So the author's central thesis essentially seems to boil down to that leaked emails were able to be cryptographically verified, because of DKIM and so we should prevent that so people can't use email to blackmail politicians? Ultimately I prefer the more information that we can get on politicians available.
It seems to me that especially when an elected official has something they don't want others to know about that it should be public knowledge.
After all an efficient marketplace only is efficient if all actors have access to as much information as possible.
EDIT: As a follow up, several people point out that it could happen to me or a family member, but this seems even further reason to have DKIM so that if someone attempts to blackmail me based on the contents of my email, checking the DKIM signature makes it even easier to disprove a bad blackmail attempt.
Why is this argument not equivalent to the much-derided “nothing to hide” or “ban encryption by law” arguments?
The way to have transparency into politician’s communications is to require them by law to be made public, and to use law enforcement to make sure that this actually happens. It seems that relying on information going over email (as opposed to eg signal), and getting hacked (perhaps you want it all hacked, perhaps you are more happy while it is the side you don’t like getting hacked, either way I think one must acknowledge that by focusing on what is hacked, one is granting those hackers great control of the narrative) is not really very useful.
That’s a false equivocation. Private citizens having “nothing to hide” in their personal lives is disimilar to public officials having nothing to hide in relation to their official duties. Blackmail related to embarrassing sexual proclivities or anything like that is unfortunate, but kindly asking politicians to be transparent isn’t a realistic answer. Of course they will use official channels and be transparent about everything they _should_ be doing, but it’s exactly the things they want hidden that will go over alternate channels.
What I think is most shocking in this age of political hacks and leaks is the fact that people are outraged by it when it’s their side. Sure, the timing can be unfortunate when it harms their chances of re-election, but I’m surprised that I hear more about that, and calling it election interference, than I do about the actual contents of the leaks. Don’t like it when your side’s dirty laundry hurts their campaign? Solution: nominate candidates with less dirty laundry.
Email and associated protocols apply to everyone, public-individual or private. The same technology works whether you're a politician or an ex-girlfriend.
I also agree with your parent, if there is something we need politicians to do, it needs to be a law that makes explicit what the intended outcome is, rather than hold up an unintended consequence of a protocol feature as "good enough", especially when there's potential for collateral damage.
we have been trying to do things this way for years. The deteriorating condition of our democracy and electorate would suggest that we need a different approach
No. Private citizens are entitled to privacy and their rights to such should be guarded by both law and responsible security practices at the companies they entrust with their information. Private citizens shouldn’t be shielded from privacy violation by hiding behind the plausible deniability of no DKIM verification. The communications of public officials should be subject to traceability and authentication as having actually come from them, even if they have gone rogue and used non-government-approved communication channels. If corruption is suspected because communications are discovered on the receiving end, say at a company that gets audited or something, it should be simple for investigators to verify the authenticity of those emails. Establishing ownership of the sending email address is another issue, but I imagine that’s possible via regular investigative routes.
This has nothing to do with “blackmailing public officials” and for you to imply that I have such a desire is both uncivil of you to say here and says a lot about your world view. Blackmail is when you use evidence of illegal activity in order to coerce someone to do something against their will. Transparency and audit ability of our public servants is not blackmail.
Yes, there it is a valid objective in ensuring that elected officials' conduct is above board. However, abusing a spam-mitigation system for this purpose, drawing in every private individual with the dragnet, is the wrong way to go about it.
One key flaw in your argument is that you seek a system that works, "even if they have gone rogue and used non-government-approved communication channels", which, it should be plain to see, absolutely does not apply to DKIM.
I perhaps read a bit too much into your statement, "Blackmail related to embarrassing sexual proclivities or anything like that is unfortunate, but kindly asking politicians to be transparent isn’t a realistic answer."
In this case, it seems calculated to allow someone to get away with lying to the public about meeting with and knowing nothing about deals with an executives of a foreign state-owned company that has been accused of bribing the US government and corruption.
For local politics this would expose the haggling/threats/backdowns not good for image making very hard to make deals
For international, how do you expect this to work when a politician is getting briefing Or guidances or heads up about dealing with an dictatorship or a unfriendly global power or an foreign company ?
