
Re: Authentication and email



At 9:19 PM -0500 2/10/03, Derek Atkins wrote:
> Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
>
> > At 4:44 PM -0500 2/10/03, Derek Atkins wrote:
> > > Yea, and look how secure our email system is....
> >
> > Well, yes, let's look. Security is available where the two end-users
> > want it, and is available where any pair of servers want it. Few
> > people turn it on in either step, but those who want it use it almost
> > invisibly.
>
> But it generally requires both sides to agree, because it's not
> ubiquitous.

Which is a good indication of how few people want to use it.

> If I wanted to encrypt this email, I couldn't.  Why?
> Because there is no way I could -- there is no guarantee that you
> could even read it (let alone have a key I could encrypt with).

Of course you could. If you and I agree that you should encrypt a message for me, it is trivial for us to agree to (particularly if we are using S/MIME).

> So, I couldn't encrypt this email _even if I wanted to_.  That's the
> problem.

Hogwash. Find my S/MIME cert or PGP key and encrypt. If I don't make them available to you, you can't encrypt, but it also means I don't want you to.

> I want a system where, if I want to encrypt a message, I can
> be guaranteed that you can read it.

If I have an S/MIME certificate out there with an encryption key, I can read what you encrypt with. The same is true for a PGP key.

> > > The IESG has already
> > > stated that optional security is bad (because optional security means
> > > no security).  Let's not revisit that rathole.
> >
> > We fully disagree here. Forcing visible security where none is needed
> > leads to most people not wanting to use security. If security is free
> > or very low-cost, it should be required. When it is any more expensive
> > either in processing time or in user hassle, it should be optional and
> > easy to implement if used.
>
> Who has the right to decide where security is needed and where it is
> not?

The user of the protocol? Naaah, that's not the IETF way.

> Your idea of when it is needed is not the same as mine, and I
> bet that neither of us would completely agree with some human rights
> worker in Africa.

Fully agree.

> The reason I agree with the IESG is that by forcing
> implementers to include security it means that users always have the
> choice and don't have the problem I do with this email.

The IESG forces implementers to include security? In which universe does that happen? Implementers leave out the security part of lots of protocols that have security specified. In fact, you will find that most email clients have good, interoperable end-to-end security built in even though it is optional and rarely used. Your polemic above is just plain silly: anyone who wants you to send them encrypted mail using Internet standards can do so, usually quite easily. And voluntarily, too!

--Paul Hoffman, Director
--VPN Consortium