Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-04-19 Thread markus reichelt
* Ian G [EMAIL PROTECTED] wrote:

 So, why not always sign messages to a list that permits
 signatures?
 
 It's hard to see the benefit, and it is easy to see the potential
 cost.  In a litiguous world, we are (slightly) better off not using
 messages that are going to haunt us in years to come.  As a
 principle, I'd never advise anyone to sign any message unless they
 could state what that meant.

Well, I for one value the spreading of cryptographic means higher
than what might happen due to some misguided lawyer. with all the
lost privacy due to so-called protection laws from all the
evildoers this has only strengthened my resolve. after all, the
lawyers are still there even if one doesn't use cryptographic means.

In my world there's just too much lobbyism involved not to take
action in the vital field of privacy. Most people using electronic
communications either believe that some occasional eavesdropping is
ok (for they have nothing to hide; an arguement solely given by the
state in some 1984 manner), or they don't grasp the extent of
eavesdropping possibilities, or they just don't bother. not bothering
is just equally bad as giving in to the state because if one remains
passive, it is not likely that one will change one's perception
easily switching to actively propagate one's ideals (because of a
certain receptiveness to state arguements). and nowadays it's hard
enough to change things even if one is actively involved.


 It could well be that this is a difference in view across the
 Atlantic.  It seems that many (continental) Europeans do not
 perceive a threat to themselves from things they write; whereas the
 English-centric world is more NDA obsessed.

I guess you mean Non-Disclosure Agreement by NDA. All those acronyms;
it's about time the A takes action.

I haven't really perceived it the way you describe, but I don't work
in an environment where such things could matter at all. I'm in the
scientific community (chemistry), and there limits of talk (if you
get the meaning) are described pretty well, and this only affects
some areas of competition.

Given that some individual or even organisation keeps track of its
employees' writings in/on public media, I barely see the benefits
apart from some cases where it comes to leaking info which is already
prohibited by some kind of Non-Disclosure Agreement. those exist here
too, but with all the transparency about it, one really has to be
utterly stupid to mess things up.

From what you write I get the impression that even the slightest hint
about even the slightest clue may cause one harm. In my opinion this
fuels fear, just like telling a teenager not to ever fall in love
because he'll only get hurt anyway. we have misguided lawyers here
too, far too many of them in fact, for about over 20 years, and they
need to get an income. all that increased sueing stuff can be traced
back to the growing numbers of lawyers hitting the open market. not
that it offers a solution but there's still the bottom of the ocean
or the moon, and mars may be an issue soon...


 Quite frankly, I wouldn't have thought this topic would emerge the
 way it has on a cryptography mailinglist. Maybe it's about time to
 publish my article Why Cryptography Is Important In Modern Life
 after all (don't hold your breath; with me being pretty busy it's
 not due until after eastern).
 
 Cryptography is a tool, not a religion, notwithstanding the desires
 of many to deify it.  It is the application that delivers benefits,
 and properly thought out apps generally use as little crypto as
 they can get away with.  Top-down applications thinking says use
 the tool that does the job whereas bottom-up, toolbox thinking
 says use this tool because it's so cool!

I guess you got me wrong, and I'm not sure I get your top-down,
bottom-up analogies. Anyway, I'm not propagating means of
cryptography because of a religious hype or something. to clarify
this, me and my friends are not amused by officials having the legal
means to listen in on email communications, phone conversations, etc.
both without prior suspicion and some kind of notification of the
person(s) being listened in to, let alone legal backup (it was
rendered redundant anyway). because of the terrorist-threat-hype such
processes are now accelerated to fit only the state's benefits, yet
they sold as a citizen's benefit altogether. we have a saying here (i
hope it carries over, i'm not a native english speaker): working at
such a hectic pace replaces an intellectual calm.

From what I wrote above I guess it can be boiled down to this. Means
of cryptography are valued because of the possibility to protect
one's privacy that the state obviously has deemed unnecessary, for
good citizens surely don't have something to hide. simply put, since
we all don't walk the street naked, the state always wins. such a
state is out of balance, and checks are most likely still in place
where they possibly can't influence a larger picture.

someone 

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-20 Thread Peter Saint-Andre
Ian G wrote:
 Chris Palmer wrote:
 Peter Saint-Andre writes:

 http://www.saint-andre.com/blog/2006-02.html#2006-02-27T22:13

 3. I see on your site you use and advertise for CACert. I hope CACert's
 signing cert(s) are never trusted by my browser, because then my browser
 would trust any cheap-ass random pseudonym in the world. 

IMHO trust is something you do, not something your browser does. Unless
you're going to delegate trust to the browser manufacturers...

 Which brings us
 to my next point...
 
 You are probably talking about the Class 1 root
 that CAcert uses to issue pseudonymous certs.
 Yes, they can be acquired by any cheap-ass
 psuedonym (but not randomly, as I think there is
 a serial number in there which I was told was
 an unavoidable artifact of x.509).
 
 Over on Peter's blog it seems to indicate he is
 an Assurer ... assuming that is correct [it isn't
 a cryptographically sound image :) ] then this
 means he is at least assured which is their
 term for his identity having been verified.

In CAcert, assurance is an action. You show me two government-issued
photo IDs (GIPIDs) and I compare them with your visage and physical
person; if I think they match, I assure you for some number of points
in the web of trust. If you get to a certain number of points, you can
use the Class 3 root. If you get even more points, you can become an
assurer (someone who does assurances). I happened to use the trusted
third party process for assurance (get copies of my GIPIDs witnessed
and notarized by two persons who are legally authorized in my
jurisdiction to witness and notarize documents), which results in more
points initially and the ability to become an assurer more quickly.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml



smime.p7s
Description: S/MIME Cryptographic Signature


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-10 Thread Chris Palmer
Peter Saint-Andre writes:

 http://www.saint-andre.com/blog/2006-02.html#2006-02-27T22:13

1. Anonymity does matter. You might have heard of a little thing called
the First Amendment. ;) It's great that you're proud of what you say,
but no matter how proud you are, there could be bad, unfair consequences
if you say certain things and/or if you have a certain identity. A
little wisely-used anonymity can further an honest debate (such as
debating what should be in the Constitution!) and protect people from
low-power groups.

2. Email signing, alone, gives you only pseudonymity.

3. I see on your site you use and advertise for CACert. I hope CACert's
signing cert(s) are never trusted by my browser, because then my browser
would trust any cheap-ass random pseudonym in the world. Which brings us
to my next point...

4. Identity is not, and can never be, a substitute for a real judgement
about goodness. That I sign my messages doesn't make them any smarter;
many good and helpful comments come from such forgeable identities as
Steven Bellovin and Ben Laurie. Even fake names that look
ridiculously fake, like StealthMonger, sometimes send useful
information. When you immediately discount what that person says, you
are doing yourself an unfavor.


-- 
https://www.eff.org/about/staff/#chris_palmer



pgp3QSxLKKGry.pgp
Description: PGP signature


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-10 Thread James A. Donald

--
Victor Duchovni wrote:
 My claim is that, while indeed it is easier to set the initial
 barriers higher when you design with greater hindsight, and some of
 the tractable, but not widely deployed email security measures will
 be there in IM systems from the start, never the less IM systems if
 they are to encroach on the ubiquity of email for ad-hoc
 communications between strangers (it is far easier to address
 strangers via email today) will encounter exactly the same intrinsic
 issues, and that technical measures will have equally partial
 efficacy.

Total perfect and complete solutions will never be possible, but
stopping the most flagrant and inconvenient abuses is perfectly
feasible, and not even remarkably difficult.  These days you see
little spam on most Usenet groups, and one of the primary uses of
Usenet is ad hoc communication between strangers.

SSL works fine, PKI has serious problems. Usenet for the most part
works fine, Jabber works fine, email has serious problems

The federated structure of jabber, where random people connect to any
one of a very large number of privileged servers is similar to the
Usenet structure - and the Usenet structure works because for your
server to retain your privileges, you need to control spam.

 I am willing to speculate that people will continue to unfairly
 tarnish the competence of the email RFC writers, without regard to
 the intrinsic properties of the medium.

It is not so much that they were incompetent, but that they were
writing for a more trusting and trustworthy world.  Today, we have to
do things differently.

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 PRRq2Za8iG5qzD2wX3ug3xGXEWyekUqHQTZAspUQ
 4Mjw8nFOqtf9erylBgQZo+5aUTVPzgKVdij0TQUDs

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Victor Duchovni
On Wed, Mar 01, 2006 at 06:15:36PM +0100, Ian G wrote:

 Email is hard to get encrypted, but it didn't stop Skype from doing
 encryped IMs easily.
 
 
 Likewise I have secured email communications with my wife via a single
 key exchange, so what? Skype has not easily created an interoperable
 federated system that secures all IM communications end-to-end, and
 many of the issues in doing that are non-technical.
 
 
 Right.  Nor did email create a single federated
 system that crosses across to mobile phones.  There
 is always a boundary where a system stops.

Federated accross millions of account issuing organizations, not
technologies, and email did do that, and IM did not. IM is like email from
a choice MCI, Sprint or ATT, sure they can control the medium better,
but this is a temporary state of affairs...

