Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

IETF Action on Secure Email

Early last week I emailed a group of IETF Area Directors, for the Security and Applications areas, asking them to start the process of creating a new Working Group to address the issues around email security. (Thanks Adrian Farrel for the prodding!)

Today, the first result of the effort has been completed – the new endymail mailing list. An IETF venue to discuss how these issues can be addressed, hopefully laying the groundwork updated standards to improve email as we know it today, and eventually standardizing a replacement to SMTP and related protocols. Here’s the description that the group came up with for the new list:

There is significant interest in improving the
privacy-related properties of Internet mail. One focus of
current efforts is on the per-hop (connection-based)
protections provided by TLS. However a wide range of other
work has a focus on end-to-end protection, at the Internet
scale of billions of end users and perhaps millions of
operators. Such work typically involves new forms of mail
header or body protection, new public key management
(compared to S/MIME or PGP), and security mechanisms more
appropriate for mobile/web user-agents. Other
security-relevant approaches may be discussed if needed.
Various proposals and development efforts on this topic are
underway outside the IETF. This mailing list provides an
IETF venue for discussion of elements that might be commonly
needed by such efforts and to identify work that the IETF
could do to aid in achieving better end-to-end security
deployed for Internet email.

While the creation of another mailing list is far from groundbreaking, it’s the necessary first step in standardizing a solution to a decades old problem.

I encourage everyone interested in email security and privacy to join the list, and participate in the discussions that will lead to new standards. (Though please wait a bit for people to subscribe before starting discussions.)

A big thanks to Stephen Farrell, Joe Hildebrand, and Pete Resnick for their enthusiastic support for this effort.

Adam Caudill


Related Posts

  • SMIMP at the DEFCON Crypto Village

    Last week I gave a lighting talk at the DEFCON CryptoVillage on SMIMP. The talk went over the basics of why the project is needed, and how the specification works. Here are the slides: Here is a rough transcript of the talk: Slide 1: I’m Adam Caudill, I’m a developer and security researcher; I work on a number of different things, but my recent work has been around privacy and secure messaging.

  • The Sinking Ship of E-Mail Security

    E-Mail, the venerable old standard for internet text messages, dating back to the early 1980s – and back to the early 1970s in other forms, has long been the “killer app” of the internet. While so many companies try to make the next great thing that’ll capture users around the world – none of these compare to the success of e-mail. It is likely the single most entrenched application-layer protocol used today.

  • 30 Days of Brave

    Brave is a web browser available for multiple platforms that aims to provide additional security and privacy features – plus a novel monetization scheme for publishers. I gave it 30 days to see if it was worth using. I switched on all platforms I use to give it a fair shot, I normally use Chrome which made the switch less painful, though the results were very much mixed. There are some things I honestly liked about it, some things I really disliked, and at least one thing that just made me mad.

  • On Strong Identity Management

    Alice wants to send an encrypted message to Bob; she knows his address, but doesn’t know the public key that goes with that address. Using GPG, Alice would look up his address on a key server, the issue is of course that anyone can upload a key associated with Bob’s address. Using the “web of trust” model, Alice would look at the different keys and see which ones are signed, and if any of them are signed by people she knows.

  • Security By Buzzword – Why I don’t support Ensafer

    Update: I had a call with Ensafer’s CTO, Trygve Hardersen to discuss the issues I brought up, and what they can do about it. First, they updated the site so that downloads are now over HTTPS. He stated that the infrastructure that powers their service is separate from the website, and everything is over HTTPS. They are working on making documentation available, and hope to have the first documents available soon.