
From nicola.vitucci@gmail.com  Fri Nov 18 01:48:51 2016
Message-ID: <582ECE7C.9020304@gmail.com>
Date: Fri, 18 Nov 2016 11:48:44 +0200
From: Nicola Vitucci <nicola.vitucci@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: openpgp@ietf.org
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/EH8jtg17mcdcJVgyC3hwmL9ztCo>
Subject: [openpgp] Format of EC key packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Nov 2016 09:50:46 -0000

Hi all,

I have used a recent keydump from [1] to extract keys making use of
ECCs, and I wrote some code to parse key and subkey packets (per [2],
[3] and [4]) to show the algorithm, the curve and the parameters they
use. I found cases where:

- the curve OID is not in the OpenPGP format but includes the first two
octets from ASN.1;
- the 0x40 compression flag is not included;
- when using Curve25519:
  -- the point is represented using Ed25519 compression;
  -- the point is represented using Ed25519 compression with reversed
byte order;
  -- the point is NOT represented using Ed25519 compression.

Could you explain what the current decisions are? Should these cases
just be dropped since they are not included in the RFCs? I am quite new
to the subject, so please forgive me if I am misusing any terms or concepts.

Nicola

[1] https://pgp.key-server.io/sks-dump
[2] https://tools.ietf.org/html/rfc4880
[3] https://tools.ietf.org/html/rfc6637
[4] https://www.ietf.org/archive/id/draft-koch-eddsa-for-openpgp-04.txt
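
The checks listed in the message above, as an added example that is not part of the original post or of any OpenPGP implementation: a classifier for the curve OID form and the point prefix in a v4 EC public-key packet body, per RFC 4880, RFC 6637 and the EdDSA draft. The function names, result labels and sample bodies are assumptions made for illustration, and the sample points are constructed filler octets.

```python
import struct

# Curve OIDs as RFC 6637 stores them: ASN.1 content octets only, without the
# 0x06 tag and length octet. Value: (curve name, field size in octets).
CURVES = {
    bytes.fromhex("2A8648CE3D030107"): ("NIST P-256", 32),
    bytes.fromhex("2B81040022"): ("NIST P-384", 48),
    bytes.fromhex("2B81040023"): ("NIST P-521", 66),
    bytes.fromhex("2B06010401DA470F01"): ("Ed25519", 32),
    bytes.fromhex("2B060104019755010501"): ("Curve25519", 32),
}
EC_ALGORITHMS = {18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def read_mpi(buf, pos):
    """Read an OpenPGP MPI (2-octet bit count, then the value) starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, pos)
    size = (bits + 7) // 8
    value = buf[pos + 2 : pos + 2 + size]
    if len(value) != size:
        raise ValueError("truncated MPI value")
    return value, pos + 2 + size


def classify_ec_key(body):
    """Classify the OID form and point prefix of a v4 EC public-key packet body."""
    if len(body) < 8:
        raise ValueError("packet body too short")
    version, _created, algo = struct.unpack_from(">BIB", body, 0)
    if version != 4 or algo not in EC_ALGORITHMS:
        raise ValueError("not a v4 ECDH/ECDSA/EdDSA key packet")
    oid_len = body[6]
    if oid_len in (0x00, 0xFF):  # both values are reserved by RFC 6637
        raise ValueError("reserved OID length")
    oid = body[7 : 7 + oid_len]
    if len(oid) != oid_len:
        raise ValueError("truncated OID")

    oid_form, curve = "unknown", None
    if oid in CURVES:
        oid_form, curve = "openpgp", CURVES[oid]
    elif (len(oid) > 2 and oid[0] == 0x06 and oid[1] == len(oid) - 2
          and oid[2:] in CURVES):
        # The ASN.1 tag and length octets were left in front of the OID.
        oid_form, curve = "asn1-prefixed", CURVES[oid[2:]]

    # Any fields after the point (e.g. ECDH KDF parameters) are ignored here.
    point, _ = read_mpi(body, 7 + oid_len)
    point_form = "unrecognized"
    if curve:
        name, size = curve
        if len(point) == 2 * size + 1 and point[0] == 0x04:
            point_form = "uncompressed-0x04"   # 0x04 || X || Y
        elif len(point) == size + 1 and point[0] == 0x40:
            point_form = "prefixed-0x40"       # 0x40 || native encoding
        elif name in ("Ed25519", "Curve25519") and 0 < len(point) <= size:
            point_form = "bare-no-prefix"      # MPI may have dropped leading zeros
    # Byte order of a 25519 value cannot be told from the layout alone; that
    # would need a decompression check against the curve equation.
    return {
        "algorithm": EC_ALGORITHMS[algo],
        "curve": curve[0] if curve else None,
        "oid_form": oid_form,
        "point_form": point_form,
    }


def mpi(data):
    """Encode bytes as an OpenPGP MPI (leading zero bits are not stored)."""
    n = int.from_bytes(data, "big")
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def build_body(algo, oid, point):
    """Constructed v4 key body: version 4, creation time 0, algorithm, OID, point."""
    return struct.pack(">BIB", 4, 0, algo) + bytes([len(oid)]) + oid + mpi(point)


# Constructed sample values: filler octets, not valid curve points.
ED25519_OID = bytes.fromhex("2B06010401DA470F01")
CV25519_OID = bytes.fromhex("2B060104019755010501")
FILLER32 = bytes(range(1, 33))
SAMPLES = {
    "draft-style EdDSA key": build_body(22, ED25519_OID, b"\x40" + FILLER32),
    "OID with ASN.1 header": build_body(22, b"\x06\x09" + ED25519_OID,
                                        b"\x40" + FILLER32),
    "missing 0x40 prefix": build_body(22, ED25519_OID, FILLER32),
    "uncompressed Curve25519": build_body(18, CV25519_OID,
                                          b"\x04" + FILLER32 * 2),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, classify_ec_key(body))
```
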


From nobody Tue Nov 29 01:18:48 2016
Date: Tue, 29 Nov 2016 10:18:37 +0100
From: Vincent Breitmoser <look@my.amazin.horse>
To: openpgp@ietf.org, messaging@moderncrypto.org
Message-ID: <20161129091837.GA25812@littlepip.fritz.box>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/5Ig9qJEuzZxzoZi6xXFps0ZBzMk>
Subject: [openpgp] On Signed-Only Mails

Hi all,

(cross-posting on openpgp and messaging mls)

during my work on bringing OpenPGP to K-9 Mail, I found myself
reevaluating a lot of things. This time it's about signed-only mails.

In short, my conclusion so far is that signed-only mails are very rarely
useful, they are holding OpenPGP back as a solution for encrypted
e-mail, and in the interest of usability we should not roll them out in
email crypto solutions on equal terms with encryption.

In some more detail:
https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html

I received positive as well as negative feedback about this, and I'd
love to hear more thoughts about it.

 - V


From nobody Tue Nov 29 01:25:51 2016
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Vincent Breitmoser <look@my.amazin.horse>, "openpgp@ietf.org" <openpgp@ietf.org>, "messaging@moderncrypto.org" <messaging@moderncrypto.org>
Thread-Topic: [messaging] On Signed-Only Mails
Thread-Index: AQHSSiGeoDCj5wadw0iP/6y8V1XsrqDvr59V
Date: Tue, 29 Nov 2016 09:25:45 +0000
Message-ID: <1480411542920.18425@cs.auckland.ac.nz>
References: <20161129091837.GA25812@littlepip.fritz.box>
In-Reply-To: <20161129091837.GA25812@littlepip.fritz.box>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/CZSZAf93Rjth_siVonHm6G9uqus>
Subject: Re: [openpgp] [messaging] On Signed-Only Mails

Vincent Breitmoser <look@my.amazin.horse> writes:

>In some more detail:
>https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
>
>[...] Signed-Only Mails are Useless [...]

Yup, and it's for exactly the reasons given there that the S/MIME WG decided
many years ago not to sign messages sent to the list.  Courts, similarly, rule
on the intent of the signer, not some attached bag of bits (see e.g. Steven
Mason's excellent "Electronic Signatures in Law").  So while I wouldn't go so
far as to call them harmful, I'd agree that they're mostly useless, unless
you're using one to make some special point.  Even then, if it's for legal
purposes, a court will look at almost everything but the signature when
deciding on its effect.

Peter.


From nobody Tue Nov 29 01:29:53 2016
Date: Tue, 29 Nov 2016 10:29:47 +0100
From: Vincent Breitmoser <look@my.amazin.horse>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Message-ID: <20161129092947.GA5791@littlepip.fritz.box>
References: <20161129091837.GA25812@littlepip.fritz.box> <1480411542920.18425@cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1480411542920.18425@cs.auckland.ac.nz>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/saRHDj9cn4n-1Vc7fmoQGEEhW6Y>
Cc: "messaging@moderncrypto.org" <messaging@moderncrypto.org>, "openpgp@ietf.org" <openpgp@ietf.org>
Subject: Re: [openpgp] [messaging] On Signed-Only Mails

> So while I wouldn't go so far as to call them harmful

More specifically, harmful for UX. Dragging them along as a feature does
not make UX design easier :)

 - V


From nobody Tue Nov 29 01:36:55 2016
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Vincent Breitmoser <look@my.amazin.horse>
Thread-Topic: [openpgp] [messaging] On Signed-Only Mails
Thread-Index: AQHSSiGeoDCj5wadw0iP/6y8V1XsrqDvr59V//8ocICAANvA2Q==
Date: Tue, 29 Nov 2016 09:36:42 +0000
Message-ID: <1480412200411.7394@cs.auckland.ac.nz>
References: <20161129091837.GA25812@littlepip.fritz.box> <1480411542920.18425@cs.auckland.ac.nz>, <20161129092947.GA5791@littlepip.fritz.box>
In-Reply-To: <20161129092947.GA5791@littlepip.fritz.box>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/s1NChJ7B2ClAlXO5vlRCkmfYdsA>
Cc: "messaging@moderncrypto.org" <messaging@moderncrypto.org>, "openpgp@ietf.org" <openpgp@ietf.org>
Subject: Re: [openpgp] [messaging] On Signed-Only Mails

Vincent Breitmoser <look@my.amazin.horse> writes:

>More specifically, harmful for UX. Dragging them along as a feature does
>not make UX design easier :)

Ah, yes, in that case it's definitely harmful.

Peter.


From nobody Tue Nov 29 01:58:56 2016
To: Vincent Breitmoser <look@my.amazin.horse>, openpgp@ietf.org, messaging@moderncrypto.org, openpgp-email ML <openpgp-email@enigmail.net>
References: <20161129091837.GA25812@littlepip.fritz.box>
From: Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>
Message-ID: <d79bd3dc-a4f4-4f41-1a18-fcfe67b76e36@sumptuouscapital.com>
Date: Tue, 29 Nov 2016 10:58:43 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <20161129091837.GA25812@littlepip.fritz.box>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="9OH7KuUNegWAgAO3dkvnkjsmEalWwUVjS"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/BR8RMluWdfyxw_rCYjKoBX4THVs>
Subject: Re: [openpgp] On Signed-Only Mails

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--9OH7KuUNegWAgAO3dkvnkjsmEalWwUVjS
Content-Type: multipart/mixed; boundary="hl7buMj3rSpf35sgUwUku4eVd3xSI1gVg"
From: Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>
To: Vincent Breitmoser <look@my.amazin.horse>, openpgp@ietf.org,
 messaging@moderncrypto.org, openpgp-email ML <openpgp-email@enigmail.net>
Message-ID: <d79bd3dc-a4f4-4f41-1a18-fcfe67b76e36@sumptuouscapital.com>
Subject: Re: [openpgp] On Signed-Only Mails
References: <20161129091837.GA25812@littlepip.fritz.box>
In-Reply-To: <20161129091837.GA25812@littlepip.fritz.box>

--hl7buMj3rSpf35sgUwUku4eVd3xSI1gVg
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 11/29/2016 10:18 AM, Vincent Breitmoser wrote:
> In some more detail:
> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
>
> I received positive as well as negative feedback about this, and I'd
> love to hear more thoughts about it

Confidentiality is not a requirement for a number of my use cases, but
integrity control (including authentication) is. Clearsigned messages
can make archiving easier, and allow for sharing of information across
groups, while still maintaining it is in non-modified form from an
authorized party.

Incidentally I do request confirmation through signed media on a
context-dependent basis in the event of receiving non-signed email.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nosce te ipsum!
Know thyself!


--hl7buMj3rSpf35sgUwUku4eVd3xSI1gVg--

--9OH7KuUNegWAgAO3dkvnkjsmEalWwUVjS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--9OH7KuUNegWAgAO3dkvnkjsmEalWwUVjS--


From nobody Tue Nov 29 02:18:59 2016
Date: Tue, 29 Nov 2016 11:18:45 +0100
From: Vincent Breitmoser <look@my.amazin.horse>
To: Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>
Message-ID: <20161129101845.GA9995@littlepip.fritz.box>
References: <20161129091837.GA25812@littlepip.fritz.box> <d79bd3dc-a4f4-4f41-1a18-fcfe67b76e36@sumptuouscapital.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <d79bd3dc-a4f4-4f41-1a18-fcfe67b76e36@sumptuouscapital.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/LDGx2CKG59PHobp4MRIyMVK8ZK0>
Cc: messaging@moderncrypto.org, openpgp@ietf.org, openpgp-email ML <openpgp-email@enigmail.net>
Subject: Re: [openpgp] On Signed-Only Mails

> Clearsigned messages can make archiving easier, and allow for sharing
> of information across groups, while still maintaining it is in
> non-modified form from an authorized party.

Incidentally, this aligns with a thought Bjarni brought up just
recently:

https://github.com/mailpile/Mailpile/issues/1693

 - V


From nobody Tue Nov 29 11:12:47 2016
From: Brian Sniffen <bsniffen@akamai.com>
To: Vincent Breitmoser <look@my.amazin.horse>, openpgp@ietf.org, 
In-Reply-To: <20161129091837.GA25812@littlepip.fritz.box>
References: <20161129091837.GA25812@littlepip.fritz.box>
Date: Tue, 29 Nov 2016 14:13:18 -0500
Message-ID: <m2ziki14mp.fsf@abstraction.kendall.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/_JcLg-EhA00rxZfrAC01vNnzhU0>
Subject: Re: [openpgp] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 19:12:46 -0000

Vincent Breitmoser <look@my.amazin.horse> writes:
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.
>
> In some more detail:
> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html

Perhaps you don't see the use cases, but I see many every day: signed
e-mail messages for e-mail based manipulation of databases (e.g., bug
trackers, auto-builders, deployment systems).  Clearsigning is
particularly useful because it lets me CC others (they see the command
language, have an opportunity to learn it, question my action---the
social setting of e-mail works very well for interaction with this sort
of command language).

I suppose I could just clearsign a region of a text e-mail, but (a) that
means I need an even more complex UI on mobile devices, and (b) I don't
trust my mail chain not to screw up the formatting---which is part of
why we have PGP/MIME in the first place.  The next-best alternative is
a web interface, but that removes the ability to manage it through
mail---with all the threading and conversation conventions that come
with it.


I'm also curious about the UI: do you expect to only offer
(encrypted+signed) and (plaintext)?  If there are separate toggles for
encryption and signature anyway, what's the UI benefit?

-Brian


From nobody Tue Nov 29 19:04:19 2016
Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B274128DF6 for <openpgp@ietfa.amsl.com>; Tue, 29 Nov 2016 19:04:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level: 
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADxyr2diZa4E for <openpgp@ietfa.amsl.com>; Tue, 29 Nov 2016 19:04:16 -0800 (PST)
Received: from castro.crustytoothpaste.net (castro.crustytoothpaste.net [75.10.60.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6649129CC0 for <openpgp@ietf.org>; Tue, 29 Nov 2016 19:03:38 -0800 (PST)
Received: from genre.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by castro.crustytoothpaste.net (Postfix) with ESMTPSA id 73E49282B7 for <openpgp@ietf.org>; Wed, 30 Nov 2016 03:03:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=crustytoothpaste.net; s=default; t=1480475017; bh=Dkyz/+EryhLxjNi4qkVrfh+fejstoezX24nc2Uf5VHU=; h=Date:From:To:Subject:References:In-Reply-To:From; b=Kf0cYBh/ZuSqsouuoCdrXIOV0CcwxbXSNz45LMa5pl/Ctv+Y6kOm1d6rDRJuqtPla 0RpYEAzh9n2/y3L7yufAnFX0F43Y6OvYlBh6kM+ulWsadcNL8csYP0kdH46CFI2zvo bwtWeBag6bkqkuxVqLuB/mUrKkgAxldB5snofrEz59PRRLtkmmFZm7Hn0Wdaq/KV2z vJHH9Tl+ymApLh81w7IL6RfnwUZo1TfSeLSGPuclJZif8qIwJtuzLIbzRpDnDCbKhC iB6bp73PEnMDls/h2nU/gs7QwI7QfIugE9prC4gtfUt2HbYAsCfM0jMvnB/2+YrhjH JWABv8yuQ5eCEKBqaO+jYJHCrOEkzeoZiTU1BeCyMCgZuf81IK38ukzhGx/XmeoL5Z S7+RUZBs4Cnrr39KD2HZasuJIdWMC1ORZbePomOe5W6/LeQLo/7nehKDxSAFOymUZA p+PobBL1XNhkL45xdggyBFmLLyXutaKS2mvO8VzU52sG9AykOB1
Date: Wed, 30 Nov 2016 03:03:33 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <20161130030333.72yj7jrva7gbp432@genre.crustytoothpaste.net>
References: <20161129091837.GA25812@littlepip.fritz.box>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="z7355oubydrcavoh"
Content-Disposition: inline
In-Reply-To: <20161129091837.GA25812@littlepip.fritz.box>
X-Machine: Running on genre using GNU/Linux on x86_64 (Linux kernel 4.7.0-1-amd64)
User-Agent: NeoMutt/20161104 (1.7.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/WYovPO3nOvgufeKCTX6SqWPnP70>
Subject: Re: [openpgp] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 03:04:18 -0000

--z7355oubydrcavoh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Nov 29, 2016 at 10:18:37AM +0100, Vincent Breitmoser wrote:
> Hi all,
>
> (cross-posting on openpgp and messaging mls)
>
> during my work on bringing OpenPGP to K-9 Mail, I found myself
> reevaluating a lot of things. This time it's about signed-only mails.
>
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.
>
> In some more detail:
> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
>
> I received positive as well as negative feedback about this, and I'd
> love to hear more thoughts about it.

I work for a company where all mail needs to be signed.  If someone
wants me to install an SSH public key on a server, I need to be certain
that the person is who they say they are.  Furthermore, if one of the
system administrators sends an announcement email to the all-users list,
encrypting it to all possible employees at the company is not practical.
Signing it is still useful, especially if it includes something like a
Wi-Fi configuration file that people might use on their systems.

I use K-9 Mail for personal and work purposes, and I rely immensely on
the ability to send signed-only emails, often to mailing lists.  I think
that's an extremely common and important use case that we shouldn't
forget about.  Integrity is important even in cases where
confidentiality is not.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204

--z7355oubydrcavoh--


From nobody Wed Nov 30 01:03:22 2016
Return-Path: <Alexander.Strobel@giepa.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6F2212961A for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 01:03:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cV1wjWh6EPxR for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 01:03:20 -0800 (PST)
Received: from giepa-cn-bar.giepa.net (giepa-cn-mail.giepa.net [193.110.207.71]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05EBC12960A for <openpgp@ietf.org>; Wed, 30 Nov 2016 01:03:18 -0800 (PST)
X-ASG-Debug-ID: 1480496596-061b9a0ebb706b90001-H8Anin
Received: from DVWIGUPEX2013.intern.giepa.de (8204110193.giepa.de [193.110.204.8]) by giepa-cn-bar.giepa.net with ESMTP id YtZgtiLZwQydZ9uC (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO) for <openpgp@ietf.org>; Wed, 30 Nov 2016 10:03:16 +0100 (CET)
X-Barracuda-Envelope-From: Alexander.Strobel@giepa.de
X-Barracuda-Effective-Source-IP: 8204110193.giepa.de[193.110.204.8]
X-Barracuda-Apparent-Source-IP: 193.110.204.8
Received: from [172.30.129.7] (172.30.129.7) by DVWIGUPEX2013.intern.giepa.de (172.30.128.107) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 30 Nov 2016 10:03:14 +0100
To: <openpgp@ietf.org>
X-ASG-Orig-Subj: Re: [openpgp] On Signed-Only Mails
References: <20161129091837.GA25812@littlepip.fritz.box>
From: Alexander Strobel <Alexander.Strobel@giepa.de>
Openpgp: id=095BD69C7AC365895AC57EA9874D04CCA111C47B
Message-ID: <bc170d67-3d83-6817-3508-21f904bf7730@giepa.de>
Date: Wed, 30 Nov 2016 10:03:13 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <20161129091837.GA25812@littlepip.fritz.box>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.30.129.7]
X-ClientProxiedBy: DVWIGUPEX2013.intern.giepa.de (172.30.128.107) To DVWIGUPEX2013.intern.giepa.de (172.30.128.107)
X-Barracuda-Connect: 8204110193.giepa.de[193.110.204.8]
X-Barracuda-Start-Time: 1480496596
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA
X-Barracuda-URL: https://193.110.207.71:443/cgi-mod/mark.cgi
X-Barracuda-Scan-Msg-Size: 1405
X-Virus-Scanned: by bsmtpd at giepa.net
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=1000.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.34831 Rule breakdown below pts rule name              description ---- ---------------------- --------------------------------------------------
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Od6gvoUz3OAa1SVf7I8rdTyLBpg>
Subject: Re: [openpgp] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 09:03:21 -0000

Am 29.11.2016 um 10:18 schrieb Vincent Breitmoser:
> Hi all,
> 
> (cross-posting on openpgp and messaging mls)
> 
> during my work on bringing OpenPGP to K-9 Mail, I found myself
> reevaluating a lot of things. This time it's about signed-only mails.
> 
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.

I don't think signed only emails are useless. In my personal opinion I
would love to see all companies sending out signed emails that contain
invoices.
If any company would change their email addresses or someone from
another department sends me an email, I would know that this is
(presumably) not a phishing attack. (At least was sent from someone
within this company which gives me some more trust in the reliability of
its contents.) At the moment I receive an email with a sender address
that might or might not belong to the company. How can I know?
Sure, the company had to put the fingerprints of their key(s) on their
website or tell it on the phone and I would have to check it, but that's
not a very big problem.
Maybe I miss something but, in this case signing seems a good idea to me.


Best regards
 Alex Strobel
 www.gpg4o.com


From nobody Wed Nov 30 01:07:56 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2FFE129D49 for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 01:07:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.697
X-Spam-Level: 
X-Spam-Status: No, score=-5.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rAx8H6WUGa8k for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 01:07:45 -0800 (PST)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EBDA129D3C for <openpgp@ietf.org>; Wed, 30 Nov 2016 01:06:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1480496783; x=1512032783; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=Cczc8uR2SkfwRo74zOGcbi+0Y/VZmojtIeBrS2TeEKs=; b=mNn7ywb+m4l5XoH9jSH5tzyjC0wf9apJOYe+iFnkR/T3rt5vxO59nNnG nyS1OhgMqI+yyISFui/e97FsCLyEIxdhHUHNJ53kz/L9WFg84MV4claEs Ugxh83tGCWsvJexhIOniEIc5Yy4my8kQhLpLYKgJ9y0qRUgCHmZRdjd8K rY3HkrxLtqLlkaCl9Lv+FQx0I+Prq+86lAdIU4VyQKtp1FC9yvqEsnbjJ 3zQguBdaLHI81Um6BletM/XFn8VvBrSwPXzfxNFEprbx/wjxy+M+iu2F8 84L+04Tp5KcOtCj6JjaiBBBfO5s05azjG6BdhJuO2IPHdr6K30dsY4a7a w==;
X-IronPort-AV: E=Sophos;i="5.31,573,1473076800"; d="scan'208";a="118003990"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.5 - Outgoing - Outgoing
Received: from uxcn13-tdc-d.uoa.auckland.ac.nz ([10.6.3.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 30 Nov 2016 22:06:21 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.25) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 30 Nov 2016 22:06:20 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Wed, 30 Nov 2016 22:06:20 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Brian Sniffen <bsniffen@akamai.com>, Vincent Breitmoser <look@my.amazin.horse>, "openpgp@ietf.org" <openpgp@ietf.org>
Thread-Topic: [openpgp] On Signed-Only Mails
Thread-Index: AQHSSnXrOkVV9KGpgUG1FKe72d4DVqDxPRCm
Date: Wed, 30 Nov 2016 09:06:20 +0000
Message-ID: <1480496776340.83335@cs.auckland.ac.nz>
References: <20161129091837.GA25812@littlepip.fritz.box>, <m2ziki14mp.fsf@abstraction.kendall.corp.akamai.com>
In-Reply-To: <m2ziki14mp.fsf@abstraction.kendall.corp.akamai.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/hv6lZXwvF4ykiHHcAPhOBcW8uyc>
Subject: Re: [openpgp] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 09:07:49 -0000

Brian Sniffen <bsniffen@akamai.com> writes:

>Perhaps you don't see the use cases, but I see many every day: signed e-mail
>messages for e-mail based manipulation of databases (e.g., bug trackers,
>auto-builders, deployment systems).

That isn't really signed email though, that sounds more authenticated EDI-
style messaging...

Peter.


From nobody Wed Nov 30 01:42:39 2016
Return-Path: <schnabbel@inurbanus.nl>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 581B3129EB5 for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 01:42:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.334
X-Spam-Level: 
X-Spam-Status: No, score=-1.334 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=inurbanus.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id smIX8R81tf_9 for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 01:42:34 -0800 (PST)
Received: from mail-ua0-x235.google.com (mail-ua0-x235.google.com [IPv6:2607:f8b0:400c:c08::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C112129D6D for <openpgp@ietf.org>; Wed, 30 Nov 2016 01:40:17 -0800 (PST)
Received: by mail-ua0-x235.google.com with SMTP id 51so207311129uai.1 for <openpgp@ietf.org>; Wed, 30 Nov 2016 01:40:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inurbanus.nl; s=google-inurb; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=W7kEiGMuSBHjqz1LOmdSwgIzcbYb0l/WCEFoxoMRtbg=; b=X86B7aahjY+ktdMgX4RO80rujltY5xLA35P5JvkA2jtpdkJvl7znmco+Vqs7blxipo W82oZMJzOh3nLnH5uGCC+oIKKPhxUsLvPdBdM09/uOne27Fqp3UpIwoNyzAvMHpK0CDA 8T0YTfHh3r4fvgAcih5hH1ov8vNuPoMefQ15o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=W7kEiGMuSBHjqz1LOmdSwgIzcbYb0l/WCEFoxoMRtbg=; b=l3zz9GB8Tdo5y0i+p7wLbSTMbXusrgP0hVxnW2t+K+mCcBUlOm+BSTqScS+01XTK6o JYRvjhgS/hHqpsxaDS95FuRAV0C6dj7pXtHj2KaztbrPvF7E9JqqHkOH3rnTjKx0JHyZ iW1YA1mRaeDaIOWOhzyHj7CSEh3gUuVeKKQ2ZuZWfG2AbZdrqfcmlu8+gqpADFGJeVIe 6CxP15uk+75SIGeevpeTCAkQNrod5KTWFwZLnb+v0Qa11KD/ZRk7otBYg8pRrjkH3yRC 9GeOMDwd49SkktByI6+sU3h3a0MxuFTJ5mQA/QqFpKrwkj2XpuQmsqjsZewk7EHE4fZ+ Yvug==
X-Gm-Message-State: AKaTC0321Z47jpTXTRs6r4Fqtp+aGwdsHbLcUzxkLLGhDWVZKSm0jkzavLSkSFwCJEMoN/3vKXF0/633ozeAHg==
X-Received: by 10.176.80.169 with SMTP id c38mr23584856uaa.61.1480498815865; Wed, 30 Nov 2016 01:40:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.103.21.67 with HTTP; Wed, 30 Nov 2016 01:40:15 -0800 (PST)
In-Reply-To: <bc170d67-3d83-6817-3508-21f904bf7730@giepa.de>
References: <20161129091837.GA25812@littlepip.fritz.box> <bc170d67-3d83-6817-3508-21f904bf7730@giepa.de>
From: Thijs van Dijk <schnabbel@inurbanus.nl>
Date: Wed, 30 Nov 2016 10:40:15 +0100
Message-ID: <CADGaDpGHDvL4xLd5kF=6cCgaPPOWkQb1gHL4D-0aQTP+aLkRsg@mail.gmail.com>
To: Alexander Strobel <Alexander.Strobel@giepa.de>
Content-Type: multipart/alternative; boundary=94eb2c1901f802dffe0542817e6b
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/AtYaunvZrLYonSdSozk5ajrG1hA>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 09:42:37 -0000

--94eb2c1901f802dffe0542817e6b
Content-Type: text/plain; charset=UTF-8

On 30 November 2016 at 10:03, Alexander Strobel <Alexander.Strobel@giepa.de>
wrote:

> Am 29.11.2016 um 10:18 schrieb Vincent Breitmoser:
> > Hi all,
> >
> > (cross-posting on openpgp and messaging mls)
> >
> > during my work on bringing OpenPGP to K-9 Mail, I found myself
> > reevaluating a lot of things. This time it's about signed-only mails.
> >
> > In short, my conclusion so far is that signed-only mails are very rarely
> > useful, they are holding OpenPGP back as a solution for encrypted
> > e-mail, and in the interest of usability we should not roll them out in
> > email crypto solutions on equal terms with encryption.
>
> I don't think signed only emails are useless. In my personal opinion I
> would love to see all companies sending out signed emails that contain
> invoices.
> If any company would change their email addresses or someone from
> another department sends me an email, I would know that this is
> (presumably) not a phishing attack. [... snip ...]
> Sure, the company had to put the fingerprints of their key(s) on their
> website or tell it on the phone and I would have to check it, but that's
> not a very big problem.
> Maybe I miss something but, in this case signing seems a good idea to me.
>

Yes, conceptually this is a very good case for signing e-mails. In fact,
many companies already do this with more light-weight DKIM signatures. As
an added bonus, users (or UI makers) are saved the hassle of manual key
management because the signing keys are simply available in DNS.

-Thijs van Dijk

--94eb2c1901f802dffe0542817e6b--
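
The DNS key lookup mentioned in the message above, as an added example that is not part of any message in this thread: it parses a DKIM-Signature header value (RFC 6376 tag list), derives the DNS name where the public key is published, and reports what the signature leaves uncovered. The sample header, its domain and selector, and the function names are constructed for illustration; the alignment check is a simplified assumption, not full DMARC logic.

```python
import re

# Constructed sample header value (not copied from a real message); the
# domain, selector and the hash/signature placeholders are made up.
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    " t=1480446764; bh=PLACEHOLDERBODYHASH=; l=1515;\r\n"
    " h=From:To:In-Reply-To:References:Date:From;\r\n"
    " b=PLACEHOLDER\r\n SIGNATURE="
)

# Tags that RFC 6376 requires in every DKIM-Signature header.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    # Undo header folding (line break followed by whitespace).
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for item in unfolded.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError("malformed tag: %r" % item)
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = val.strip()
    # Base64 values may contain folding whitespace; remove it.
    for name in ("b", "bh"):
        if name in tags:
            tags[name] = re.sub(r"\s+", "", tags[name])
    return tags


def key_record_name(tags):
    """DNS name of the TXT record that holds the signer's public key."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def signed_headers(tags):
    """Header field names covered by the signature, lower-cased."""
    return [h.strip().lower() for h in tags["h"].split(":")]


def review(tags, from_domain):
    """Return findings about what this signature does not protect."""
    findings = ["missing required tag %s=" % t
                for t in REQUIRED_TAGS if t not in tags]
    if findings:
        return findings
    covered = set(signed_headers(tags))
    if "from" not in covered:
        findings.append("From is not signed (RFC 6376 requires it)")
    for name in ("subject", "date", "to"):
        if name not in covered:
            findings.append("header '%s' is not covered by the signature" % name)
    if "l" in tags:
        findings.append("l=%s: only the first %s body bytes are signed; "
                        "content appended after that is not covered"
                        % (tags["l"], tags["l"]))
    if tags["a"].lower() == "rsa-sha1":
        findings.append("a=rsa-sha1 uses a deprecated hash")
    # Simplified alignment (assumption): the From domain must equal d= or be
    # a subdomain of it. Real DMARC compares organizational domains.
    d = tags["d"].lower()
    fd = from_domain.lower()
    if not (fd == d or fd.endswith("." + d)):
        findings.append("d=%s is not aligned with From domain %s" % (d, fd))
    return findings


if __name__ == "__main__":
    parsed = parse_dkim_signature(SAMPLE)
    print("key record:", key_record_name(parsed))
    for finding in review(parsed, "example.com"):
        print("finding:", finding)
```

The signature identifies the domain named in d=, not an individual sender, which is the main difference from the per-person OpenPGP signatures discussed in the thread.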


From nobody Wed Nov 30 07:57:44 2016
Return-Path: <bsniffen@akamai.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA15A1295C3 for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 07:57:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level: 
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKEM8LZIXoPJ for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 07:57:37 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id C9E311294EB for <openpgp@ietf.org>; Wed, 30 Nov 2016 07:54:58 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 5460943341A; Wed, 30 Nov 2016 15:54:58 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 3DE70433413; Wed, 30 Nov 2016 15:54:58 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1480521298; bh=LSWRWtPJz9skCq8cf6D5ZfJ0umc8vGwFZhr+d6rYYvs=; l=722; h=From:To:In-Reply-To:References:Date:From; b=ENbbIy8zh78/DBvHBsP/gd0nvY9Lb00EMPJ1CW98B2Ap+uc+3AXYyvJlROfQaHU4B Yv03B+T7mGFZnMs9Gw/a6mJ/Yjgc6i2yq1JbHAnD/8YuozwKKtOhDjUQQazzCW+uC9 4oRaDcBx+2nJEQwCxSYHydCXQk1xxhs2p6CQPA68=
Received: from bos-mpeve.local (unknown [172.19.42.228]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id F32E21FC8E; Wed, 30 Nov 2016 15:54:57 +0000 (GMT)
From: Brian Sniffen <bsniffen@akamai.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Vincent Breitmoser <look@my.amazin.horse>, "openpgp\@ietf.org" <openpgp@ietf.org>
In-Reply-To: <1480496776340.83335@cs.auckland.ac.nz>
References: <20161129091837.GA25812@littlepip.fritz.box> <m2ziki14mp.fsf@abstraction.kendall.corp.akamai.com> <1480496776340.83335@cs.auckland.ac.nz>
Date: Wed, 30 Nov 2016 10:54:57 -0500
Message-ID: <m2lgw10xpq.fsf@abstraction.kendall.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/A4BXi90wrVA2dOtxVvlMh3_xyZI>
Subject: Re: [openpgp] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 15:57:42 -0000

On Wed, Nov 30 2016, Peter Gutmann wrote:

> Brian Sniffen <bsniffen@akamai.com> writes:
>
>>Perhaps you don't see the use cases, but I see many every day: signed e-mail
>>messages for e-mail based manipulation of databases (e.g., bug trackers,
>>auto-builders, deployment systems).
>
> That isn't really signed email though, that sounds more authenticated EDI-
> style messaging...

I do mean signed e-mail, where every message is to and from humans---but
sometimes CC's a robot.  The bugs.debian.org system is a good, publicly
available, example of what I mean.

-- 
Brian Sniffen <bsniffen@akamai.com>
Information Security: Safety, Adversarial Resilience, Tools, Compliance
/(* Akamai - Faster Forward