 The point is that the non-technical issues we
 are looking at here are *better* handled at the
 level of competitive systems, because they have
 incentives to solve them, whereas technical
 committees writing RFCs do not.

These are closed systems that compete with each other, once
they become federated, they can no longer compete on end-to-end
security, because that is a property of the interoperability
framework, not the individual product. Also with millions
of account issuers, the abuse and identity problems become
just as bad as for email. The problem is intrinsic, is not
the result of lazy RFC writers.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Thoenen
--- John W Noerenberg II [EMAIL PROTECTED] wrote:
 Oh really?  Then you should be able to send a note to my gmail
 address.

So I have been reading this thread for the last couple days and the
above comment gives me a chance to voice something that really needs to
be said.  Let's face it, a large chunk of emails (including work and
official emails) are sent from folks personal yahoo, google, hotmail,
AOL, etc etc accounts via web based interfaces.  Hell  even lots of
official work accounts are going webmail now days as anything to make
like better for the ignorant worker.  We keep talking about tools and
email client integration but everybody seems to be missing the obvious.
 Where are the inline integrated webmail authentication tools and don't
say copy / paste.

Until we solve this problem, I don't see mom and pop signing their
emails automatically and / or transparently.  


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Ben Laurie
[EMAIL PROTECTED] wrote:
 Alex Alten wrote:
 At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
 Alex Alten wrote:
 At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
 Ed Gerck wrote: We have keyservers for this (my chosen
 technology was PGP). If you liken their use to looking up an
 address in an address book, this isn't hard for users to grasp.

 I used PGP (Enterprise edition?) to encrypt my work emails to a 
 distributed set of members last year.  We all had each other's
 public keys (about a dozen or so).

 What I really hated about it was that when [EMAIL PROTECTED] sent
 me an email often I couldn't decrypt it.  Why?  Because his
 firm's email server decided to put in the FROM field
 [EMAIL PROTECTED]. Since it didn't match the email name
 in his X.509 certificate's DN it wouldn't decrypt the S/MIME
 attachment. This also caused problems with replying to his email.
 It took us hours, with several experimental emails sent back and
 forth, to figure out the root of the problem.

 No wonder PKI has died commercially and encrypted email is on the
  endangered species list.
 I trust you don't think this is a problem with PKI, right? Since
 clearly the issue is with the s/w you were using.
 I place the blame squarely on X.509 PKI.  The identity aspect of it
 is all screwed up. No software implementation can overcome such a
 fundamental architectural flaw.
 OK - I'll bite - why does the sender's identity have any impact on the
 recipient's ability to decrypt?

 
 Because the software needs a unique ID/name to find the correct key to 
 use. In practice (corporate) users can have multiple email names, see 
 my reply to Peter Gutman.  This is not the fault of the email 
 architecture, which has been working fine for 30-40 years, but the fault
 of the X.509 architecture trying to piggyback on an address/name space 
 that is not designed with security/cryptography considerations in mind.

I have to admit to not being familiar with S/MIME, but the usual
practice is to identify the signing key in the signature. Certainly this
is what OpenPGP does. Its also kinda weird to refuse to decrypt just
because the signature can't be verified.

Cheers,

Ben.


-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Ben Laurie
[EMAIL PROTECTED] wrote:
 - Original Message -
 From: Ben Laurie [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: NPR : E-Mail Encryption Rare in Everyday Use
 Date: Thu, 02 Mar 2006 10:16:55 +


 [EMAIL PROTECTED] wrote:
 Alex Alten wrote:
 At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
 Alex Alten wrote:
 At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
 Ed Gerck wrote: We have keyservers for this (my chosen
 technology was PGP). If you liken their use to looking up an
 address in an address book, this isn't hard for users to grasp.

 I used PGP (Enterprise edition?) to encrypt my work emails to 
 a distributed set of members last year.  We all had each 
 other's
 public keys (about a dozen or so).

 What I really hated about it was that when [EMAIL PROTECTED] sent
 me an email often I couldn't decrypt it.  Why?  Because his
 firm's email server decided to put in the FROM field
 [EMAIL PROTECTED]. Since it didn't match the email name
 in his X.509 certificate's DN it wouldn't decrypt the S/MIME
 attachment. This also caused problems with replying to his email.
 It took us hours, with several experimental emails sent back and
 forth, to figure out the root of the problem.

 No wonder PKI has died commercially and encrypted email is on the
  endangered species list.
 I trust you don't think this is a problem with PKI, right? Since
 clearly the issue is with the s/w you were using.
 I place the blame squarely on X.509 PKI.  The identity aspect of it
 is all screwed up. No software implementation can overcome such a
 fundamental architectural flaw.
 OK - I'll bite - why does the sender's identity have any impact on the
 recipient's ability to decrypt?

 Because the software needs a unique ID/name to find the correct 
 key to use. In practice (corporate) users can have multiple email 
 names, see my reply to Peter Gutman.  This is not the fault of 
 the email architecture, which has been working fine for 30-40 
 years, but the fault
 of the X.509 architecture trying to piggyback on an address/name 
 space that is not designed with security/cryptography 
 considerations in mind.
 I have to admit to not being familiar with S/MIME, but the usual
 practice is to identify the signing key in the signature. Certainly this
 is what OpenPGP does. Its also kinda weird to refuse to decrypt just
 because the signature can't be verified.

 
 How does OpenPGP identify the signing key in the incoming email's signature?

Here's the output of one of the example programs in OpenPGP:SDK
(http://openpgp.nominet.org.uk/), showing the structure of an OpenPGP
signed file. I trust it is self-explanatory.

 ptag new_format=0 content_tag=8 length_type=3 length=0x0 (0)
position=0x0 (0)
COMPRESSED packet
Compressed Data Type: 1

 ptag new_format=0 content_tag=4 length_type=0 length=0xd (13)
position=0x0 (0)
ONE PASS SIGNATURE packet
Version: 3
Signature Type: Signature of a binary document (0x0)
Hash Algorithm: SHA1 (0x2)
Public Key Algorithm: RSA (Encrypt or Sign) (0x1)
Signer ID: 0x8337FE6485F4ED64
Nested: 1

 ptag new_format=0 content_tag=11 length_type=0 length=0x22 (34)
position=0xf (15)
LITERAL DATA HEADER packet
  literal data header format=b filename='to-be-signed'
modification time=1141297085 (Thu Mar  2 10:58:05 2006)
LITERAL DATA BODY packet
  literal data body length=16
data=
To Be Signed.



 ptag new_format=0 content_tag=2 length_type=1 length=0x95 (149)
position=0x33 (51)
SIGNATURE packet
Signature Version: 3
Signature Creation Time: time=1141297085 (Thu Mar  2 10:58:05 2006)
Signature Type: Signature of a binary document (0x0)
Signer ID: 0x8337FE6485F4ED64
Public Key Algorithm: RSA (Encrypt or Sign) (0x1)
Hash Algorithm: SHA1 (0x2)
hash2: 0xBF33
sig=7344970C0DF62B089E79FFF024137E9D7D8919B6B1F1F29F3CCE8CD34625759EC181452C1A17858E418BA838FD3FED6AD013E7562F0B4E87BCA81D82D22B825A3ED6447E0F31F14DE0321554D558CEDCC339424ADA01B7C7374BBC59DE54E6BE4670D9D9E6FAC6412E927545DF1D2F0A373BFE6D058893CF675554F2DF8BE079

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Anton Stiglic

More strongly, if we've never met, and you are not in the habit of
routinely signing email, thereby tying a key to your e-persona, it
makes no sense to speak of *secure* communication to *you*. 

Regularly signing email is not necessarily a good idea.  I like to be able
to repudiate most emails I send...

 --Anton

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 268.1.2/274 - Release Date: 03/03/2006
 


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Florian Weimer
* Bill Stewart:

 Or you could try using the Google Keyserver -
   just because there isn't one
 doesn't mean you can't type in 9E94 4513 3983 5F70
 or 9383DE06   or   [EMAIL PROTECTED] PGP Key
 and see what's in Google's cache.

What a peculiar advice.  We know for sure that Google logs these
requests and stores them indefinitely. 8-(

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Alex Alten

At 05:58 AM 3/3/2006 +, Ben Laurie wrote:

[EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:
 Alex Alten wrote:
 At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
 Alex Alten wrote:
 At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
 Ed Gerck wrote: We have keyservers for this (my chosen
 technology was PGP). If you liken their use to looking up an
 address in an address book, this isn't hard for users to grasp.

 I used PGP (Enterprise edition?) to encrypt my work emails to
 a distributed set of members last year.  We all had each
 other's
 public keys (about a dozen or so).

 What I really hated about it was that when [EMAIL PROTECTED] sent
 me an email often I couldn't decrypt it.  Why?  Because his
 firm's email server decided to put in the FROM field
 [EMAIL PROTECTED]. Since it didn't match the email name
 in his X.509 certificate's DN it wouldn't decrypt the S/MIME
 attachment. This also caused problems with replying to his email.
 It took us hours, with several experimental emails sent back and
 forth, to figure out the root of the problem.