Perhaps have a classification system ? Then everything will be secret classification
To be clear, I’m not particularly advocating for my parent comment’s view that these communications should be transparent. I’m advocating for any such transparency being fair and deliberate rather than due to hacks and a protocol quirk.
> So the author's central thesis essentially seems to boil down to that leaked emails were able to be cryptographically verified, because of DKIM and so we should prevent that so people can't use email to blackmail politicians? Ultimately I prefer the more information that we can get on politicians available.
I don't think Matthew Green is arguing against transparency. What he's observing is that non-repudiation is an unintentional byproduct of DKIM's design. Because it's a byproduct, DKIM's users have made implementation decisions that make it susceptible to weaknesses in the unintentional non-repudiation property.
By 2030, a motivated nation state will probably have the ability to crack the 2048-bit RSA keys that Google is currently using for DKIM. Do you really want someone in 2031 to be able to contrive fake signatures for the emails of politicians in 2021?
A sufficiently powerful adversary will simply steal your emails. That's the actual real threat, not that the adversary will convincingly lie about you. That part they can already do without the benefit of your emails.
An adversary with sufficient impunity will simply lie and make things up.
DKIM without rotation and disclosure provides the capacity to do so with cryptographically provable integrity. Green's paper lists instances in which this has happened (as a proof-of-concept demmostration of the risk), and may have happened.
DKIM key rotation and public key disclosure at least denies adversaries this.
> Do you really want someone in 2031 to be able to contrive fake signatures for the emails of politicians in 2021?
How could it be used for that purpose then if it’s proven to be unreliable?
It would seem that there’s more to gain in the short-term by those that have hacked Gmail accounts by exposing this, so it seems disingenuous, which you have to know, so it seems like people are fake-goading Google, causing others to actually goad Google, maybe to try to expose those that have hacked Gmail...
Well, by 2030 the non-repudiation will be considered lost if that’s the case. Maybe even 2027. But today, in 2020, a verified DKIM is strong indication about the identity of the writer, or that the keys weren’t safely stored.
> Maybe even 2027. But today, in 2020, a verified DKIM is strong indication about the identity of the writer, or that the keys weren’t safely stored.
Except that we're talking about leaks of emails that date back by years: the earliest Podesta emails are from 2010, back when Google was using 512-bit (!) keys for DKIM. Those were leaked in 2016, at which point 1024-bit keys were already considered crackable by a motivated attacker.
This isn't to say that those emails were faked, only that "an email written in 2020 that's verifiable in 2020" is not the target of interest.
..... so? That means in 2016, the DKIM was already deniable. And it made no difference whatsoever.
The DKIM signature is proof only that whoever signed the email possessed the key, nothing more, nothing less. This, in turn, is a suggestion about the identity of the signer and possibly the author - but not proof.
Did DKIM change anything about the podesta emails? Or were they basically acknowledged as authentic regardless, and had a lot of other verifyable info in them?
> ..... so? That means in 2016, the DKIM was already deniable. And it made no difference whatsoever.
Both journalists and investigative groups (and conspiracy theorists) treat DKIM as a sign of authenticity, even when the key material is long past its prime. Wikileaks still prominently displays a "verified" marker next to their archives.
> Did DKIM change anything about the podesta emails? Or were they basically acknowledged as authentic regardless, and had a lot of other verifyable info in them?
That's hard to say, but it's also not the point. The point with being able to crack the key is that a motivated party could intersperse false information with otherwise verifiable information. And, well, what's a conspiracy theorist to do? Only believe the non-juicy parts?
I don't think it's a fascination, it's what the OP is about. We're talking about the subject of a blog post, no?
I think the point boils down to expectation management: journalists (and ...) barely understand non-repudiation, much less why each of the following scenarios pans out:
...and so on. In sum: we're making life harder for the people doing real investigative work (since they're not technical), and we're giving fodder to the people who want to conspiracize. All because we're using a spam mitigation technique to provide properties that it was never intended to provide.
The right solution in this case is to educate journalists - they are up to date on things like deep fakes and should be on DKIM.
