ARGH. The whole point of PGP keyrings --- the costliest part of the PGP UX --- is that you don't have to have a single key. If you're terrified of exposing your secret key on your mobile device (which is frankly the most secure device you own), just cut a new key for it.
Any time someone suggests a new application for PGP, people come out of the woodwork saying things like "what, you want me to put my PGP key in my browser?" No. We want you to put --> a <-- PGP key there.
The mobile device is the one most people have the least control over in terms of software (which can be both good and bad) but is also the one they are most likely to lose in a shady part of town.
I agree with the rest of your post though.
If a key has multiple subkeys, are they all used in encrypting a given message?
That's an aspect of PGP/GPG use I'm not clear on despite >15 years use of it.
Really? That's not how I treat my security at all. My phone seems to clearly be the least secure computer I own. Admittedly I run all linux on my non-phone computers, but I'm not totally sure I'd agree with you even if I ran Windows or OSX.
Am I that wrong?
This is orders of magnitude safer than a full-disk-encrypted laptop because people hardly ever shut down their laptops, so keys remain in memory. There is also the possibility of cold-boot attacks, and of course the (retrospectively) insane design wherein any program you run can access all of your data.
iOS applications are always code-signed in a way that is tied to a real person or corporation, thoroughly sandboxed, and subject to review, making malware essentially non-existent. If discovered, it can be yanked at any time. What few remote exploits there have been were national news - and quickly resolved.
iMessage is end-to-end encrypted 100% of the time using a keybag - each device on your iCloud account has its own private key that never leaves the device. You get notified when a key is added to the keybag. This is really incredible, because without even knowing it, huge swaths of the population are using properly end-to-end encrypted messaging just by owning iPhones.
iOS is a tight ship and its attack surface is minuscule compared to that of a commodity computer.
Personally, I have my key on my phone, and I'm fairly comfortable with it - though there are certainly some that aren't.
My understanding was that you can associate a key with your email address, does this just mean you would have two keys associated, one for "me@me.com Desktop" and one for "me@me.com Phone"?
* Totally anonymous (ie no metadata trail) communication seems impossible / impractical. If everywhere is the Tor then we massively increase traffic, (not to mention the trustworthiness of "everyone" is a lot lower per unit than everyone currently running a tor node)
Anyway, even if a encrypted anonymous message arrives for me, just working out who it's from without any metadata seems complex web of double decryption
I do struggle with how anonymity is going to solve all problems with totalitarian states. In the end we need to solve this in the real world of politics and execution squads so we don't mortally worry about letters or emails being read.
* there is a lot more here than my tired brain can handle - but my main concern is a simple human one
- if secure anonymous comms is "impossible", then I could see levels of secure encryption (sent from my iPhone, sent from my PC hardwired at home that has a secure USB boot on my key ring). But this idea demands that as the recipient I work hard to determine from context if the message is secure - aha it's 11pm in the UK and Adam just mailed me a secure note saying we should give everyone an Owl. Chances are high he is pissed and his mates sent it.
Once technology stops helping us make those decisions it's kind of pointless - May as well just keep sending clear text is not an irrational stance.
Be interested in the discussion in the morning - cheers
* lastly - what email client do you guys use that allows gpg on mobile?!
Edit: clean up
It's the conversion that matters to me, there needs to be a solution to this, and for that to happen people need to get engaged.
As for anonymity, I don't think there's a good option there - the spec I'm writing isn't anonymous to the recipient, or to the recipient's server. My focus is on encryption and authentication. There's more metadata exposed than I'd like in my model, but it's a balancing act between competing goals. We'll see that in any standard that replaces email - there are many forces at play with different goals and different requirements. No solution will make everyone happy.
There are issues, metadata being a big one, that the proposal I'm working one doesn't address as well as I'd like. I'm hoping others will try to tackle this issue as well, and come up with other methods that may work better.
When we are ready to release a public draft, it'll just be the first step. We don't expect anyone to just say "Hey, that's perfect, let's replace all the email servers" - that isn't going to happen, and it's not our goal. A lot of review will be needed, changes will need to be made to address different concerns, and maybe it'll progress to a useful system. Maybe somebody else will come along with a different idea, and that one will get the community backing. What I want is a replacement system that is secure - I don't care who's design it is. It's not about ego, not about winning for me - it's about prodding the community into action.
As to the last question, as others have answered, K-9 Mail. It works well enough for my needs.