 No wonder PKI has died commercially and encrypted email is on the
  endangered species list.
 I trust you don't think this is a problem with PKI, right? Since
 clearly the issue is with the s/w you were using.
 I place the blame squarely on X.509 PKI.  The identity aspect of it
 is all screwed up. No software implementation can overcome such a
 fundamental architectural flaw.
 OK - I'll bite - why does the sender's identity have any impact on the
 recipient's ability to decrypt?

 Because the software needs a unique ID/name to find the correct
 key to use. In practice (corporate) users can have multiple email
 names, see my reply to Peter Gutman.  This is not the fault of
 the email architecture, which has been working fine for 30-40
 years, but the fault
 of the X.509 architecture trying to piggyback on an address/name
 space that is not designed with security/cryptography
 considerations in mind.
 I have to admit to not being familiar with S/MIME, but the usual
 practice is to identify the signing key in the signature. Certainly this
 is what OpenPGP does. Its also kinda weird to refuse to decrypt just
 because the signature can't be verified.


 How does OpenPGP identify the signing key in the incoming email's 
signature?


Here's the output of one of the example programs in OpenPGP:SDK
(http://openpgp.nominet.org.uk/), showing the structure of an OpenPGP
signed file. I trust it is self-explanatory.


Assuming this file is attached to an incoming email message, how does the
receiver's email software match the Signer ID (= 0x8337FE6485F4ED64) to
a X.509 cert in his local cache that is associated with the email sender's name
(= [EMAIL PROTECTED])?


--

- Alex Alten


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Gutmann
Hi,

Basically our customer required us to encrypt any team communications. So we
used PGP with email.  I know the body of the email was encrypted, and I
believe attachments were too.  The certs were used to automate the
decryption.  Basically the PGP plugin would check the incoming mail's sender
email name and try to find a local cert that had the same email name in it.

Hmm, that sounds like broken software then, since the (probabilistically)
unique keyID to locate the appropriate decryption or signature verification
key is included in the message/signature - you never have to look at the From:
address, and indeed trying to use it for key lookups would be a recipe for
disaster because of the problems you pointed out.

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Alex Alten

At 03:13 AM 3/6/2006 +1300, Peter Gutmann wrote:


Basically our customer required us to encrypt any team communications. So we
used PGP with email.  I know the body of the email was encrypted, and I
believe attachments were too.  The certs were used to automate the
decryption.  Basically the PGP plugin would check the incoming mail's sender
email name and try to find a local cert that had the same email name in it.

Hmm, that sounds like broken software then, since the (probabilistically)
unique keyID to locate the appropriate decryption or signature verification
key is included in the message/signature - you never have to look at the From:
address, and indeed trying to use it for key lookups would be a recipe for
disaster because of the problems you pointed out.


RFC 3280 states that an end entity's subject key id SHOULD be included. It is
not a MANDATORY extension field, see section 4.2.1.2.  So the software is
not technically broken.

Since the key id is derived from the raw public key itself,  doesn't that 
defeat

the purpose of automatically authenticating that the encrypted email is really
from [EMAIL PROTECTED]?  I'm assuming a naive email user on the receiver
side that never manually maps the key id to [EMAIL PROTECTED].  Most
general users sort of understand the email name format, it's a bit much to 
force
them to map a cryptic looking key id to it too.  Especially considering the 
user
might have dozens or hundreds of people on their mailing list.  Mapping 
mistakes

would be common.

I won't mention the questions regarding certificate revocaton vs user email 
name.

:-)

- Alex


--

- Alex Alten


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Gutmann
Alex Alten [EMAIL PROTECTED] writes:
At 03:13 AM 3/6/2006 +1300, Peter Gutmann wrote:
 Basically our customer required us to encrypt any team communications. So we
 used PGP with email.  I know the body of the email was encrypted, and I
 believe attachments were too.  The certs were used to automate the
 decryption.  Basically the PGP plugin would check the incoming mail's sender
 email name and try to find a local cert that had the same email name in it.

Hmm, that sounds like broken software then, since the (probabilistically)
unique keyID to locate the appropriate decryption or signature verification
key is included in the message/signature - you never have to look at the From:
address, and indeed trying to use it for key lookups would be a recipe for
disaster because of the problems you pointed out.

RFC 3280 states that an end entity's subject key id SHOULD be included. It is
not a MANDATORY extension field, see section 4.2.1.2.  So the software is not
technically broken.

Uhh, what does RFC 3280 have to do with PGP, which is what you said you were
using?  In any case if you are using X.509 certs, you match by subject DN (or
issuerAndSerialNumber for S/MIME), all of which serve the same function as the
PGP key ID.

Since the key id is derived from the raw public key itself,  doesn't that
defeat the purpose of automatically authenticating that the encrypted email
is really from [EMAIL PROTECTED]?

You use the PGP keyID or X.509 issuerAndSerialNumber to look up the key or
certificate, then display as the signer the identity associated with the key
or certificate.  What's in the From: address never enters into it, although
your software may choose to warn if the From: address doesn't match the email
address associated with the key.

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Ben Laurie
Alex Alten wrote:
 At 05:58 AM 3/3/2006 +, Ben Laurie wrote:
 [EMAIL PROTECTED] wrote:
  [EMAIL PROTECTED] wrote:
  Alex Alten wrote:
  At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
  Alex Alten wrote:
  At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
  Ed Gerck wrote: We have keyservers for this (my chosen
  technology was PGP). If you liken their use to looking up an
  address in an address book, this isn't hard for users to grasp.
 
  I used PGP (Enterprise edition?) to encrypt my work emails to
  a distributed set of members last year.  We all had each
  other's
  public keys (about a dozen or so).
 
  What I really hated about it was that when [EMAIL PROTECTED] sent
  me an email often I couldn't decrypt it.  Why?  Because his
  firm's email server decided to put in the FROM field
  [EMAIL PROTECTED]. Since it didn't match the email name
  in his X.509 certificate's DN it wouldn't decrypt the S/MIME
  attachment. This also caused problems with replying to his email.
  It took us hours, with several experimental emails sent back and
  forth, to figure out the root of the problem.
 
  No wonder PKI has died commercially and encrypted email is on the
   endangered species list.
  I trust you don't think this is a problem with PKI, right? Since
  clearly the issue is with the s/w you were using.
  I place the blame squarely on X.509 PKI.  The identity aspect of it
  is all screwed up. No software implementation can overcome such a
  fundamental architectural flaw.
  OK - I'll bite - why does the sender's identity have any impact
 on the
  recipient's ability to decrypt?
 
  Because the software needs a unique ID/name to find the correct
  key to use. In practice (corporate) users can have multiple email
  names, see my reply to Peter Gutman.  This is not the fault of
  the email architecture, which has been working fine for 30-40
  years, but the fault
  of the X.509 architecture trying to piggyback on an address/name
  space that is not designed with security/cryptography
  considerations in mind.
  I have to admit to not being familiar with S/MIME, but the usual
  practice is to identify the signing key in the signature. Certainly
 this
  is what OpenPGP does. Its also kinda weird to refuse to decrypt just
  because the signature can't be verified.
 
 
  How does OpenPGP identify the signing key in the incoming email's
 signature?

 Here's the output of one of the example programs in OpenPGP:SDK
 (http://openpgp.nominet.org.uk/), showing the structure of an OpenPGP
 signed file. I trust it is self-explanatory.
 
 Assuming this file is attached to an incoming email message, how does the
 receiver's email software match the Signer ID (= 0x8337FE6485F4ED64) to
 a X.509 cert in his local cache that is associated with the email
 sender's name
 (= [EMAIL PROTECTED])?

It is _OpenPGP_ so it does not match it to an X.509 cert. It matches it
to an OpenPGP key.

-- 
http://www.links.org/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Saint-Andre
Victor Duchovni wrote:
 On Wed, Mar 01, 2006 at 06:15:36PM +0100, Ian G wrote:
 
 Email is hard to get encrypted, but it didn't stop Skype from doing
 encryped IMs easily.

 Likewise I have secured email communications with my wife via a single
 key exchange, so what? Skype has not easily created an interoperable
 federated system that secures all IM communications end-to-end, and
 many of the issues in doing that are non-technical.

 Right.  Nor did email create a single federated
 system that crosses across to mobile phones.  There
 is always a boundary where a system stops.
 
 Federated accross millions of account issuing organizations, not
 technologies, and email did do that, and IM did not. IM is like email from
 a choice MCI, Sprint or ATT, sure they can control the medium better,
 but this is a temporary state of affairs...

Monolithic consumer IM services (AIM, MSN, Yahoo, etc. are like that.
Existing federated IM standards (e.g., Jabber/XMPP) are not.

 The point is that the non-technical issues we
 are looking at here are *better* handled at the
 level of competitive systems, because they have
 incentives to solve them, whereas technical
 committees writing RFCs do not.
 
 These are closed systems that compete with each other, once
 they become federated, they can no longer compete on end-to-end
 security, because that is a property of the interoperability
 framework, not the individual product. Also with millions
 of account issuers, the abuse and identity problems become
 just as bad as for email. The problem is intrinsic, is not
 the result of lazy RFC writers.

