[cryptography] [Cryptography] Email is unsecurable

Stephen Farrell stephen.farrell at cs.tcd.ie
Wed Nov 27 13:02:08 EST 2013

Hi Nico,

On 11/27/2013 05:42 PM, Nico Williams wrote:
> On Mon, Nov 25, 2013 at 09:51:41PM +0000, Stephen Farrell wrote:
>> New work on improving hop-by-hop security for email and other
>> things is getting underway in the IETF. [1] Basically the idea
> I see nothing in the proposed charter you linked to about hop-by-hop
> security.

Isn't the "Using TLS" part enough? At least for the applications
listed. Could be worth adding a sentence to the charter though
I guess.

> I could imagine something like Received headers to document how each
> SMTP (and SUBMIT) end-point was authenticated (if they were) along a
> mail transfer path.  This would be of some utility, particularly for
> *short* paths (MUA->MSA->MTA->mailbox); for longer paths this loses its
> utility.

Not sure I get the utility there, at least as in scope for
this proposed WG. Do you mean the receiving MUA would display
the message differently or something?

There might be an idea there though if some of the hops used
e.g. anon-DH and someone developed a generic witness protocol
to help try spot MITM attacks on that, and if the MSA and MTAs
DKIM-sign messages, then a message header field containing the
inbound & outbound witness-protocol PDUs that was included in
the DKIM signature could be good.

That sounds like it'd be a bit out the scope for UTA but if
that's  what you meant (or similar) but I'd say a mail to
apps-discuss on that would be useful.

But I don't think we'd want the UTA WG to be the one to
develop a protocol for how to post-facto spot a MITM on anon-DH
or other TLS sessions though. (Anyone got suggestions for that
btw? Probably a different thread though.)

(And yes, the above would depend on DKIM public key records in
the non-DNSSEC DNS, so a DANE like thing and DNSSEC would be
stronger, but given that lots of large and small mail services
already do DKIM and don't change their keys that often, even
the non-DNSSEC thing might be good enough.)


> Nico

More information about the cryptography mailing list