Work in progress, but comments welcome! (e.g. use gnupg-devel@).
According to user story T1 in EasyGpg2016/VisionAndStories we want to find a single certificate for a given email address even if there has not been previous email exchange. It has to work without user interaction. In T2 and T3 we think about what happens if the communication partner is not ready for this communication.
Assuming both partners have already been set up, we have to solve the following problems reliably without user interaction:
- How can I get the cert for the email address? ("Discovery", "cert distribution")
- How I can gain I gain some basic level of trust that this is the current cert the owner of the email address wants me to use ("building trust" or "validation").
Within the EasyGpg-contract we are attempting a solution that is comparatively easy to implement to raise chances that it will actually widen the user base. The design idea is to use the already existing relation of an email address owner to his or her mail service provider (MSP). It is an inherit common interest of both parties to actually provide a verified relationship so that only the owner can connect to their email storage.
The drawback of this design idea is that an man-in-the-middle attack by the MSP is a lot easier compared to the web of trust approach where several external parties are involved and users must explicitly argument about trust relations. The idea is that users with a higher security interest (like Annika or Bob) will build additional trust using advanced methods.
TODO Terminology: the OpenPGP community uses the term 'key' or 'public key'. Some draft text sections here try how "certificate" or "cert" for the same thing will read, coming from an idea with the Gpg4win Compendium to have a distinction between public and secret key-pair-element, unify the concept with the CMS world and be more reader-without-crypto-friendly.
How to find the cert?
We propose the following steps
- Ask the mail service provider of the recipient email address.
- If the MSP does not support the request: Ask a central fallback server for all email addresses. [ I do not like that approach because it shifts the responsibility from the mail address provider to some 3rd party. This raises all kind of problems and requires a central system for all users for all non-supportive mail providers. There are also legal problems with that, in particular in Germany -- Werner Koch 2016-05-04 16:12:19 ]
- If the fallback server fails, we may resort to trying a classic web of trust "cert server" (aka "key server"). [ This does not help in any way to find a key associated with a mail address ]
Mail Service Provider
An email account owner has already trusted their email service provider to accept, deliver and possibly store her communication. Technically the connection will be done with TLS secured protocol variants of something like IMAP (receiving, access to storage), SMTP (outbound sending) or HTTP in case of an web application. In each case the user will have to authenticate to use the service.
All we need to use this trust relation is to find
- a protocol to ask the MSP for the certificate of a specific email address
- a way for email applications to give, update, request deletion of their cert from the MSP. [ There is no need for deletion - if the mail address is taken out of service the key will vanish anyway. -- Werner Koch 2016-05-04 16:12:19 ]
Some design criteria:
- they are easy to implement for a mail service provider, especially the larger it gets. Because that raises the chance of adoption.
- In addition they should not reveal the existence of email-addresses [ You can't avoid that ].
- They are better if they are revealing less about who want to communicate with whom.
GnuPG 2.1.12 has experimental support for an upcoming draft "Web Key Directory key location service" based on the HTTPS query idea.
Drawbacks of DNS are:
- DNSSEC ist not fully deployed everywhere
- It is unclear if DNS can really handle millions of email addresses [ Nope: DNS can handle arbitrary amounts of data; the size of a data item is limited but not their numbers. -- Werner Koch 2016-05-04 16:12:19 ]
- The decentral nature of DNS may leak more information than necessary. (Question could I protect email addresses with DNS?)
An advantage of DNS is that there already exits implementations (GnuPG 2.1) and some real world deployments.
The 2016 design idea is to use a well-known URL via an HTTPS request. https://example.org/.well-known/openpgpkey/hu/XXXXX
Advantages for HTTPS are:
- well understood how to scale high
- no time-out delays
- request details protected by TLS connection, only leaks the information that user may want to communicate with some user of this domain.
- can also be used on the potential fallback server.
- (expected:) adding one more URL to a webservice can be technically separated nicely from other service, DNS may be couple more deeply. So it may be easier to convince MSP to try the HTTPS for a while than to add a very dynamic system to their DNS service which will be mission critical.
Two ideas exist here, which need to be discussed and decided in finer detail:
- also use an HTTPS interface together with authentification
- use an email submission interface
Implementation ease on the server site probably depends on how easy it is to couple mail service credentials to the HTTPS or SMTPS service or insert some crypto processing for incoming emails. On client side the email handling interface also means the crypto component has to be able to send and intercept handling emails. [ Given that the whole thing is for MUAs, this is not a problem at all. -- Werner Koch 2016-05-04 16:12:19 ]
HTTPS may provide a faster feedback if my crypto setup is ready because of the online connection. [ Nope: Email verification requires sending and receiving of emails - regadless how it was initially triggered. -- Werner Koch 2016-05-04 16:12:19 ]
TODO further discussion.
Central fallback server
What if some mail service providers are slow on the uptake of this concept?
Would our archetype users consider switching to another email provider? Bob probably would, but the others?
The idea of a fallback server is to enable users to participate in the concept without direct support of their mail service provider. This is a main advantage to provide first value quickly to many email users.
But it comes at a number of potential drawbacks:
- A central service requires extra interaction for building the connection between email owner and corresponding cert. It basically becomes some sort of 'validating keyserver' which all of its security problems.
- The more percentage of certs it holds, the more valueable it becomes making it more and more a target for attacks, a single point of failure and harder to operate.
- It may dimish the motivation of MSP to implement the part of the service on their side, because it is already working.
Thus it is an open decision how to deal with a fallback server.
One path of action proposed by -- bernhard 2016-05-04 12:59:37 is to:
- operate the fallback server to bring value faster to people and show that the user experience side works on a wider scale.
- Publish statistics about the number of email addresses from certain mail user providers on the corresponding website.
- Approach mail service providers repeatedly if their email usage is growing over certain numbers.
- Put public limits in for the service in numbers and time. E.g. 2016-11-16: now that 100k user from example.com use the fallback server, we will provide access to them for another three month and after one month warning them of the discontinuing of the service. [ You missed the :-) ]
- Publicly announce mail service providers that are now offering the service on the same website.
- Help mail service providers to make it really easy to implement their part, e.g. by providing software components and migration support from the fallback server.
- (For being able to inform fallback server users of a change of service, there must be provisions when signing the users up that it is okay to do so later.)
Classic "key" (aka cert) servers
If we are back to this point, our of course this means our unattended use for sending the email will not work. It would be by pure chance that only one public user id will be found on the public servers ("discovery") and that it carries a signature from a cert that I already "trust" to sign others ("validation"). Our choice is to offer the user the change to go to a more complex full-blown certificate management handling or to offer hints to contact the communication partner to adopt the scheme proposed here.
However asking cert servers can be a good idea to sometimes find revocation certificates for certs I already know. This is important if the earlier stages fail which is always a possibility in the distance future. So a cert-server check is part of our proposed steps.
Future other services?
TODO , e.g.