Well, in the Jabber/XMPP world we require authentication, servers must
stamp the from addresses, and we use (at a minimum) reverse DNS lookups
to verify server identities (or use certs with TLS + SASL-EXTERNAL if
you want true server-to-server authentication). So I'd say the abuse and
identity problems are not as bad in IM (at least the IM technology I'm
familiar with) as in email. But you'd hope that we've learned a thing or
two since email was invented. ;-)

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml



smime.p7s
Description: S/MIME Cryptographic Signature


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Saint-Andre
Anton Stiglic wrote:
 More strongly, if we've never met, and you are not in the habit of
 routinely signing email, thereby tying a key to your e-persona, it
 makes no sense to speak of *secure* communication to *you*. 
 
 Regularly signing email is not necessarily a good idea.  I like to be able
 to repudiate most emails I send...

As previously mentioned, anonymity and repudiability aren't high on my
list of values -- not that anyone cares about my hierarchy of values ;-)

But as promised I did blog about it:

http://www.saint-andre.com/blog/2006-02.html#2006-02-27T22:13

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml



smime.p7s
Description: S/MIME Cryptographic Signature


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Victor Duchovni
On Wed, Mar 08, 2006 at 12:53:16PM -0700, Peter Saint-Andre wrote:

  These are closed systems that compete with each other, once
  they become federated, they can no longer compete on end-to-end
  security, because that is a property of the interoperability
  framework, not the individual product. Also with millions
  of account issuers, the abuse and identity problems become
  just as bad as for email. The problem is intrinsic, is not
  the result of lazy RFC writers.
 
 Well, in the Jabber/XMPP world we require authentication, servers must
 stamp the from addresses, and we use (at a minimum) reverse DNS lookups
 to verify server identities (or use certs with TLS + SASL-EXTERNAL if
 you want true server-to-server authentication). So I'd say the abuse and
 identity problems are not as bad in IM (at least the IM technology I'm
 familiar with) as in email. But you'd hope that we've learned a thing or
 two since email was invented. ;-)

What is the value of such authentication? Which organizations will you
trust? For example, most mail that passes SPF is spam... Authentication
by the issuing organization is only useful, if you can keep bad issuers
of the net... If federated Jabber becomes universal, the bad guys cannot
be excised from the network. The botnets cannot be excised from the network,
...

The problem is technology neutral. Loosely along the lines of Goedel's
incompleteness theorem, any universally deployed federated communications
medium will exhibit spam.

MaximEither it is not mature enough, or it has spam./Maxim

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Saint-Andre
Victor Duchovni wrote:
 On Wed, Mar 08, 2006 at 12:53:16PM -0700, Peter Saint-Andre wrote:
 
 These are closed systems that compete with each other, once
 they become federated, they can no longer compete on end-to-end
 security, because that is a property of the interoperability
 framework, not the individual product. Also with millions
 of account issuers, the abuse and identity problems become
 just as bad as for email. The problem is intrinsic, is not
 the result of lazy RFC writers.
 Well, in the Jabber/XMPP world we require authentication, servers must
 stamp the from addresses, and we use (at a minimum) reverse DNS lookups
 to verify server identities (or use certs with TLS + SASL-EXTERNAL if
 you want true server-to-server authentication). So I'd say the abuse and
 identity problems are not as bad in IM (at least the IM technology I'm
 familiar with) as in email. But you'd hope that we've learned a thing or
 two since email was invented. ;-)
 
 What is the value of such authentication? Which organizations will you
 trust? For example, most mail that passes SPF is spam... Authentication
 by the issuing organization is only useful, if you can keep bad issuers
 of the net... If federated Jabber becomes universal, the bad guys cannot
 be excised from the network. The botnets cannot be excised from the network,
 ...
 
 The problem is technology neutral. Loosely along the lines of Goedel's
 incompleteness theorem, any universally deployed federated communications
 medium will exhibit spam.

I never made the strong claim that the federated Jabber network is or
always will remain spam free, only the weaker claim that its abuse and
identity problems are and will remain less serious than those of the
federated email network as it exists today. There is no magic bullet,
and a spam-free utopia is not an option if federated communications are
desired. I do not dispute that if Jabber becomes popular enough, there
will be rogue servers that don't enforce local authentication (although
with server dialback and TLS they can't fake from addresses at other
domains, see RFC 3920), and that those who deploy Jabber services will
need to blacklist those domains. I do not dispute that there will be
spam bots and that server admins or end users will need to block
communication with those bots (e.g., using the privacy list protocol
defined in RFC 3921). I do not dispute that there will be phishing
attacks (e.g., using internationalized addresses that look like but are
not identical to familiar addresses) and that client software will need
to take appropriate measures to differentiate between legitimate and
mimicked addresses (e.g., using petname systems as described in
JEP-0165). All I'm saying is that we have a lot of the infrastructure in
place (and are building more) to make abuse harder and identity stronger
than it is on the existing email network. Is Jabber perfect? No. We're
just trying to make it good enough that the bad guys will go elsewhere
(which, so far, they have).

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml



smime.p7s
Description: S/MIME Cryptographic Signature


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Victor Duchovni
On Wed, Mar 08, 2006 at 01:55:16PM -0700, Peter Saint-Andre wrote:

 I never made the strong claim that the federated Jabber network is or
 always will remain spam free, only the weaker claim that its abuse and
 identity problems are and will remain less serious than those of the
 federated email network as it exists today.

Time will tell. All I expect from the ultimate (~3 years out) rollout
of email authentication is less backscatter, not less phishing or
spam.

 I do not dispute that if Jabber becomes popular enough, there
 will be rogue servers that don't enforce local authentication (although
 with server dialback and TLS they can't fake from addresses at other
 domains, see RFC 3920), and that those who deploy Jabber services will
 need to blacklist those domains.

Of course new domains are less than $4 each in bulk... How will you
lock out throw-away domains? The black-list problem for email is not
solved. The good lists are nowhere near 100% effective. Is the equivalent
of port 25 blocking tractable for Jabber? Is there a difference between
the user-to-server port/protocol and the server-to-server port/protocol
in Jabber?

 I do not dispute that there will be
 spam bots and that server admins or end users will need to block
 communication with those bots (e.g., using the privacy list protocol
 defined in RFC 3921). I do not dispute that there will be phishing
 attacks (e.g., using internationalized addresses that look like but are
 not identical to familiar addresses) and that client software will need
 to take appropriate measures to differentiate between legitimate and
 mimicked addresses (e.g., using petname systems as described in
 JEP-0165).

Yes petname systems are an important UI tool for preserving the integrity
of existing peer communications. If IM is to replace email as some
want to claim, it needs to support messages from a fair share of total
strangers (we have never met).

 All I'm saying is that we have a lot of the infrastructure in
 place (and are building more) to make abuse harder and identity stronger
 than it is on the existing email network. Is Jabber perfect? No. We're
 just trying to make it good enough that the bad guys will go elsewhere
 (which, so far, they have).

My claim is that, while indeed it is easier to set the initial barriers
higher when you design with greater hindsight, and some of the tractable,
but not widely deployed email security measures will be there in IM
systems from the start, never the less IM systems if they are to encroach
on the ubiquity of email for ad-hoc communications between strangers
(it is far easier to address strangers via email today) will encounter
exactly the same intrinsic issues, and that technical measures will have
equally partial efficacy.

I am willing to speculate that the more likely scenario is that IM will
not become the ubiquitous medium that email is, and will escape the
problem by avoiding scope creep.

I am willing to speculate that people will continue to unfairly tarnish
the competence of the email RFC writers, without regard to the intrinsic
properties of the medium.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-01 Thread Victor Duchovni
On Sun, Feb 26, 2006 at 01:42:56PM -0800, Trevor Perrin wrote:

 Perhaps this is further support for Iang's contention that we should 
 expect newer, interactive protocols (IM, Skype, etc.) to take the lead 
 in communication security.  Email-style message encryption may simply 
 be a much harder problem.

This is neither surprising, nor relevant to email.

We are at this point reasonably good at encrypting unicast traffic and
the associated key management problem is often viable. Encrypting stored
data is a substantially more difficult problem.

We have increasingly common opportunistic TLS encryption of email traffic,
with occasional fully verified secure-channels between some pairs of
sites. We could conceivably some day (political barriers primarily
at this point) have a secure DNS for secure MX record lookups and key
distribution enabling secure channels between most sites. This is viable,
traffic encryption is a tractable problem.

Encrypting email content, to be stored encrypted, and decrypted when
read off-line, or read again later, ... is a problem that the IM
and VoIP vendors don't have to solve. They also don't have to solve
global federation of universally interoperable systems...

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-01 Thread John W Noerenberg II

At 5:58 PM -0800 2/24/06, Ed Gerck wrote:

A phone number is not an envelope -- it's routing information, just like
an email address. Publishing the email address is not in question and
there are alternative ways to find it out, such as search engines.


Oh really?  Then you should be able to send a note to my gmail address.

