[messaging] confidentiality trumps authenticity was: OpenPGP Trust is broken Was: On Signed-Only Mails
holger at merlinux.eu
Thu Dec 8 06:09:11 PST 2016
On Thu, Dec 08, 2016 at 08:10 -0500, Phillip Hallam-Baker wrote:
> There are two sets of problems identified relating to signed emails.
> CIA: Confidentiality, Integrity, Availability.
> The first, most important consideration in virtually every system is to
> protect the availability of the data. The second most important is
> integrity. Confidentiality is the least important concern.
> A bank that is hacked and customer bank details are disclosed is in trouble
> but a bank that is hacked and has money stolen is in worse trouble and a
> bank who loses its account data and cannot recover it from backups is a
> All documents should be signed but only confidential documents need to be
> or should be encrypted.
Humans are not banks ... i am not sure this analogy is very helpful.
People who are targetted and easily imprisoned say in Turkey or Egypt
certainly care a lot about confidential communications and might be able
to assert authenticity by other means than digital signatures.
I currently agree with RFC7435 "Opportunistic Security" [*] which
values encryption higher than authentication if it helps to defend against
passive attackers. Conversely, if preventing active attacks makes a
system more complex so that its adoption goes down and most people are
thus not even safe against passive attacks we have failed.
The ultimate measure of success is the actual collective outcome for
people not how well some protocol follows a particular principled view or
btw thanks for an interesting discussion so far,
[*] see https://tools.ietf.org/html/rfc7435#section-1.1
for the source of my interpretation.
More information about the Messaging