That really isn't the problem. If onion routing works for anything it works for email. Text is low bandwidth. You make the email servers relay for each other so it scales: More email servers, more relays. And if you're willing to have your emails delayed by e.g. half an hour you can get a much stronger level of anonymity than you can with realtime systems like Tor because random delays between hops on high traffic nodes in combination with padding to power-of-two size boundaries makes traffic analysis extremely difficult.
> Anyway, even if a encrypted anonymous message arrives for me, just working out who it's from without any metadata seems complex web of double decryption
Every message to you should be encrypted against your public key, so you decrypt it with your private key and immediately learn who it's from. The issue is if you have multiple public keys and you don't want the message to identify which one to use in any way. There could be some interesting cryptographic solutions to that I'm not aware of, although in the worst case you could just try all of them until one works.
I went off on one thinking how do I find which public key Of my 4000 contacts is the right one ... When no-one will encrypt a secret message with their own private key !
Sorry - total brain fart. Apologies to others down thread too.
Anyway, even if a encrypted anonymous message arrives for me, just working out who it's from without any metadata seems complex web of double decryption
Anonymity is hard if not impossible - it's why I don't think evoting can work and why this seems laudable but hard
As I said in the article, my goal is to get people talking about potential solutions. I have little hope that the solution I propose will be accepted and used as is - but if it gets more people talking, and discussions going about something that will work, then it was worth the effort.
I agree that change has to start somewhere, and, to be clear, I don't mean anything against you, but rather against the likelihood of any success: I think that we're stuck with a broken legacy system until something radical, by which I mean "all existing infrastructure is destroyed"-type radical, forces a ground-up re-start.
Nonetheless, there seem to be at least two competing objections to trying to start the change here:
- My point of view: It seems unlikely that the eventual solution (if there is one) will come from a large group carrying a large and representative collective weight, not an individual (or even a small, self-selecting community like HN, or—probably, and with no offence meant—the readership of your blog) with a necessarily specialised viewpoint; and that a large group is more likely to buy in to "let's create a new standard!" than "let's use my / my community's standard that I / we created without your viewpoints or input!"
- Alternatively, if one believes (as it seems you do) that the solution will start with an individual, then surely the thing to do is to deliver a product, not a promise. I don't know about anyone else, but my reaction when I see assurances of delivery RSN is automatic scepticism.
No reason why this couldn't be bolted on top of email (send the actual message as an attachment like with pgp/mime). It would probably create a new set of metadata (requests to the recipients "half-key" service/server (locating which could be delegated to SRV records or something similar, with domain derived from the email address) -- but I'm not aware of any other schemes for generating ephemeral keys in a reasonable manner compatible with (semi)asynchronous communications.
It does seem like "true" off-line message composition wouldn't be possible (the email client (or client service) needs to go online in order to encrypt/pack up the final message. This means that drafts/messages "in transit" would be possible to recover from the senders device in the case of eg: several mails being written on a flight w/o net access, and a search/seizure before mails could be encrypted to the receiver).
All in all, this sounds like a tricky problem... Anyone know of any recent bright ideas in the field of PFS for asynchronous messaging?
- goals of the "new email" should presumably be to reduce the ability of state actors and major comms providers to collect sufficient metadata to conduct mass surveillance for tyranny or profit.
as such we can try either
- Vast citizen owned mesh networks (ie every smartphone is a ISP)
- Anonymity over traditional large ISPs / backbones
Anonymity is hard. We could encrypt entire message and then round robin decrypt each incoming message, this would cripple all metadata apart from the TO: field and mean any listener would need to own most entry points to catch the first uptake. It seems difficult - webs of trust, guessing the encryption key.
Add in other constraints - all messages in transit and at rest are encrypted - gmail becomes no more than S3 - and we see the end of free email, and weirdly a return to POP3 as the client must store all my mail.
If this does exist however, why restrict it to emails - every message format seems similar - MQ and Facebook can all go this way.
Mesh networks have even greater barriers to uptake ...
My immediate intuitions are that 1.) this is a very hard problem to solve and 2.) if it's going to be solved in any reasonable amount of time, it needs to be bootstrapped into existing, popular methods of communication (such as e-mail). Adding some sort of PKI into the existing e-mail spec would probably be a good start, since it's just not something that people are used to dealing with.
There are a ton of problems to solve before one of these actually works, javascript crypto being the least (since HN likes to discuss it...). Backwards compatibility with old email protocols and insecure service is clearly a weak-link in any hypothetically secure service.
It would be nice to see a more distributed protocol...where the bulk of the world's email is holed up in a few company's data centers.