At 1:11 PM -0800 2/25/06, Ed Gerck wrote:

Arguments that people give each other their cell phone numbers, for example,
and even though there isn't a cell phone directory people use cell phones
well, also forget the user's point of view when comparing a phone number with
a public-key.


And that distinction is?

To me a cell-phone number is a string of characters, and a public-key 
is - a string of characters.



Finally, the properties of MY public-key will directly affect the 
confidentiality
properties of YOUR envelope. For example, if (on purpose or by 
force) my public-key

enables a covert channel (eg, weak key, key escrow, shared private key), YOUR
envelope is compromised from the start and you have no way of 
knowing it. This is
quite different from an address, which single purpose is to route 
the communication.


And if (on purpose or by force) your cell-phone number is being 
monitored by an eavesdropper, MY call is compromised from the start 
and I have no way of knowing it.


There is no difference.
--

john noerenberg
  --
  All actions are wrought by the qualities of nature only.
  The self, deluded by egoism, thinketh, I am the doer.
  -- Bhagavad Gita
  --

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-01 Thread Ed Gerck

John W Noerenberg II wrote:

At 5:58 PM -0800 2/24/06, Ed Gerck wrote:
A phone number is not an envelope -- it's routing information, just 
like

an email address. Publishing the email address is not in question and
there are alternative ways to find it out, such as search engines.


Oh really?  Then you should be able to send a note to my gmail address.


I did quite not get the irony/humor. All I'm saying about an email
address is that (1) it does not work as an envelope (hiding contents); and
(2) there's no big problem in using it. You publish your email address
every time you send an email from it, which may also make it searchable.


At 1:11 PM -0800 2/25/06, Ed Gerck wrote:
Arguments that people give each other their cell phone numbers, for 
example,

and even though there isn't a cell phone directory people use cell phones
well, also forget the user's point of view when comparing a phone 
number with

a public-key.


And that distinction is?

To me a cell-phone number is a string of characters, and a public-key is 
- a string of characters.


The distinction should be obvious if you try to tell someone your public-key
over the phone, byte by byte for 1024 bits, versus telling her your
8-digit cell phone number.

Cheers,
Ed Gerck

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-01 Thread StealthMonger
Ben Laurie [EMAIL PROTECTED] writes:

 Florian Weimer wrote:

  I couldn't find a PGP key server operator that committed itself to
  keeping logs confidential and deleting them in a timely manner (but I
  didn't look very hard, either).  Of course, since PGP hasn't
  progressed as faster as our computing resources, I'm nowadays in a
  position to run my own key server, but this is hardly a solution to
  that kind of problem.

 OK, I buy the problem, but until we do something about the totally
 non-anonymising properties of the 'net, revealing that I want the public
 key for some person seems to be quite minor - compared, for example, to
 revealing that I sent him email each time I do.

But you don't have to reveal that you sent him email.  You can use
stealthy communication.

Stealthy communication is communication wherein not only is the
content concealed from eavesdroppers by encryption, but information
about who is communicating with whom, when, or if at all, is
concealed, as well.

The Internet can be used for stealthy communication.  The basic idea
is that each potential participant has ongoing traffic to and from a
message pool which is propagated world-wide.  When the participant has
no live traffic to send, dummy traffic is sent instead.  The dummy
traffic is indistinguishable from the live traffic except by using
decryption keys which are chosen by correspondents.  The outbound
traffic continues autonomously without interruption for months and
years and is not correlated to the live traffic, so an observer
without the keys cannot determine when or how much live communication
is happening.  Inbound cover traffic consists of taking a full feed of
the message pool at all times without interruption.

A Debian Linux package exists which enables stealthy email.  It has
been in everyday use for years, although not widely.  Details on
request.  I am looking for someone to host it.  Any volunteers?

 -- StealthMonger

 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-01 Thread Udhay Shankar N

At 04:52 PM 2/26/2006, Ben Laurie wrote:


Don't forget that the ability to decrypt is just as good as a signature
to prove association of the key.


All it needs is for one successful trojan that steals your private 
key/passphrase and plausible deniability is available again. :)


Does anybody know if there were followups to the Caligula virus, 
which was a proof-of-concept that stole PGP keyrings?


Udhay

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-01 Thread Bill Stewart

Somebody, probably Florian, wrote:

 I couldn't find a PGP key server operator that committed itself to
 keeping logs confidential and deleting them in a timely manner (but I
 didn't look very hard, either).


Keyservers are a peripheral issue in PGP -
important for convenience and for quick distribution of revocation lists,
but they're very strongly just a tool for convenience.

Security through Inconvenience is one flipside of Security through 
Obscurity, I suppose...


If you've got a threat model that includes traffic analysis,
then either you and your unindicted co-conspirators
need to find other ways to exchange keys,
like printing them on business cards,
or find a keyserver that lets you suck down all the keys
so it's not obvious which key you're looking for,
or start using Tor to access the keyservers.

Or you could try using the Google Keyserver -
  just because there isn't one
doesn't mean you can't type in 9E94 4513 3983 5F70
or 9383DE06   or   [EMAIL PROTECTED] PGP Key
and see what's in Google's cache.





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Nicolas Rachinsky
* Ed Gerck [EMAIL PROTECTED] [2006-02-25 13:11 -0800]:
 Finally, the properties of MY public-key will directly affect the 
 confidentiality
 properties of YOUR envelope. For example, if (on purpose or by force) my 
 public-key
 enables a covert channel (eg, weak key, key escrow, shared private key), 
 YOUR
 envelope is compromised from the start and you have no way of knowing it. 
 This is
 quite different from an address, which single purpose is to route the 
 communication.
 
 That's I said the postal analogue of the public-key is the envelope.

I don't agree with that analogue. An paper envelope does not prevent
anybody from opening it (you can open it without any tools and with
nearly no effort). The encryption should make it impossible for
anybody to see the contents.  The recipient might detect that the
envelope was opened or replaced, but you must trust that he will
detect this (you can't check it yourself).

Nicolas

-- 
http://www.rachinsky.de/nicolas

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Matthew Byng-Maddick
On Sat, Feb 25, 2006 at 07:33:38PM +0100, Ian G wrote:
 areas.  The fact is that SSH came in with a solution
 and beat the other guy - Telnet secured over SSL.  It
 wasn't the crypto that did this, it was the key management,
 plain and simple.

Very few people I knew at the time moved to SSH because it was more
secure and because passwords weren't in plaintext. Most of the
people moved because of the things you could do with SSH above and
beyond telnet (port forwarding, X11 forwarding etc). In fact, the
latter is the main reason I moved - it dated before i started taking
an interest in security. Not to say that there weren't *any* who had
the security reasons for moving, but then kerberized telnet existed
too at that point in time.

Cheers,

MBM

-- 
Matthew Byng-Maddick  [EMAIL PROTECTED]   http://colondot.net/
  (Please use this address to reply)

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Trevor Perrin

Ed Gerck wrote:

Ben Laurie wrote:


I totally don't buy this distinction - in order to write to you with
postal mail, I first have to ask you for your address.



We all agree that having to use name and address are NOT the problem,
for email or postal mail. Both can also deliver a letter just with
the address (CURRENT RESIDENT junk mail, for example).

The problem is that pesky public-key. A public-key such as

[2. application/pgp-keys]...


is N O T user-friendly.



True enough about public keys.  Not so true about key fingerprints - a 
20-char fingerprint is probably not much harder to manage than the usual 
sorts of contact info (email, postal,  IM addresses, phone numbers, etc.).


Of course, a fingerprint won't let you encrypt an email without 
supporting infrastructure for key lookups.  However, it *will* let you 
authenticate a session (e.g., IM, VoIP, SSH) if your parter presents his 
public key in the handshake.


Perhaps this is further support for Iang's contention that we should 
expect newer, interactive protocols (IM, Skype, etc.) to take the lead 
in communication security.  Email-style message encryption may simply 
be a much harder problem.



Trevor

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Alex Alten

At 05:12 PM 2/26/2006 +, Ben Laurie wrote:

Alex Alten wrote:
 At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
 Ed Gerck wrote: We have keyservers for this (my chosen technology
 was PGP). If you liken their use to looking up an address in an
 address book, this isn't hard for users to grasp.

 I used PGP (Enterprise edition?) to encrypt my work emails to a
 distributed set of members last year.  We all had each other's public
 keys (about a dozen or so).

 What I really hated about it was that when [EMAIL PROTECTED] sent me
 an email often I couldn't decrypt it.  Why?  Because his firm's email
 server decided to put in the FROM field [EMAIL PROTECTED].
 Since it didn't match the email name in his X.509 certificate's DN it
 wouldn't decrypt the S/MIME attachment. This also caused problems
 with replying to his email.  It took us hours, with several
 experimental emails sent back and forth, to figure out the root of
 the problem.

 No wonder PKI has died commercially and encrypted email is on the
 endangered species list.

I trust you don't think this is a problem with PKI, right? Since clearly
the issue is with the s/w you were using.


I place the blame squarely on X.509 PKI.  The identity aspect of it is all 
screwed up.

No software implementation can overcome such a fundamental architectural flaw.

