Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!hoptoad!gnu
From: gnu@hoptoad.uucp (John Gilmore)
Newsgroups: comp.protocols.kerberos
Subject: Re: using kerberos for secure mail
Message-ID: <6949@hoptoad.uucp>
Date: 10 Apr 89 07:53:13 GMT
References: <8904040318.AA01052@OSIRIS.MIT.EDU>
Organization: Grasshopper Group in San Francisco
Lines: 26

Jeffrey Schiller proposed a scheme for secure mail. At first reading it strikes me that the mail key transmission service will be contacted many times per message (once by the sender and once by each recipient) and will get a full list of who is sending the mail and who all the recipients are. To me this sounds like a perfect place to do traffic analysis ("intelligence gathering" in which an adversary finds out who is talking to whom). It would not even be necessary to break into the MKS; most of what you need is in the addresses in the packet headers.

I would prefer a protocol where local systems can cache the private keys of the people who they talk to often, and could generate their own session keys if required, so that a central key server would only be able to track a small fraction of the traffic.

Mr. Schiller's proposal also seems to require:

* that the full list of recipients be divulged to each recipient (including bcc's)
* that the recipients must contact the mail key server to decrypt the received message *from the addressed machine*, that is, if they have their mail forwarded elsewhere, they will be unable to decrypt it since their new location is not on the "recipient list".

--
John Gilmore {sun,pacbell,uunet,pyramid,amdahl}!hoptoad!gnu gnu@toad.com
"Use the Source, Luke...."
Copyright 1989 John Gilmore; you may redistribute only if your recipients may.
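The metadata exposure the post is worried about can be made concrete by modelling what a central key server sees. The following is an added example, not part of the original posting and not Schiller's or Kerberos's code: it replays a constructed message log through two rules, the scheme as described (sender and every recipient contact the key server for every message) and the caching alternative the post prefers (a host contacts the server only the first time it deals with a correspondent, then keeps that key and makes its own session keys). The names, the log and the simplified caching rule are all constructed assumptions; the point is to compare how many messages, and how many complete recipient lists, the server learns from request traffic alone.

```python
"""Compare the metadata a central mail key server (MKS) learns under two
key-distribution rules.  Constructed example; the message log, the party
names and the caching rule are made-up assumptions for illustration.
"""
from collections import defaultdict

# Constructed message log: (sender, [recipients]).  Repeated pairs are
# deliberate, since caching only pays off for people who talk often.
MESSAGES = [
    ("alice", ["bob"]),
    ("alice", ["bob", "carol"]),
    ("bob", ["alice"]),
    ("carol", ["dave"]),
    ("alice", ["bob"]),
    ("dave", ["carol", "alice"]),
    ("alice", ["bob"]),
    ("bob", ["alice", "carol"]),
    ("carol", ["alice"]),
    ("dave", ["alice"]),
]


def mks_contacts_central(messages):
    """Scheme as described in the post: for every message the sender
    contacts the MKS once and each recipient contacts it once.
    Returns the (requester, message_index) pairs visible to the server."""
    contacts = []
    for i, (sender, rcpts) in enumerate(messages):
        contacts.append((sender, i))
        for r in rcpts:
            contacts.append((r, i))
    return contacts


def mks_contacts_cached(messages):
    """Caching alternative (assumed rule): a host asks the key server for a
    correspondent's key only when it holds none, then caches it and makes
    its own session keys, so later messages between the pair never touch
    the server."""
    cache = defaultdict(set)  # host -> correspondents whose key it holds
    contacts = []
    for i, (sender, rcpts) in enumerate(messages):
        for r in rcpts:
            if r not in cache[sender]:
                contacts.append((sender, i))
                cache[sender].add(r)
            if sender not in cache[r]:
                contacts.append((r, i))
                cache[r].add(sender)
    return contacts


def messages_observed(contacts, n_messages):
    """Fraction of messages for which the server saw at least one request."""
    seen = {i for _, i in contacts}
    return len(seen) / n_messages


def recipient_lists_exposed(contacts, messages):
    """Messages where the requesters alone (i.e. packet-header addresses)
    give the server the complete sender-plus-recipient set."""
    by_msg = defaultdict(set)
    for who, i in contacts:
        by_msg[i].add(who)
    return sum(1 for i, (s, r) in enumerate(messages) if by_msg[i] == {s, *r})


def summary(messages=MESSAGES):
    """Side-by-side figures for both rules over the constructed log."""
    out = {}
    for name, fn in (("central", mks_contacts_central), ("cached", mks_contacts_cached)):
        contacts = fn(messages)
        out[name] = {
            "requests": len(contacts),
            "messages_observed": messages_observed(contacts, len(messages)),
            "full_recipient_lists": recipient_lists_exposed(contacts, messages),
        }
    return out


if __name__ == "__main__":
    for rule, figures in summary().items():
        print(rule, figures)
```

On this log the central rule yields 23 requests, every message observed and every recipient list reconstructible from requester addresses; the caching rule yields 10 requests, half the messages observed and only the two first-contact, single-recipient messages fully exposed. The observed fraction keeps falling as the log grows and caches fill, which is the effect the post is after. This models exposure only; it says nothing about the key-agreement details a real caching design would need.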