The wrong solution is to make previously private keys public to make any reasoning about past data impossible in the name of “hut journalists might get a wrong impression”
The OP is looking for a systemic solution to the problem, somewhat akin to the way establishing a bug bounty program aligns incentives. Your solution is like asking your team to please work harder to not release exploitable bugs.
Agreed, grandparents proposed solution is basically the same as pushing for users to be better trained to protect themselves from phishing, which has shown to be ineffective time and again and is downright masochistic when an easier system solution exists.
What I don't understand is why it is clear to almost everyone but myself that DKIM-truth incentives are different than deepfake-truth incentives.
And yet, the deepfake equivalent to the suggested solution is one of "start showing deepfake as news" or "stop showing any video as news", neither of which anyone would consider a reasonable response to deepfakes. I just don't understand how DKIM is suddenly so revered as truth when almost no one knows what it is.
That is... naive. The incentives for journalists don't necessarily align the the interests of the general public (transparency, thorough research, etc. etc.).
The point is that DKIM can be abused to lend undue credibility to falsified data... not that it can credibly attest true data.
These is absolutely no way you're going be able to educate the general public on the nuances of this. I mean, there are lots and lots of people who doubt the efficacy of vaccines and masks...
> The point is that DKIM can be abused to lend undue credibility to falsified data... not that it can credibly attest true data.
So can deep fakes. What makes deep fakes explainable and DKIM unexplainable?
If the journalists interests do not align about DKIM, how come they align about deepfakes?
I'm not saying journalists have any integrity. I'm just wondering why specifically for DKIM a "throw the baby out with the bathwater" solution is advocated, whereas for things like deep fake it isn't -- where the underlying truth is the same: "You can't trust what you see/hear".
I think what you are referring to is “whataboutism”, but I don’t think it is a case of whataboutism.
I have pointed out that in a similar case (potentially fake evidence), same actors (journalists) seem to have completely different incentives than those you hold so self-evident and I ask for an explanation of the difference - why is it so self evident that journalists have an incentive to not understand DKIM and not inform about it, but the same is not true of another concurrent challenge to evidence authenticity.
To me it sounds like you’re saying “journalists eat cotton candy because they like sweets, but they don’t like chocolate because they care about their teeth”. They might have this preference among cotton candy and chocolate, but the explanation is inconsistent and likely wrong.
> By 2030, a motivated nation state will probably have the ability to crack the 2048-bit RSA keys that Google is currently using for DKIM. Do you really want someone in 2031 to be able to contrive fake signatures for the emails of politicians in 2021?
By this logic, what the article is arguing for is to bring that same truth today: if DKIM no longer offers the same guarantees, but people think that it does, than it can trivially be used to forge emails that people will then wrongly trust, which is obviously worse than the status quo.
Of course, the more likely result is what the article suggests - if the scheme can be defeated, people will stop trusting it, and there will be no chance of forgery (at least not for very much longer).
Other than whistleblowers and activists fighting the dictatorships (and they can work-around this), what is the case where not being able to prove who sent the email would be a good thing?
Toward the end of the blog post, the author points out that while it often is nice to have the ability to authenticate who sent an email, nobody asked for this feature to be enabled by default on all their communications. It seems like a matter of preference, and it isn't clear that people thought about it at all.
People change over time and normal human communications have a natural sunset built in as people forget exactly who said what.
> People change over time and normal human communications have a natural sunset built in as people forget exactly who said what.
It's true, but I'm not sure it's as good thing as you believe. I was born in communism, and then later I lived through the transition and have seen many people use this exact mechanism that you mention to whitewash their biographies. People just don't remember long, and thanks to that all of the sudden everyone was a victim of the regime who fought for democracy, while in fact they were exactly the opposite. Many bad people not just got away, but also gain significant benefits thanks to "people forget exactly who said what" and it did a lot of damage to my country and the society. So, while people do change over time, and we all sometimes have said something stupid that we didn't really mean, IMHO as adults we all should stand behind the things that we say and hold accountable to at least some level for it.