- Alex


--

- Alex Alten


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Peter Gutmann
Alex Alten [EMAIL PROTECTED] writes:

What I really hated about it was that when [EMAIL PROTECTED] sent me an email
often I couldn't decrypt it.  Why?  Because his firm's email server decided
to put in the FROM field [EMAIL PROTECTED].  Since it didn't match
the email name in his X.509 certificate's DN it wouldn't decrypt the S/MIME
attachment. This also caused problems with replying to his email.  It took us
hours, with several experimental emails sent back and forth, to figure out
the root of the problem.

Something's getting lost in this description.  What does the value in the
From field have to do with you decrypting a message?  OTOH the mention of an
attachment indicates a detached S/MIME signature, which doesn't have
anything to do with encryption.  If it is a signature, then the software
should verify it with the included cert and display that as the signer.

Please correct and resubmit.

Peter.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Ben Laurie
Florian Weimer wrote:
 * Ben Laurie:
 
 I don't use PGP - for email encryption I use enigmail, and getting
 missing keys is as hard as pressing the get missing keys button.
 
 A step which has really profound privacy implications.
 
 I couldn't find a PGP key server operator that committed itself to
 keeping logs confidential and deleting them in a timely manner (but I
 didn't look very hard, either).  Of course, since PGP hasn't
 progressed as faster as our computing resources, I'm nowadays in a
 position to run my own key server, but this is hardly a solution to
 that kind of problem.

OK, I buy the problem, but until we do something about the totally
non-anonymising properties of the 'net, revealing that I want the public
key for some person seems to be quite minor - compared, for example, to
revealing that I sent him email each time I do.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Ben Laurie
Alex Alten wrote:
 At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
 Alex Alten wrote:
 At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
 Ed Gerck wrote: We have keyservers for this (my chosen
 technology was PGP). If you liken their use to looking up an
 address in an address book, this isn't hard for users to grasp.
 
 
 I used PGP (Enterprise edition?) to encrypt my work emails to a 
 distributed set of members last year.  We all had each other's
 public keys (about a dozen or so).
 
 What I really hated about it was that when [EMAIL PROTECTED] sent
 me an email often I couldn't decrypt it.  Why?  Because his
 firm's email server decided to put in the FROM field
 [EMAIL PROTECTED]. Since it didn't match the email name
 in his X.509 certificate's DN it wouldn't decrypt the S/MIME
 attachment. This also caused problems with replying to his email.
 It took us hours, with several experimental emails sent back and
 forth, to figure out the root of the problem.
 
 No wonder PKI has died commercially and encrypted email is on the
  endangered species list.
 
 I trust you don't think this is a problem with PKI, right? Since
 clearly the issue is with the s/w you were using.
 
 I place the blame squarely on X.509 PKI.  The identity aspect of it
 is all screwed up. No software implementation can overcome such a
 fundamental architectural flaw.

OK - I'll bite - why does the sender's identity have any impact on the
recipient's ability to decrypt?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Victor Duchovni
On Sat, Feb 25, 2006 at 07:33:38PM +0100, Ian G wrote:

 Hence, IM/chat, Skype, TLS experiments at Jabber, as
 well as the OpenPGP attempts.
 
 There are important lessons to be learnt in the rise of
 IM over email.

Likewise the rise of the telephone over paper mail, but the phone does
not obviate the need for paper mail.

 Email is held back by its standardisation, chat seems to overcome
spam quite nicely.

Where's Gaddi Evron when you need him? This is just not true, the spam
volume is rising for both blogs and IM.

 Email is hard to get encrypted, but it didn't stop Skype from doing
 encryped IMs easily.

Likewise I have secured email communications with my wife via a single
key exchange, so what? Skype has not easily created an interoperable
federated system that secures all IM communications end-to-end, and
many of the issues in doing that are non-technical.

 The competition between the IM systems is what is driving
 the security forward.  As there is no competition in the
 email world, at least at the level of the basic protocol
 and standard, there is no way for the security to move
 forward.
 

IM is islands of automation, luckily email works globally.

 Phishing is possible over chat,
 but has also been relatively easy to address - because
 the system owners have incentives and can adjust.

This is naive, IM will become federated and decentralized and abuse
issues will be the same as for email. You can't fence the bad guys
out of the network.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Peter Saint-Andre
bear wrote:
 
 On Fri, 24 Feb 2006, Peter Saint-Andre wrote:
 
 
 Personally I doubt that anything other than a small percentage of email
 will ever be signed, let alone encrypted (heck, most people on this list
 don't even sign their mail).

 
 I don't think I've said anything here that I will later want to be
 able to prove incontrovertibly was said by me.
 
 In general, signing your mail has a downside in this age of litigous
 potential mail recipients, and except when your mail regards the
 disposition of assets, no upside.
 
 In the long run, I think the population of people who want to sign
 their mail is about the same as the population of people who want to
 post on usenet with their real name and put their street address
 and phone number at the bottom of every post.
 
 Why give the anonymous cowards who are collecting information with
 robotic trawlers, whether for spam lists or any other reason, proof
 of exactly who you are?

The short answer to your unstated question is: anonymity is not high in
my scale of values. The long answer will require some reflection on my
part, which I won't post here but at my blog when I have the time.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml



smime.p7s
Description: S/MIME Cryptographic Signature


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Jon Callas
I have to chime in on a number of points. I'll try to keep commercial  
plugs to a minimum.


* An awful lot of this discussion is some combination of outdated and  
true but irrelevant. For example, it is true that usability of all  
computers is not what it could be. But a lot of what has cruised by  
here is similar to someone saying, Yes, usability is atrocious --  
here, look at this screenshot of Windows 3.1. Someone else pipes up,  
You think that's bad, let me show you this example from the Xerox  
Alto. What*ever* were they thinking? And then someone else says,  
Yeah, and if you think that's bad, look at what 'ls' did in Unix  
V6! Then when someone else says, Y'know, I'm using the latest  
version of Firefox, and it's actually pretty good the next message  
says, But what about the Y2K issues, and what happens when in 2038?  
I swear, guys, this thread is the crypto version of the Monty Python  
Luxury sketch.


* Whitten and Tygar is a great paper, but it was written ages ago on  
software that was released in 1997. Things aren't perfect now, but  
let's talk about what's out there now. Even at the time, one of  
Whitten's main points is how hard it is to apply usability to  
security, because of how odd it is. As a very quick example, in most  
forms of user design, you let exploration take a prominent place. But  
it doesn't work in security because you can't click undo when you do  
something you didn't intend.


* There are new generations of crypto software out there. I produce  
the PGP products, and PGP Desktop and PGP Universal are automatic  
systems that look up certs use them, automatically encrypt, and even  
does both OpenPGP and S/MIME.


They're not perfect, and lead to other amusing issues. For example,  
an hour ago, I was coordinating with someone that I'm meeting at a  
conference. I got a reply saying, I'm at the airport and can't  
decrypt your message from my phone. I hadn't realized that I *had*  
encrypted my message, because my system and my colleague's system had  
been doing things for us.


I habitually send most of my email securely, but I don't think about  
it. My robots take care of it for me. I tune policies, I don't  
encrypt messages.


If you don't want to use my products, as Ben Laurie pointed out,  
there's a very nice plugin for Thunderbird called Enigmail that makes  
doing crypto painless.


* There are also new generations of keyservers out there that work on  
the issues of the old servers to trim defunct keys, and manage other  
issues. I have out there the PGP Global Directory. Think of it as a  
mash-up of a keyserver along with Robot CA concepts and user  
management goodness adapted from modern mailing list servers like  
Mailman.


* A number of us are also re-thinking other concepts such as using  
short-lived certificates based on the freshness model to constrain  
lifecycle management issues.


* There are many challenges remaining. Heck, the fact that people  
here apparently have not updated their knowledge any time this  
century is part of the problem. But let me tell you that email  
encryption is growing, and growing strongly. However, most of the  
successes are not happening where you see them. They're happening in  
business, where communities of partners decide they need to do secure  
email, and then they do. This is another place where things have  
changed radically. A decade ago, we thought that security would be a  
grass-roots phenomenon where end-users and consumers would push  
security into those stodgy businesses. What's happening now is the  
exact opposite -- savvy businesses are putting together sophisticated  
security systems, and that's slowly starting to get end-users to wake  
up.


I'd be happy to discuss at length where things are getting better,  
where they aren't, and where some issues have been shuffled around.  
But we do need to talk about what's going on now, not ten years ago.


Jon






-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Greg Black
On 2006-02-24, Peter Saint-Andre wrote:

 Personally I doubt that anything other than a small percentage of email
 will ever be signed, let alone encrypted (heck, most people on this list
 don't even sign their mail).

That's at least partly because too many mailing lists either
reject signed messages out of hand or, worse, have subscribers
who use providers that reject signed messages and then spam you
with their idiotic bounce messages.  Keeping track of which
lists allow signed email and which don't is impractical if you
subscribe to hundreds of lists, so the simple thing is to tick
the don't sign box on list messages.

In this case, since Peter's message was signed, I know this list
allows signatures.  So I'll sign this message.

