of experimentation to get it right. On the other hand, anything might be better than what we have now for voice traffic, which is essentially zero privacy from the operators of most of the services.

There's another problem with voice: People have come to expect services beyond the old point-to-point conversations that the traditional phone network provided. Group conferences are now very much an expected part of on-line voice services. These actually require fairly sophisticated processing of the audio to balance levels, avoid or suppress echoes, and so on. The only implementation techniques available today require a central server with access to cleartext voice streams. Not only does the server need to be trusted to handle the cleartext voice streams, it has to be trusted to do all the authentication - what comes out of the system doesn't usually match what went in from any one endpoint. Multi-way chat has similar, if much simpler, problems.

On the rare occasions these problems (or even multi-party video conferencing) get mentioned, someone usually suggests using homomorphic cryptography. Besides being way too expensive to be practical at the moment, it's not even clear to me that it provides a useful kind of security. What kind of authentication model could such a system implement? Without it, what's to prevent a rogue server from inserting its own voice into the conversation?

There are probably a couple of nice PhD dissertations in here

-- Jerry
Re: [Cryptography] Email and IM are ideal candidates for mix networks
On Aug 25, 2013, at 7:04 PM, Christian Huitema wrote:

> I think we can agree that the first step is to deploy home servers, and that the first application there would be to host communication applications. Just doing that without much other change would already provide protection against the silent spying that goes on in big cloud servers.
>
> Initial deployment of anything must provide an immediate reward to the early adopters. You cannot rely on a network effect, and that means you can certainly not request third parties to adopt a new protocol. So better pinch our noses and say that, of course, we will accept SMTP mail. Probably SIP as well, and XMPP. We just need at first to make sure that the home server is easy to deploy and maintain. Then the adopters get the immediate reward, nobody can go through my mail archives without asking me.

I agree, and have suggested this as the right next step for a couple of years. (For services like mail, it's the right next step *even without the security considerations*. At one time, everyone who wanted to use mail ran his own mail server. This was a pain to do, and didn't work well in a world of intermittent network connectivity and small disks. Letting someone else figure out how to keep sendmail working, provide a continuous on-line presence, back up the disks, and so on, was a clear win. Today, however, pretty much everyone (well, at least in the first world; but the problems elsewhere are of an entirely different nature anyway) has a continuous, immensely fast (relative to the demands of mail) internet connection, disk is too cheap to meter, machines run for years with no maintenance, and you can back everything up using readily-available tools to encrypted copies in the cloud, or on a friend's system. What's been missing is the ability to configure your local mail server as easily as you set up an email address at Google or Yahoo or at any other provider. But that's a solvable problem.

On the flip side, mail systems like gMail or Yahoo mail are complex and difficult to run *exactly because they are immense*. But what are they getting for that size? There are no economies of scale here - in fact, there are clear *dis*economies.

Even without the recent uproar over email privacy, at some point, someone was going to come up with a product along the following lines: Buy a cheap, preconfigured box with an absurd amount of space (relative to the huge amounts of space, like 10GB, the current services give you); then sign up for a service that provides your MX record and on-line, encrypted backup space for a small monthly fee. (Presumably free services to do the same would also appear, perhaps from some of the dynamic DNS providers.) What's the value add of one of the giant providers?

> The various P2P enhancements come next, once there already is a network of home servers. The obvious one is a communication application that beats traffic analysis by embedding its own shuffling or onion routing.

A single-purpose appliance - a box that has exactly two open ports on the Internet, one for SMTP and one for IMAP, with management over a physically separate interface, would have a tiny attack surface and could be very secure. The more interfaces you put on the box, the less secure it gets. Maybe you can play games with virtualization - not the kind of virtualization that's used today, with all kinds of hooks for efficient sharing, but virtualization specifically for security, with as little sharing as possible (e.g., completely separate virtual disks; so what if you duplicate stuff, programs and such are tiny relative to disk sizes today).

*The* biggest headache is HTTP support. Even the simplest modern HTTP server is so complex you can never be reasonably sure it's secure (though, granted, it's simpler than a browser!) You'd want to stay simple and primitive.

Probably the biggest threat to such a device is a rogue update that installs malware. You can try to mitigate that risk by requiring that all updates be signed by multiple independent parties who vet the patch, but there are difficult tradeoffs: Too few checkers, and a rogue patch can get through; too many, and if a severe problem develops, you can't get a patch out quickly. I think the goal to aim for is no patches! Keep the device and its interfaces simple enough that you can get a decent formal proof of correctness, along with a ton of careful review and testing (per Don Knuth's comment somewhere to "Be careful of the following code, I've only proved it correct, not tested it") and then *leave it alone*. If you don't think you can do without patches for the whole thing, maybe you can have a non-patched security kernel, with patches only to portions that cannot break your security guarantees. (Yes, this is also a hard problem.)

An important element of a secure design is some sort of obliviousness. A mail server doesn't, on its own, need to