And to protect people from other's misusing their past, perhaps it would be more beneficial to educate the crowd not to be overly judgmental and not to jump to conclusions like everyone on soc. medias just loves to do - rather than forcing individuals to lie about their past to defend of blackmailers.
This isn't likely very viable, though. In particular because most emails won't contain full context. You can't even really tell from digitalized text if a person in an oppressive society believes in what they're writing or are just trying to avoid suspicion, and so on.
It could (at least according to the author) reduce the incentive to steal people's emails for blackmail purpose to begin with. The target of blackmail can simply deny they are authentic and it would be extremely hard for the blackmailer to provide evidence of their authenticity without revealing their own identity.
"Hey Ivanhoe, your buddy from government here. That thing that we discussed, no problem I arranged everything, T says it's cool, just wire us the money and the project is yours."
In my view, if someone is going to blackmail me for some sensitive topic like being HIV positive or dox me in revenge, solution is not that I have to go public and lie that it's not real (and risk to be counter-proven it is) - but to have police put their blackmailing asses in the jail. That's the type of protection of my freedom and privacy that I hope for.
And in the end, who has ever believed people doing public denials? Once the word gets out, by the time you publish the rebuttal majority of folks will already have an opinion on it and that will stick with you for long time no matter what you say later.
>to have police put their blackmailing asses in the jail.
Email is global. You and I are in privileged positions regarding access to capable law enforcement. We're also privileged with what our societies deems acceptable. We are the exception, not the rule.
If you're only thinking about how it affects you and what remedies you would have, then you clearly aren't looking at the big picture.
I'm from Serbia, so no, I'm not really privileged with any of that as we've got oppressive regime in power, inefficient police used to look the other way on crimes, and fairly close-minded and conservative society. Of course, there are places where it's far worse, but I had fairly enough of shit happen to me so far in life (break-up of the country, years of war, living under UN sanctions, hyperinflation, working for $5/month, full-blown dictatorship with secret police killing people, etc.) that I like to think that I actually do have some clue on "a big picture"...
>the solution is [...] to have police put their blackmailing asses in the jail.
But now, you're saying you don't have meaningful access to law enforcement (in this context). So, why did you suggest a solution you know isn't viable? I don't get it.
To my mind, you've just made a strong argument for publishing DKIM keys since you readily admit law enforcement cannot tackle the blackmail problem. Indeed, even in countries with "good" law enforcement, they can't reasonably tackle it since the blackmailers almost always come from overseas (or are un-traceable).
A) Because I'm not focusing on myself here, and realistically majority of people affected by these crimes live in the 1st world countries and will have access to some level of legal protection, and
B) Even though it's not viable for me to do anything to someone in Russia or China or even US for leaking my data, I see that as the only proper way to address this type of situations. If it's not possible now, then we should concentrate on fixing it and making it possible, instead of trying to lessen the impact, but at the same time helping those same blackmailers to easier hide their own steps (and a bunch of other shady characters who'd rather not be linked to their emails, from pedophiles to corrupted politicians). And also I don't see denying as a reasonable move here, as it comes down to basically lying publicly about the origin of your data and can just get you deeper in the trouble, especially if you're in any sensitive position and there're people out there actively looking to dig your dirt. AFAIK all PR handbooks on damage control say the same.
No doctor should be writing that email in the first place; it would be an example of such a flagrantly negligent treatment of PHI that cryptographic signatures and reputability are kind of irrelevant.
Email is used outside of countries with these kinds of protections. For example, I know someone who had an STI test in Thailand and the results did indeed come via email.
Even if this example is imperfect, it's really not that hard to imagine a scenario where some type of compromising information is sent to you. Perhaps even accidentally.
DKIM was not designed to authenticate emails far into the future.
In fact, it does not authenticate any emails without a corresponding public key currently published to DNS. It provides specifically for "empty" or revoked keys to avoid such retro-validation.
Seems the central thesis is that because these messages are patently no longer authenticated by DKIM, we should eliminate any remaining hope of them being construed as authenticated by DKIM.