But the signature will be of limited utility, as not one of the
several email addresses on my signature is a match for the email
address I am sending this from.  Again, lists being what they
are, I use a different address for most lists and my PGP key
would become absurd if I added several hundred addresses to it.

I personally would prefer to sign every email I send.  I'd also
prefer to encrypt all non-public messages.  I am fully competent
in the use of the current technology, but it turns out to be not
practical to use.

Greg


pgp3qLCcQF5wT.pgp
Description: PGP signature


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread John Kelsey
From: Peter Saint-Andre [EMAIL PROTECTED]
Sent: Feb 24, 2006 3:18 PM
Subject: Re: NPR : E-Mail Encryption Rare in Everyday Use

...
We could just as well say that encryption of remote server sessions is
rare in everyday use. It's just that only geeks even do remote server
sessions, so they use SSH instead of telnet.

The thing is that email is in wide use (unlike remote server sessions).
Personally I doubt that anything other than a small percentage of email
will ever be signed, let alone encrypted (heck, most people on this list
don't even sign their mail).

I'm certain that only a small percentage of e-mail will ever be
signed, so long as the tools to do that are so hard to use, and the
value added so small.  I find it useful to use encryption all the time
on my private data, but virtually never use it for communications,
because even among cryptographers the setup hassles are too great, and
the value added too small.  What we ultimately need is encryption and
authentication that are:

a.  Automatic and transparent.

b.  Add some value or are bundled with something that does.

c.  Don't try to tie into the whole horrible set of PKI standards in
terms of uniquely identifying each human and bit in the universe, and
getting them to sign legally binding messages whose full
interpretation requires reading and understanding a 30-page CPS.  

If email encryption became as transparent as SSL, most e-mail would be
encrypted.  This would still leave various phishing issues, etc., but
eavesdropping and a lot of impersonation and spam and phishing would
get much harder.  

Peter

--John Kelsey


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread John W Noerenberg II
While there is merit in arguing how to simplify the mechanics of 
using public key encryption for sending and receiving email, I cannot 
agree with this assertion:


At 10:44 AM -0800 2/24/06, Ed Gerck wrote:


My $0.02: If we want to make email encryption viable (ie, user-level viable)
then we should make sure that people who want to read a secure communication
should NOT have to do anything before receiving it. Having to publish my key
creates sender's hassle too ...to find the key.


If an individual wants to receive telephone calls, he has to agree to 
publish his phone number.  For many years, we tacitly agreed that our 
phone numbers would be published.  That a phone number was public 
information wasn't perceived as a problem.  But as the number of junk 
calls increases, the number of people who opt out of phone 
directories increases.  Today, more individuals decide that having a 
public phone number is a problem.


In this regard, public keys are just like cell phone numbers.  How 
many people know your cell phone number?  How did they get it?  You 
can't get a cell phone number from directory assistance.  So if you 
want someone to be able to call you on your cell phone, you have to 
give them the key to your cell phone.  If you want someone to send 
you encrypted email, you have to give them your public key.   It's 
the same thing.


Yet cell phones seem to be viable.

--

john noerenberg
  --
   It took long enough in all conscience for realization to come that
   the externals of civilization - technology, industry, commerce, and
   so on - also require a common basis of intellectual honesty and morality.
  -- Herman Hesse, The Glass Bead Game, 1943
  --

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Alex Alten

At 06:09 PM 2/24/2006 +0100, Ian G wrote:

Steven M. Bellovin wrote:

Certainly, usability is an issue.  It hasn't been solved because there's 
no market for it here; far too few people care about email encryption.


Usability is the issue.  If I look over onto
my skype window, it says there are 5 million
or so users right now.  It did that without
any of the hullabaloo of the other systems,
and still manages to encrypt my comms.  By
some measures it is the most successful crypto
system ever.


Actually the usability issue has been solved elsewhere too.  We did it over 
at TriStrata
before the firm crashed in 1998.  We allowed the system security officer to 
select the
default cipher to use in sending emails (DES, 3DES, Blowfish, RC4, etc.). 
The receiver
could use any cipher for decrypting incoming email. A sys admin installed 
some filter
software into the email client, and except for an initial login dialog (and 
we even simplified
that by hooking the OS login dialog), the user never had to do anything 
further.  The local
auth keys that he received during enrollment were encrypted with his 
password on a small

floppy disk, or could be installed on the hard drive automatically.

Last I heard (early 2005) one system was operational over in the nuclear 
engineering
department at Ohio State (for DOE work?).  Of course one old system rack in 
the

dusty corner of a school building does not a market make.

- Alex

--

- Alex Alten


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Ben Laurie
Peter Saint-Andre wrote:
 Ian G wrote:
 
 To get people to do something they will say no
 to, we have to give them a freebie, and tie it
 to the unpleasantry.  E.g., in SSH, we get a better
 telnet, and there is only the encrypted version.
 
 We could just as well say that encryption of remote server sessions is
 rare in everyday use. It's just that only geeks even do remote server
 sessions, so they use SSH instead of telnet.
 
 The thing is that email is in wide use (unlike remote server sessions).
 Personally I doubt that anything other than a small percentage of email
 will ever be signed, let alone encrypted (heck, most people on this list
 don't even sign their mail).

I don't sign mail not because I can't be bothered, but because it is my
policy to not sign mail.

If I signed it, it would be substantially harder to deny I wrote it.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Ben Laurie
Ed Gerck wrote:
 Ben Laurie wrote:
 Really? I just write Ed Gerck on an envelope and it gets to you? I
 doubt it. Presumably I have to do all sorts of hard and user-unfriendly
 things to find out and verify your address.
 
 Perhaps I wasn't clear -- with postal mail you just write my name and
 address
 in YOUR envelope and it gets to me. With PGP and PKI you have to ask for MY
 envelope first; further, MY public-key creates the secure envelope
 that you
 now need to trust with YOUR secret...

I totally don't buy this distinction - in order to write to you with
postal mail, I first have to ask you for your address.

Apart from content of the blob handed over, the two transactions are
identical.

 If you handled your keys properly I would not need to ask you for
 anything. 
 
 My $0.02: If we want to make email encryption viable (ie, user-level
 viable)
 then we should make sure that people who want to read a secure
 communication
 should NOT have to do anything before receiving it. Having to publish my
 key
 creates sender's hassle too ...to find the key.

So you think people can use the post to write to you without you
publishing your address?

 BTW, users should NOT be trusted to handle keys, much less to handle them
 properly. This is what the users themselves are saying and exemplifying in
 15 years of experiments.

I think users are perfectly capable of handling keys. The problem they
have is in choosing operating systems that are equal to the task.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Ian G

Peter Saint-Andre wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ian G wrote:



To get people to do something they will say no
to, we have to give them a freebie, and tie it
to the unpleasantry.  E.g., in SSH, we get a better
telnet, and there is only the encrypted version.



We could just as well say that encryption of remote server sessions is
rare in everyday use. It's just that only geeks even do remote server
sessions, so they use SSH instead of telnet.

The thing is that email is in wide use (unlike remote server sessions).


Well!  Within the context of any given application,
we can learn lessons.  Just because SSH is only used
by geeks is meaningless, really, we need to ground
that criticism in something that relates it to other
areas.  The fact is that SSH came in with a solution
and beat the other guy - Telnet secured over SSL.  It
wasn't the crypto that did this, it was the key management,
plain and simple.

Telnet was in widespread use - but was incapable of
making the jump to secure.  Just like email.  So if
the SSH example were illuminating, we would predict
that some completely different *non-compatible* app
would replace email.

Hence, IM/chat, Skype, TLS experiments at Jabber, as
well as the OpenPGP attempts.

There are important lessons to be learnt in the rise of
IM over email.  Email is held back by its standardisation,
chat seems to overcome spam quite nicely.  Email is hard
to get encrypted, but it didn't stop Skype from doing
encryped IMs easily.  Phishing is possible over chat,
but has also been relatively easy to address - because
the system owners have incentives and can adjust.

The competition between the IM systems is what is driving
the security forward.  As there is no competition in the
email world, at least at the level of the basic protocol
and standard, there is no way for the security to move
forward.

iang

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Ed Gerck

Ben Laurie wrote:

I totally don't buy this distinction - in order to write to you with
postal mail, I first have to ask you for your address.


We all agree that having to use name and address are NOT the problem,
for email or postal mail. Both can also deliver a letter just with
the address (CURRENT RESIDENT junk mail, for example).

The problem is that pesky public-key. A public-key such as

[2. application/pgp-keys]...


is N O T user-friendly.

Arguments that people give each other their cell phone numbers, for example,
and even though there isn't a cell phone directory people use cell phones
well, also forget the user's point of view when comparing a phone number with
a public-key.

Finally, the properties of MY public-key will directly affect the 
confidentiality
properties of YOUR envelope. For example, if (on purpose or by force) my 
public-key
enables a covert channel (eg, weak key, key escrow, shared private key), YOUR
envelope is compromised from the start and you have no way of knowing it. This 
is
quite different from an address, which single purpose is to route the 
communication.

That's I said the postal analogue of the public-key is the envelope.


