On Sun, Feb 02, 2014 at 06:44:58PM -0600, Pete Resnick wrote: > I agree that authentication is irrelevant in this context. But > that's leads me to agree with Dave on a central point (hence the > little I-D we've been banging on and submitted to the STRINT folks): > The problem with PGP and S/MIME is that they require authentication > in order to start using encryption, and since authentication is both > irrelevant to this *and* a pain to do... We should be a bit careful about our terms here. If we don't care about authentication at all, one solution is to just do hop-by-hop diffie hellman (or TLS with completely unchecked certificates). That's actually pretty easy, and it's not a bad thing to do whether or not we do anything else, since it makes pervasive monitoring more expensive by requiring the attacker to forgo passive eavesdropping and have to do active M-I-T-M attacks. If instead what we are saying is that we don't really care about tieing a particular encryption key to a specifically named human being, but to some other property, then this starts addressing the "do we really need to have geek-friendly-but-scares-the-civilians PGP key signing party" problem. Instead you might want to say, "I don't care whether this really is Mr. John Doe from Lower Elbonia, but I do want to know whether this is the same entity who has been corresponding for the last two months on the wg mailing list --- or is the author of a particular I-D". As a specific example, if all you want to do is make sure that someone really controls the e-mail address named in the PGP key identity, then you could do an web-automated version of "CAFF" (Certifying Authority Fire and Forget)[1]. [1] http://manpages.ubuntu.com/manpages/hardy/man1/caff.1.html So imagine a web service, running on tools.ietf.org, (a) which makes someone prove that they have control over a specified e-mail address, by mailing them a URL with a one-time code embedded in it, then (b) asks them to upload a PGP key, and then (c) it sends back to that e-mail address their PGP key signed with a registry key --- but the signature is encrypted so only someone with the private key of the PGP key can decrypt it. This basically proves that the submitting entity has control over both the e-mail address and the private key of the PGP key that they are requesting be certified. If this is being done via https, and you trust that the CA for ietf.org is doing a competent job, and *all* CA's and sub-CA's trusted by your browser are doing a competent job, then this will basically do what you want, and it doesn't require people to show up at a PGP signing party. The user experience becomes that which is needed when you sign up for a Google, or Yahoo, or any other web site which demands that you prove that you have a valid e-mail address. - Ted