I am not a lawyer, but I do not believe that DKIM provides repudiation specific to an individual. DKIM provides evidence that email originated on an email provider. The users neither own nor control the server and user accounts get compromised all the time as well as fake accounts created all the time. Google battles this daily. DKIM might be one piece of information, used in combination with a client IP address and some method of proving who was at that client IP address at the time, but I do not believe that DKIM could stand on its own.
For example, I have servers that DKIM sign emails. If a person uses my servers to send a death threat, the FBI is going to want web access logs and smtp logs.
It is even weaker than that. DKIM keys themselves can be stolen - most servers don’t store them in HSMs (and HSMs are also not infallible).
Or factored - Debian had a bug 12 years ago that caused weak SSH keys, a similar thing could happen to DKIM key generation (or has happened, but not yet discovered).
Some study showed many RSA keys in the wild had a common factor. A weakness of this family might be discovered with DKIM keys.
It is supporting circumstantial evidence, not proof of identity.
> The threat is not limited to politicians. Anyone (including you and your family members) could be blackmailed or otherwise publicly embarrassed.
... for what they actually did.
You think the solution is allowing people to be blackmailed or otherwise publicly embarrassed for things they didn't do, while removing their ability to verify that they didn't do them?
Being gay is not a crime, and yet people can be blackmailed with it. It is very easy to open yourself up to blackmail by perfectly legitimate activities.
True, there are things that might ruin someone's life even though there's nothing bad about them, but the list of actual crimes and bad things that people do is WAY longer, and being able to prove it is definitely useful...
The same argument can be used to build a police state. But I suspect that you’re not in favour that either.
We shouldn’t be building technical systems that “trap” people, just because they might be doing something bad and might want to prove that one day.
Additionally you’re also ignoring the whole “people have the right, to not have their emails stolen” argument. DKIM signatures are only useful if the emails are stolen, are you trying to suggest that it’s ok to steal emails from people if they’re bad?
> Additionally you’re also ignoring the whole “people have the right, to not have their emails stolen” argument
No, just the opposite, that is an excellent argument and I think that the privacy should be the real focus when we discuss the freedom, and not the accountability. Because freedom is not to be able to get away for the lack of evidence, freedom is not to put innocent people in that kind of situation in the first place.
Police state doesn't come from the ability to track citizens, it comes from the lack of transparency and government's misuse of the information. Now, reality is that having more data collecting increases the chances of misuse, but I think we're attacking the problem from the wrong side. Rather than killing the option to track emails, there should be much more control and transparency on when and how that data can be collected and used.
> Being gay is not a crime, and yet people can be blackmailed with it. It is very easy to open yourself up to blackmail by perfectly legitimate activities.
Option 1: DKIM keys stay private... "That email was just a joke, I'm not really gay"
Option 2: DKIM keys go public... "That email was just someone else's joke, I'm not really gay"
Not really a difference, and with option 2 you can't prove you didn't send it (as far as you can prove someone didn't crack 2048 bit RSA and use that power to concern themselves with your sex life).
Being able to prove a fascist dictator who was killing people for being gay, was secretly engaging in gay acts themselves, might help your cause of protecting gay people.
> Being able to prove a fascist dictator who was killing people for being gay, was secretly engaging in gay acts themselves, might help your cause of protecting gay people.
Because the DKIM keys were not made public, and a message sent from their account could be confirmed to be authentic.
If the keys were public, they could claim forgery. Regardless they could claim their account was hacked, but they couldn't deny the message was sent from their account.
I'm not asking how the technical mechanism proves the messages may be legitimate. I'm asking how you could use that knowledge in the specific situation you outlined to accomplish anything productive.
People change over time, and normal human communications have a natural sunset as most people don't remember every conversation in exacting detail. It is worth at least considering the fact that we've signed up to have basically all our communications preserved and cryptographically signed in perpetuity. Most people using these services didn't fully weigh the options.
No. Once DKIM keys are published, one can simply deny all emails published "from their account". We currently have a way for an attacker to prove an email's origin years after the fact.
I'm afraid there's also a misunderstanding how the real world works. Cryptographic and real-world plausibility are two entirely different things.
