[messaging] Axolotl for email

[Jeff Burdges]

On Thu, 2016-06-09 at 11:16 -0700, Wei Chuang wrote:
> Would it make sense to apply Axolotl for email encryption?

Do you know about Pond?  https://github.com/agl/pond
Adam has taken pond.imperialviolet.org down, but you can read more at
http://archive.is/iiF5f

An Axolotl based messenger would normally decrypt the message only once
and stores the decrypted message locally after reencrypting it with
another local key.  This provides deniability and improves
forward-secrecy.  

If you want this, then you cannot integrate with email clients the way
GPG does.  Instead, you must provide POP proxy or something.  And ask
the user to set up full disk encryption.


On Thu, 2016-06-09 at 21:15 +0200, Vincent Breitmoser wrote:
> The obvious place to put the data is the mailbox. Mail servers via
> imap are pretty okay at synchronizing immutable blobs of data, so it
> should be possible technically to achieve synchronized state among all
> MUAs.

You mean using separate pairwise ratchets amongst your different MUAs?
I suppose that's what OMEMO does.

> But I think there's a catch: We can never reliably *delete* data from
> the server. This essentially breaks the properties we gain from key
> erasure ("forward secrecy") in the first place.

Yeah, anything that goes through SMTP gets recorded by some adversary.
In fact, I doubt it's worth attempting to fix email beyond minor
improvements to GPG integration because the metadata leakage sucks too
badly. 

That said, your Axolotl header encryption could be a wide block cypher
that encrypted the body too.  At least then the adversary must record
the whole message attachments and all. 

Jeff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20160609/94bd0b5b/attachment.sig>