Ed Gerck wrote:

My $0.02: If we want to make email encryption viable (ie, user-level
viable)
then we should make sure that people who want to read a secure
communication
should NOT have to do anything before receiving it. Having to publish my
key
creates sender's hassle too ...to find the key.


So you think people can use the post to write to you without you
publishing your address?


I get junk mail all the time at two different postal addresses, without ever
having published either of them. Again, addresses and names are user friendly
(for better or for worse) while public-keys are not -- in addition to their
different security roles (see above).


Ed Gerck wrote:

BTW, users should NOT be trusted to handle keys, much less to handle them
properly. This is what the users themselves are saying and exemplifying in
15 years of experiments.


I think users are perfectly capable of handling keys. The problem they
have is in choosing operating systems that are equal to the task.


That's another notorious area where users can't be trusted -- and that's why
companies lock down their OSes -- or, should a company really allow each user
to choose their desired OS? Apart from compatibility issues, which also do
not allow users to  freely choose even the OS in their homes (Junior wants
to play his games too scenario).

Cheers,
Ed Gerck

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Ben Laurie
Victor Duchovni wrote:
 On Fri, Feb 24, 2006 at 01:44:14PM +, Ben Laurie wrote:
 
 Ed Gerck wrote:
 Paul,

 Usability should by now be recognized as the key issue for security -
 namely, if users can't use it, it doesn't actually work.

 And what I heard in the story is that even savvy users such as Phil Z
 (who'd have no problem with key management) don't use it often.

 BTW, just to show that usability is king, could you please send me an
 encrypted email -- I even let you choose any secure method that you want.
 Sure I can, but if you want it to be encrypted to you, then you need to
 publish a key.
 
 More strongly, if we've never met, and you are not in the habit of
 routinely signing email, thereby tying a key to your e-persona, it
 makes no sense to speak of *secure* communication to *you*. Which you
 would that be, the one who sent me all those exciting zip files of W32
 executables, or the one I think is posting to this list?
 
 The only identity you (who hypothetically do not garnish each message
 with a signature) have is your mailbox. I can bootstrap that (with
 questionable initial security) to a key via a private unencrypted
 email message, and over a time as the key is consistently used grow to
 associate the key with an on-line persona.

Don't forget that the ability to decrypt is just as good as a signature
to prove association of the key.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Ed Gerck

Paul,

Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.

And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.

BTW, just to show that usability is king, could you please send me an
encrypted email -- I even let you choose any secure method that you want.

Cheers,
Ed Gerck

Paul Hoffman wrote:

At 1:56 PM -0800 2/23/06, Ed Gerck wrote:
This story (in addition to the daily headlines) seems to make the case 
that
the available techniques for secure email (hushmail, outlook/pki and 
pgp) do

NOT actually work.


That's an incorrect assessment of the short piece. The story says that 
it does actually work but no one uses it. They briefly say why: key 
management. Not being easy enough to use is quite different than NOT 
actually working.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Paul Hoffman

At 4:31 PM -0800 2/23/06, Ed Gerck wrote:

Usability should by now be recognized as the key issue for security -


Fully agree.


namely, if users can't use it, it doesn't actually work.


We disagree on the meaning of the phrase actually work.


And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.


Phil *does* have a problem with key management. He knows how to do 
it, but his communications partners are not as good as he is.



BTW, just to show that usability is king, could you please send me an
encrypted email -- I even let you choose any secure method that you want.


Yes, I could. But I won't bother. :-)

--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Ben Laurie
Ed Gerck wrote:
 Paul,
 
 Usability should by now be recognized as the key issue for security -
 namely, if users can't use it, it doesn't actually work.
 
 And what I heard in the story is that even savvy users such as Phil Z
 (who'd have no problem with key management) don't use it often.
 
 BTW, just to show that usability is king, could you please send me an
 encrypted email -- I even let you choose any secure method that you want.

Sure I can, but if you want it to be encrypted to you, then you need to
publish a key.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Philipp Gühring
Hi,

 And what I heard in the story is that even savvy users such as Phil Z
 (who'd have no problem with key management) don't use it often.

 Phil *does* have a problem with key management. He knows how to do
 it, but his communications partners are not as good as he is.

Phil Z doesn´t know how to do it himself, at least with PGP. 
He told me that he doesn´t sign people´s keys who ask for it, simply because 
it would pollute his keyring on his computer, and he couldn´t work with a 
keyring with thousands of people on it anymore. 
So PGP obviously has a usability and scalability problem.
So he only signs the keys of his friends because of that.
I wonder now, why he didn´t tried to solve that usability/scalability problem 
himself yet, but gave up instead.

Best regards,
Philipp Gühring


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Ed Gerck

Ben Laurie wrote:

Ed Gerck wrote:

Paul,

Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.

And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.

BTW, just to show that usability is king, could you please send me an
encrypted email -- I even let you choose any secure method that you want.


Sure I can, but if you want it to be encrypted to you, then you need to
publish a key.


This IS one of the sticky points ;-) If postal mail would work this way,
you'd have to ask me to send you an envelope before you can send me mail.
This is counter-intuitive to users.

Your next questions could well be how do you know my key is really mine...
how do you know it was not revoked ...all of which are additional sticky points.
In the postal mail world, how'd you know the envelope is really from me or
that it is secure?

Cheers,
Ed Gerck

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Ben Laurie
Ed Gerck wrote:
 Ben Laurie wrote:
 Ed Gerck wrote:
 Paul,

 Usability should by now be recognized as the key issue for security -
 namely, if users can't use it, it doesn't actually work.

 And what I heard in the story is that even savvy users such as Phil Z
 (who'd have no problem with key management) don't use it often.

 BTW, just to show that usability is king, could you please send me an
 encrypted email -- I even let you choose any secure method that you
 want.

 Sure I can, but if you want it to be encrypted to you, then you need to
 publish a key.
 
 This IS one of the sticky points ;-) If postal mail would work this way,
 you'd have to ask me to send you an envelope before you can send me mail.
 This is counter-intuitive to users.

We have keyservers for this (my chosen technology was PGP). If you liken
their use to looking up an address in an address book, this isn't hard
for users to grasp.

 Your next questions could well be how do you know my key is really mine...
 how do you know it was not revoked ...all of which are additional sticky
 points.

For revocation, keyservers again. If I cared whether it was really yours
(I don't), then I'd check the signatures, or verify the fingerprint
out-of-band.

 In the postal mail world, how'd you know the envelope is really from me or
 that it is secure?

I don't.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ed Gerck writes:

This IS one of the sticky points ;-) If postal mail would work this way,
you'd have to ask me to send you an envelope before you can send me mail.
This is counter-intuitive to users.

I assumed that that was your point, which is why I figured you were 
trolling.  But of course, your analogy is precisely wrong -- I can look 
people's addresses, physical and electronic.  People who want to engage 
in secure communication publish their keys.  I haven't checked Paul's 
home page; Ben and I both have links to our PGP keys from our web pages.
You don't.

Your next questions could well be how do you know my key is really mine...
how do you know it was not revoked ...all of which are additional sticky point
s.
In the postal mail world, how'd you know the envelope is really from me or
that it is secure?

Of course, you know even less about such things in the physical world.  
But you know that, too.  So what is your point?

Certainly, usability is an issue.  It hasn't been solved because 
there's no market for it here; far too few people care about email 
encryption.  And they're right -- their email is insecure, but given 
the environment of the typical desktop system would crypto do any good? 
We've already seen tailored worms stealing corporate information; we've 
also seen keystroke loggers and e-theft programs that watch for a login 
successful screen from your financial provider.  How would encrypting 
email help a businessman in an environment like that?  (I know -- have 
a separate machine used only for encrypting and decrypting files, and 
use a flash drive to carry ciphertext back and forth.  Talk about 
usability problems)

Yes, I can and do send encrypted email.  Statistically, I don't do it 
very often.  In all of last year, I sent four such messages, comprising 
exactly one conversation.  My effective security is locked-down hosts,
in particular the machine where sensitive inbound mail sits until I 
pull it down to my laptop.  This way, I don't have to trust my 
employer, my ISP, etc.  And I use SSL or SSH -- with checking of the 
far-side certificates -- for transport.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread dan

   Usability should by now be recognized as the key issue for security -
   namely, if users can't use it, it doesn't actually work.


% man gpg | wc -l
1705

% man gpg | grep dry
-n, --dry-run   Don't make any changes (this is not completely implemented).


I rest my case.

--dan


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


NPR : E-Mail Encryption Rare in Everyday Use

2006-02-23 Thread Ed Gerck

This story (in addition to the daily headlines) seems to make the case that
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.

http://www.npr.org/templates/story/story.php?storyId=5227744

Cheers,
Ed Gerck


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-23 Thread Paul Hoffman

At 1:56 PM -0800 2/23/06, Ed Gerck wrote:

This story (in addition to the daily headlines) seems to make the case that
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.


That's an incorrect assessment of the short piece. The story says 
that it does actually work but no one uses it. They briefly say why: 
key management. Not being easy enough to use is quite different than 
NOT actually working.


--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]