People get blackmailed, shamed, hurt and even killed over mere rumors, speculations and suspicions. As long as people believe in something (because something merely look plausible), there's no need for a fancy crypto to prove some machine sent some email. I'd dare to say most people don't even understand what cryptography is and what digital signatures really are (who signs what and what exactly this means).
I'm yet to hear a story of, let's say, a brave dissident who got out of jail because of cryptographic plausible deniability property making their oppressors unable to prove authenticity of some leaked or intercepted correspondence.
Read up on the Hunter Biden emails. After a DKIM signature was verified, the perception of a large number of people (including right here on HN) went from "this cache of email is probably total fiction" to "they likely do have access to at least some of his emails".
They don’t have plausible evidence anyway. Gmail has had bugs before with SPF/DKIM and will have some again for sure.
Some google employees have direct and indirect access to signing keys or writing emails. Not many, and they have good controls, but still many people with the ability to sign messages.
Not to mention a Trojan infiltration or account takeover, of which thousands (if not millions) a day occur.
The DKIM evidence is, for legal purposes, a good hint but far from proof.
In the court of public opinion, the standard is not "100% proven beyond any reasonable doubt". Hence, blackmail can still be very effective if an accusation is highly plausible.
I am not sure why the DKIM for all emails were not released, or why this did not catch more media coverage by other news organizations I consider more reliable (like NYT).
Thank you for this link, this did not come across my radar.
From your link:
> The only way the email could have been faked is if someone hacked into Google's servers, found the private key, and used it to reverse engineer the email's DKIM signature, Graham, said.
https://www.zdnet.com/article/google-fixes-major-gmail-bug-s... is from Aug 2020 and discusses an SPF/DMARC vulnerability that was in Google since forever (and though reported 4 months before public disclosure, was fixed only 7 hours after public disclosure). The last google DKIM bug I'm aware of was in 2012, so I can't counter the specific claim about DKIM with evidence, but the assertion that "the only way to spoof x is to hack and get the private key" is not any absolute truth.
(P.S: I have seen no denial nor confirmation about the authenticity of the Hunter Biden data - only claims of Russian involvement. Make of that what you will. The DKIM is circumstantial data until there is confirmation or denial - especially, as you say, it's not all released).
Sure, you raise very important points. I just found it weird that NYPost was happy just releasing the emails and not the DKIM, and when one was validated, it received literally no coverage. I thought it might catch steam after the election, but the literal silence is surprising to me.
I am not insinuating any wrongdoing from anyone, just bringing it to your attention, as you claimed to not know about it.
Thank you. I indeed did not know about it. I do try to read all sides, but this did not come on my radar (Though I did not, before you posted this, google DKIM+Biden, I did read tens of articles about those emails mostly from republican leaning outlets, and it wasn't mentioned in any of those I read).
But it does support my thesis that DKIM or no DKIM is not what gives (or doesn't give) any credence to the authenticity (or lack of it) -- here we have a high profile case, with DKIM validation (which a lot of people on this thread cleim "is considered proof by people who don't understand it") and it seems to make no difference even in the court of public opinion - those who accepted it, accpeted it without DKIM, and those who rejected it as russian disinformation, rejected it even with DKIM.
I just did, and I have less than 15 related results in the first 4 pages, only two of which are sources I've ever heard of before (washingtonexaminer and nypost). I'm logged out of google, but it's been a while since I deleted my cookies.
I've read literally hundreds of pieces on the hunter biden laptop, about half of them from republican leaning outlets, (I try to keep a balanced diet....) and none of them mentioned DKIM validation.
(For the record: I don't live in the US, I don't watch television, but I do try to keep a balanced news diet)
Huh? No one (including yourself), have mentioned anything about "destruction of evidence" so far. If you care to enlighten me about how it's relevant I'm happy to listen.
By making the DKIM keys public, you are converting solid evidence of something that was said into something that was either really said, or someone else pretended that they said.
No, destruction of evidence involves things like making something impossible to analyze and evaluate. Publication of a key doesn't erase the original messages and does not make it impossible to look into their contents to try to establish authencity by external means. Causing ambiguity is not destruction of evidence.
That would be an act of submitting false evidence, where you actively make a false claim regarding who the sample belongs to.
