--On Monday, February 03, 2014 09:05 -0500 Theodore Ts'o <tytso@xxxxxxx> wrote: > On Sun, Feb 02, 2014 at 06:44:58PM -0600, Pete Resnick wrote: >> I agree that authentication is irrelevant in this context. But >> that's leads me to agree with Dave on a central point (hence >> the little I-D we've been banging on and submitted to the >> STRINT folks): The problem with PGP and S/MIME is that they >> require authentication in order to start using encryption, >> and since authentication is both irrelevant to this *and* a >> pain to do... > > We should be a bit careful about our terms here. If we don't > care about authentication at all, one solution is to just do > hop-by-hop diffie hellman (or TLS with completely unchecked > certificates). That's actually pretty easy, and it's not a bad >... > As a specific example, if all you want to do is make sure that > someone really controls the e-mail address named in the PGP > key identity, then you could do an web-automated version of > "CAFF" (Certifying Authority Fire and Forget)[1]. > > [1] http://manpages.ubuntu.com/manpages/hardy/man1/caff.1.html > > So imagine a web service, running on tools.ietf.org, (a) which > makes someone prove that they have control over a specified > e-mail address, by mailing them a URL with a one-time code > embedded in it, then (b) asks them to upload a PGP key, and > then (c) it sends back to that e-mail address their PGP key > signed with a registry key --- but the signature is encrypted > so only someone with the private key of the PGP key can > decrypt it. This basically proves that the submitting entity > has control over both the e-mail address and the private key > of the PGP key that they are requesting be certified. > > If this is being done via https, and you trust that the CA for > ietf.org is doing a competent job, and *all* CA's and sub-CA's > trusted by your browser are doing a competent job, then this > will basically do what you want, and it doesn't require people > to show up at a PGP signing party. The user experience > becomes that which is needed when you sign up for a Google, or > Yahoo, or any other web site which demands that you prove that > you have a valid e-mail address. Right. Very weak authentication of individual identity but, given the above assumptions, decent-or-better authentication of ownership of keys, addresses, and identity-persistence. Whether that is good enough depends on one's concerns and attack scenarios -- for the IETF list, I'd imagine almost no one would care. And, of course, the requirement of competence by "*all* CA's and sub-CA's trusted by your browser" doesn't pass a laugh test these days unless one is paranoid and geeky enough to edit browser CA lists down to those one actually has reason to trust. That is why I think it is worthwhile to tease out what we really want and need, not say blanket things like "no authentication needed" as Pete's note seemed to. john