[148234] in cryptography@c2.net mail archive
Re: [Cryptography] Dark Mail Alliance specs?
daemon@ATHENA.MIT.EDU (Guido Witmond)
Sun Nov 24 15:10:47 2013
X-Original-To: cryptography@metzdowd.com
Date: Sun, 24 Nov 2013 11:29:42 +0100
From: Guido Witmond <guido@witmond.nl>
To: cryptography@metzdowd.com
In-Reply-To: <F2A3DF7F-7418-4166-84EF-E46749A0D608@lrw.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============6242936182738633333==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="----enig2ALRIUXVLFQSVOGQHNUFS"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
------enig2ALRIUXVLFQSVOGQHNUFS
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 11/24/13 01:20, Jerry Leichter wrote:
> There's a third recent factor, of course: Increasingly, people read
> their email through Web interfaces. There's simply no way to make
> that secure in current browsers. Sure, you can download some
> Javascript to decrypt your mail, but there's no good reason to trust
> it!
Yes, there is a way. Instead of using javascript with its eternal
validation problems, use a browser plugin to do the key handling and
message signing.
> My suggestion is that there are two fundamental problems that need to
> be attacked:
>=20
> 1. The key lookup/distribution problem. It has to be easy and
> straightforward to get keys in the common use cases. In fact, it
> needs to be so easy and straightforward as to be invisible to most
> users most of the time. It's easy to get caught up in difficult edge
> cases that can't be handled easily. This is a case where "the best
> is the enemy of the good". Cover as much as you can cleanly today;
> worry about the hard cases tomorrow. (Many people will never run
> into a need for a solution to a hard case, and those that do may be
> willing and able to do more work.)
Using anounymous client certificates and a GPG-keyserver model (reached
via Tor) you can create a key distrubution mechanism that solves these
issues. You also need to remember the certificates in your address book.
Don't throw away the result of your validation actions, remember them!
> 2. The Web mail problem. I can see only one solution to this: Get
> S/MIME implemented in browsers. HTML/5 already contains tons of
> interfaces (way too many, I'd say, but that ship sailed a *long* time
> ago) to implement various things that simply need to be present
> *everywhere*, generally for performance reasons. (After all,
> Javascript *is* Turing-complete.) While S/MIME or some other secure
> mail protocol *could* be implemented in Javascript, it would have to
> be downloaded each time - and there's no way to guarantee security.
> If S/MIME were built in, you would have exactly as much reason to
> trust it as you would to trust the S/MIME in your conventional MUA.
That's something I've also conquered. My agent module does the
encryption and decryption.
In fact, you can try it out: download the proxy[1], configure your
browser to use it and browse to http :// dating.wtmnd.nl:10443/ (the
proxy does the https to the server).
Create an acccount and send a message to guidow@@dating.wtmnd.nl.
When you use Tor, my server can't even learn your IP-address.
See:
http://eccentric-authentication.org/blog/2013/06/07/run-it-yourself.html
Regards, Guido Witmond
1: http://eccentric-authentication.org/blog/2013/06/07/run-it-yourself.ht=
ml
------enig2ALRIUXVLFQSVOGQHNUFS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/
iQIcBAEBAgAGBQJSkdUWAAoJEHPd8GglaNRmx3wP/1ecE51ZJETZ5IabTVUd4bb2
Z+PwMnQXVsUcBs7+G6mUIhzpSFbn/xFH9UcEdxBdhl2rgAEkk3V2U2hjI7ErPn8G
/C/QdsXTUQ9TcuTAgyZ8i6fx9meoNrc99N6hl60sifbfbdWWBAMUa7YFT5ZdQp6I
h9l0cqVfKYpMltK/rrVnejtJde25rzsCwNpKrQ1mK2+R5tRug5iuCLJNY3X7anv5
QvAaZeLEKiVPBjzomOWHsyz9jWqmRaQ4QaoTU0ylEBvWl17dvAw/kNQgNXpY6OZF
A415U1Ol7ryBfqIca6urDyurDNszY9szuJo9wlQEqm00WTnYKd8voej109YUO3bE
paJQAxi85k1SGk5XmBld+n2hofE3Zsp0qDKs+u8sM3bV8hZXec2i0rbtdfiV9So1
AcYOGfO5Eo7JR/E94buG+uxuTGbNw1180GnRxLQPCnXOFuBq53+5kkaJSdL2qEG0
Kcpm5b/UzR5yk14X4axXeGYPt5S3NUwR/cr5qxWSsJ4n4yNdxFOIP83I3qbLjSx1
vQ7S1Qn8D1KgrWbsYxMOtUTKZmoDix4ldveNVb6DZy5elCtwOqEsczQyxRHYTjnM
4xHpBlk04P/0U7o8jfLRrCRdBcrFWQTcNIl3kmldKWNtVSCk94Z6WW9FS2fDZD7i
ZUPw1UjJxe9yeX5EB+cp
=uxWO
-----END PGP SIGNATURE-----
------enig2ALRIUXVLFQSVOGQHNUFS--
--===============6242936182738633333==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============6242936182738633333==--
