September 01, 2007

How S/MIME could suck slightly less with a simple GETSMIME

I've been using S/MIME for around a year now for encrypted comms, and I can report that the overall process is easier than OpenPGP. The reasons are twofold:

  1. Thunderbird comes with S/MIME and not OpenPGP. Yes, I know there are plugins, but this decision by the developers is dominating.
  2. I work with a CA, and it is curious, to watch them work with their own product. Indeed, it's part of the job. (Actually they also do OpenPGP, but as we all know, OpenPGP works just fine without... See reason 1.)

Sadly, S/MIME sucks. I reported previously on Thunderbird's most-welcome improvements to its UI (from unworkable to woeful) and also its ability to encrypt-not-sign, which catapulted the tool into legal sensibility. Recall, we don't know what a signature means, and the lawyers say "don't sign anything you don't read" ... I'd defy you to read an S/MIME signed email.

The problem that then occurs is that the original S/MIME designers (early 1990s?) used an unfortunate trick which is now revealed as truly broken: the keys are distributable with signing.

Ooops. Worse, the keys are only distributable with signing as far as I can see, which uncovers the drastic failings of tools designed by cryptographers and not software engineers. This sort of failure derives from such claims as, you must sign everything "to be trusted" ... which we disposed of above.

So, as signing is turned off, we now need to distribute the keys. This occurs by 2 part protocol that works like this:

  • "Alice, please send me a signed email so I can only get your key."
  • "Bob, here is a signed email that only means you can get my key."

With various error variations built in. OK, our first communal thought was that this would be workable but it turns out not to scale.

Consider that we change email clients every 6 months or so, and there appears no way to export your key collection. Consider that we use other clients, and we go on holidays every 3 months (or vacations every 12 months), and we lose our laptops or our clients trash our repositories. Some of us even care about cryptographic sanitation, and insist on locking our private keys in our secured laptop in the home vault with guards outside. Which means we can't read a thing from our work account.

Real work is done with a conspiracy of more than 2. It turns out that with around 6 people in the ring, someone is AFK ("away from keys"), all the time. So, someone cannot read and/or write. This either means that some are tempted to write in clear text (shame!), or we are all running around Alice-Bobbing each other. All the time.

Now, of course, we could simply turn on signing. This requires (a) a definition of signing, (b) written somewhere like a CPS, (c) which is approved and sustainable in agreements, (d) advised to the users who receive different signature meanings, and (e) acceptance of all the preceeding points as meaningful. These are very tough barriers, so don't hold your breath, if we are talking about emails that actually mean something (kid sister, knock yourself out...).

Turning on the signing also doesn't solve the core problem of key management, it just smothers it somewhat by distributing the keys every chance we get. It still doesn't solve the problem of how to get the keys when you lose your repository, as you are then locked out of posting out until you have everyone's keys. In every conspiracy, there's always one important person who's notoriously shy of being called Alice.

This exposes the core weakness of key management. Public Key cryptography is an engineering concept of 2 people, and beyond that it scales badly. S/MIME's digsig-distro is just a hack, and something like OpenPGP's key server mechanism would be far more sensible, far more scaleable. However, I wonder if we can improve on even OpenPGP, as the mere appearance of a centralised server reduces robustness by definition (TTPs, CVP, central points of attack, etc).

If an email can be used to send the key (signed), then why can't an email be used to request a key? Imagine that we added an email convention, a little like those old maillist conventions, that did this:


and send it off. A mailclient like Thunderbird could simply reply by forwarding the key. (How this is done is an exercise for the reader. If you can't think of 3 ways in the next 3 minutes, you need more exercise.)

Now, the interesting thing about that is that if Tbird could respond to the GETSMIME, we wouldn't need key servers. That is, Alice would simply mail Bob with "GETSMIME" and Bob's client could respond, perhaps even without asking because Bob already knows Alice. Swarm key distro, in other words. Or, Dave could be a key server that just sits there waiting for the requests, so we've got a key server with no change to the code base.

In closing, I'll just remind that the opinion of this blog is that the real solution to the almost infinite suckiness of S/MIME is that the clients should generate the keys opportunistically, and enable use of crypto as and when possible.

This solution will never be ideal, and that's because we have to deal with email's legacy. But the goal with email is to get to some crypto, some of the time, for some of the users. Our current showing is almost no crypto, almost none of the time, for almost none of the users. Pretty dire results, and nothing a software engineer would ever admit to.

Posted by iang at September 1, 2007 07:47 PM | TrackBack

I think you're over-thinking this, which is the whole problem with S/MIME.

If people in crypto didn't over-think so much, companies like Apple would have S/MIME enabled by default to at least *read* signed E-Mails. There is absolutely zero rationale why S/MIME is disabled even to the point of not being able to read the checkmark next to someone's name, even with the "sign: no encrypt: no" setting on the iOS. That makes zero sense-- it means everyone gets an attachment when they read my signed E-Mails, instead of a checkmark, until they enable S/MIME (and I'm not talking about asking them to sign themselves).

Also, judges aren't idiots. They don't conflate "signed" E-Mails with authorization of its contents-- merely that the E-Mail originated from its sender, the actual definition of the instance the word is used for. Also, you don't need to sign an E-Mail with S/MIME to be held liable for having written it-- ask Apple RE: the outcome of their book deal.

Until signature authorities get smart about issuing creds to the point of making partnerships with E-Mail clients like Outlook and Thunderbird, only nerds have them, and lawyers don't even use them most of the time to their individual clients because they don't feel like giving tech support lessons on how to enable S/MIME and avoiding webmail for confidential correspondence.

All in all, if cryptographers just took more valium, E-Mail clients partnered with CA authorities for in-client registration of a certification for personal use, we'd have one-click issuance of CA's, millions more would use them, and the damn iPhone wouldn't needlessly not enable *reading* S/MIME even though it's built-in to the damn thing.

Posted by: Unsigned at August 17, 2013 10:31 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.