Yahoo releases internet standard draft for using DNS as public key server

Dave Howe DaveHowe at gmx.co.uk
Tue Jun 1 16:31:05 EDT 2004


Ian Grigg wrote:
> Dave Howe wrote:
>> No - it means you might want to consider a system that guarantees 
>> end-to-end encryption - not just "first link, then maybe if it feels 
>> like it"
>> That doesn't mean TLS is worthless - on the contrary, it adds an 
>> additional layer of both user authentication and session encryption 
>> that are both beneficial - but that *relying* on it to protect your 
>> messages is overoptimistic at best, dangerous at worst.
> This I believe is a bad way to start looking
> at cryptography.  There is no system that you
> can put in place that you can *rely* upon to
> protect your message.
No, there are plenty that you can rely on to protect your message while 
still in transit.
If you can ensure that the only possible points of vulnerability are at 
the two endpoints, then you and your correspondent take control of your 
security - it won't be perfect, as you point out - but you won't be 
reliant on the goodwill and efforts of some third party whose most 
economic option is to accidentally or deliberately neglect TLS between 
your local smart host and your correspondent's email spooler, or indeed, 
to supply minimal security to the email spools at smarthost or destination.

> (Adi Shamir again: #1 there are no secure systems,
> ergo, it is not possible to rely on them, and
> to think about relying will take one down false
> paths.)
Secure systems exist - but are rarely worth the effort involved.
Many PDAs can handle PGP or S/MIME traffic these days - certainly, you 
could offload your message (already encrypted) to flash media, insert 
into sending host, receive (from email spool) at the destination and 
transfer to flash media, then insert into decoding PDA.  To compromise 
either PDA would require access - so if you keep it about your person 
(and within sight when you bathe), you should be safe against anything 
but a midnight intrusion with sleeping gas....
But regardless - the level of defence required is proportional to the 
likely threat.  It is entirely possible that it would be worthwhile for 
some hacker to compromise a router between your ISP's mail server and 
your correspondent's spool, or that spool itself. It is less likely that 
it would be worth someone's while to break into your home with exquisite 
timing and tracelessly alter software on your trusted airgapped machine 
while you shower (and if that *is* your threat model, I envy the income 
you must get to justify being in such a position or bow to the value of 
your information to some repressive regime)

> Otherwise, we adopt what military people call
> "tactical security:"  strong enough to keep
> the message secure enough so that most of the
> time it does the job.
Indeed so.

> The principle which needs to be hammered time
> and time again is that cryptography, like all
> other security systems, should be about risk
> and return - do what you can and put up with
> the things you can't.
Again, true. I suspect we differ in what we consider an acceptable risk 
- I don't consider any setup where the security of the channel is 
against the best interests of the people controlling that channel 
acceptable - especially where I have no way to discover if that channel 
was compromised.
I have what I hope is an acceptably secure system at home - and I also 
hope my correspondents do likewise. If our messages are compromised (not 
that they contain anything worth stealing) then it is my fault or theirs 
- not an admin at the ISP, or some minimum-wage employee on a helpdesk 
bribed to let someone take a peek at my mailspool. This extra security 
comes free, gratis, not a penny does it cost - beyond the effort of 
learning how to use it - and while I was used to hotkeying my way into 
the current window, my recent switch to Enigmail means I don't even have 
to do that. Why would I settle for less?

> Applying the specifics to things like TLS and
> mail delivery - yes, it looks very ropey.  Why
> for example people think that they need CA-signed
> certs for such a thing when (as you point out)
> the mail is probably totally unprotected for half
> the journey is just totally mysterious.
And indeed I had a conversation with someone who was interested in a 
"secure" mailing list only a few days ago. I suggested he not bother and 
just set up an HTTPS website with any one of a dozen BBoard systems and 
local certificate support - because that was free and all the complexity 
(and most of the vulnerabilities) are at the server side - while setting 
up a secure email burster would be almost impossible and would rely on 
not only training the end users, but ensuring they have the right 
software installed.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


