[148223] in cryptography@c2.net mail archive
Re: [Cryptography] Dark Mail Alliance specs?
daemon@ATHENA.MIT.EDU (James A. Donald)
Sat Nov 23 19:06:25 2013
Date: Sun, 24 Nov 2013 06:33:57 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
In-Reply-To: <alpine.LFD.2.02.1311231318220.6481@laptop.kerry-linux.ie>
Reply-To: jamesd@echeque.com

On 2013-11-23 22:30, Ralf Senderek wrote:
> Yes, but it's about time we do something about that. Do we *exactly know
> why* it is such a failure?

Key management.

Need no-click key management.

Assume that secure email/IM addresses look like user#example.com
(Since we are breaking compatibility, we need to distinguish our addresses.)

The user#example.com logs on to the mail transport agent at example.com
using a zero knowledge password protocol.

This generates a transient shared secret between the client and the mail
transport agent, which changes every logon, and also generates a durable
client secret, which depends on a strong per client secret maintained by
the mail transport agent and the user password.

If the user password is weak, whoever controls example.com can find it
by dictionary attack, and thus find the durable client secret, but no
one else can, except they first attack the mail transport agent on
example.com.

If the end user is exceptionally paranoid, he uses a strong password or
makes sure he controls example.com.

The durable client secret gives rise to a durable client public key,
which is published by example.com.

The corresponding client secret key is recreated every logon, and, all
being well, is known only to the client.
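
Added example, not part of the original message or of any Dark Mail code: a sketch of the key derivation the message describes, in which the durable client secret is a function of the mail transport agent's per-client secret and the user password, and the public key is recreated from it at each logon. The message names no primitives, so PBKDF2, X25519, the function names and the sample secret are assumptions, and a plain KDF call stands in for the zero knowledge password protocol.

```python
import hashlib, hmac

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant time: illustration only."""
    s = bytearray(k); s[0] &= 248; s[31] = (s[31] & 127) | 64
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def durable_client_secret(per_client_secret: bytes, password: str) -> bytes:
    # Assumption: a plain KDF call stands in for the password protocol, which
    # would combine the two inputs without showing the password to the server.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               per_client_secret, 100_000, 32)

def durable_public_key(secret: bytes) -> bytes:
    # The client recreates the secret key at logon; only this value is published.
    return x25519(secret, BASE)

def guess_matches(per_client_secret: bytes, published: bytes, guess: str) -> bool:
    # Testing a password guess offline requires the per-client secret.
    candidate = durable_public_key(durable_client_secret(per_client_secret, guess))
    return hmac.compare_digest(candidate, published)

if __name__ == "__main__":
    mta_secret = bytes(range(32))  # constructed per-client secret held by the MTA
    pub = durable_public_key(durable_client_secret(mta_secret, "letmein"))
    again = durable_public_key(durable_client_secret(mta_secret, "letmein"))
    print("same key on every logon:", pub == again)
    print("MTA holder confirms weak password:", guess_matches(mta_secret, pub, "letmein"))
    print("without the MTA secret:", guess_matches(bytes(32), pub, "letmein"))
```

The last two lines of output show the trust boundary from the message: the published key lets the holder of the per-client secret check password guesses, while the same guess tested without that secret does not match.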