--On Sunday, February 02, 2014 18:44 -0600 Pete Resnick <presnick@xxxxxxxxxxxxxxxx> wrote:

> The problem with PGP and S/MIME is that they require
> authentication in order to start using encryption, and since
> authentication is both irrelevant to this *and* a pain to do,
> I don't think it's likely that mechanisms that require
> authentication to get started are good candidates to address
> PM, let alone be a terribly good demonstration that we can do
> encryption.

Pete,

Perhaps I'm missing something, but it seems to me that, if one is willing to rely sufficiently on the email system to say "this will get to the intended person (or at least mailbox), and, if it does, the person who opens it will either have the relevant key to be able to read it or not and, if they don't that is ok", then all that is needed is a self-signed key (or self-signed X.509 cert). That is basically "key but no authentication".

Put differently, we _always_ rely on authentication -- if I send mail to "presnick@xxxxxxxxxxxxxxxx", I'm making a whole series of assumptions that it is you, that such mail will reach you and only trust-able others, and so on. Those assumptions are fairly weak and certainly don't involve independent certification, but that is about the strength and quality of the authentication, not whether authentication is assumed or not.

Put differently, unless my 30 second approximation to a threat analysis missed something, it provides about the same level of authentication as "I can buy a domain name without showing any identity evidence other than the ability to make payment, I can get a certificate issued on the basis of being able to set a mailbox and appropriate DNS records to receive mail at that domain and/or can publish keys as part of that domain record".
Like those [other] domain-based approaches, it is going to be pretty good in practice unless an attacker has the ability to either subvert a registrar [1] or, perhaps, to intercept and divert (or copy) traffic en route [2].

Again, with either PGP or S/MIME (and X.509) with a self-signed cert or key, authentication is not needed to start using encryption, only a (perhaps implicit) belief on the part of the sender that, if the recipient can advertise a public key, it probably has the private one and that the key-advertiser is not the proverbial entity-in-the-middle.

Of course, those of us who prefer a somewhat higher degree (and/or out of band) of assurance that the entity we are communicating with is the intended one will need authentication and authentication strong enough to be convincing for our purposes. That is, as you suggest, a separate issue and more of a pain. It may be inconsistent with legitimate anonymity. For those who want it, bringing people together for key signing may be helpful. It may be especially helpful for anyone who believes that "appears to be human, has a face, registered for IETF, and can find the room in which a key-signing is to occur" [3] is a better minimal credential than "was able to obtain a domain name" [4].

best,
   john

-----------------
Snarky notes:

[1] While there are clearly exceptions, there is considerable evidence that "Honest and Careful Registrar" is an oxymoron and even that a complete lack of scruples, or at least aggressive and deliberate ignorance about registrant credentials, are encouraged by ICANN policies. If that be the case, then authentication methods that ultimately depend on the identity-quality of domain "purchase" and registration are effective only to the extent to which an attacker is lacking in motivation... unless one knows the domain of the relevant individual and server with some independent certainty (that notion of independent authentication again) and that the FQDN string is spoof-proof.
[2] Of course, if the attacker cannot, or isn't willing to invest the resources to, intercept and capture or divert an in-transit data stream (or fake DNS records) then I don't quite understand the threat model that unauthenticated (or very low quality authentication) encryption protects against.
[3] If someone shows up at a key signing whom I've never seen before and hands around a passport that says "Republic of Lower Slobbovia" on the cover and has a picture and name inside, whether a potential signer knows more about that individual's identity than "appears to be human, etc.". Few of us have ever seen a Lower Slobbovian passport much less know how to authenticate one. So, again, authentication and quality of credentials covers a broad spectrum. The question isn't "authentication or no authentication", it is what sort of credentials are good enough for an intended purpose (and in context with other methods).
[4] Note too that any sort of credential that draws on the DNS for authenticity or key integrity and binding works a lot better for domain-per-individual or domain-per-activity than it does for domain-per-group-or-enterprise because, to some extent, such methods depend on one's trusting everyone who is either a legitimate user of the domain or who can compromise it.