Which is very distinctly different from a passive act of not maintaining evidence of the origin of every single thing. Keep in mind that no data is altered - the equivalent of all collected samples remaining intact.
It's still just as possible to collect email logs, their contents do not magically dissappear. They would have to be actively manipulated by the party which holds the copy that would be provided to the police (either reported to them or confiscated, etc). That same party could already decide to delete the emails or strip signatures and then alter them.
Would you mind taking a look at this explanation I posted a couple days ago? https://news.ycombinator.com/item?id=25130956 It is my attempt to explain why we don't want users to flame each other here, even when the other person is ignorant or wrong. The reason may be different than you think, in which case perhaps it will have some persuasive power for you. I hope so anyhow.
>But there are many different ways to stick up for the truth
Whoa. Dang, I have to say, I feel a little slighted. I'm neither ignorant, nor wrong, and I'm aghast that you would insinuate that.
I've contributed faithfully to this site for a decade. The other commenter has -15 karma because, as you noticed, his comments are largely childish, combative and unsubstantive. It's embarrassing that you are validating him.
His claim was that Google publishing DKIM keys as described in the article would be "destruction of evidence", but that's provably untrue since there would be neither intent or willfull neglect on anyones part.
Literally (yes, I mean literally) no-one else here on HN, or anywhere on the internet, has legitimately attempted to argue this. It just doesn't hold up to basic scrutiny. "Destruction of evidence" is a very specific legal term with very specific meaning [0][1][2]. He seems to be distorting it in a Guilianni-esque fashion - "It's fraud! ....But no, your honor, not in the legal sense. More like in my own made-up imaginary sense!".
I've been restrained and as courteous as possible (under the circumstances), but even after you tried to squash the thread, and I stopped commenting, he's continued to insult me. You seem to be tolerating it.
I would have appreciated it if you enforced sanctions against obviously bad actors and remained completely neutral. That is what you're known for, but I respectful think you've failed in this case. At any rate, I know you have just about the hardest job on the internet, so I'll go ahead and chalk this up to misunderstanding.
> So the author's central thesis essentially seems to boil down to that leaked emails were able to be cryptographically verified, because of DKIM and so we should prevent that so people can't use email to blackmail politicians? Ultimately I prefer the more information that we can get on politicians available.
No matter what you think about politicians, it is a failure of cryptography, or perhaps our common application of it, that the signatures we use to assure our conversation partner of our identity can also be used for our conversation partner (or divers third parties) to prove what we said.
Compare https://en.wikipedia.org/wiki/Off-the-Record_Messaging which solved this problem quite a few years ago. Off-the-Record Messaging allows your conversation partner to know that they are talking to the real you, but does not empower them to prove that to anyone else.
Checking the DKIM key doesn't prove anything with certainty - the keys could have been leaked or stolen, or the mail server hacked. Or, the operator of the mail server could even forge the message. Many possibilities.
The purpose of DKIM is to help prevent spam, not to verify the authenticity of the sender.
If a nation state adversary has hacked the DKIM keys from your email server, they can send fake emails signed with this key. So it doesn't prove that a high value target like a presidential candidate has actually typed and pressed send on that email, it just proves that the first SMTP server that routed the email has sent it.
Even google didn't bother to rotate their DKIM keys as recommended by the standard, so one wonders if the google keys are stored in a cage guarded by lasers and dogs or if there are copies on someones laptop somewhere and any sysadmin with a gambling problem or a secret affair could have leaked them to an unscrupulous journalist or a spy.
> As a follow up, several people point out that it could happen to me or a family member, but this seems even further reason to have DKIM so that if someone attempts to blackmail me based on the contents of my email, checking the DKIM signature makes it even easier to disprove a bad blackmail attempt.
I think his point is that the DKIM signatures could be used to verify that you did, in fact, send something worth being blackmailed over, rather than having the plausable deniability of saying that your DKIM private key from that period is already public and thus could be forged.
Which, to me, sounds similar to the classic XKCD "Theoretically, I use 2048bit RSA encryption and the hackers can't get my data. In Reality, they just beat me with a hammer until I give up the password." Maybe a public DKIM argument would hold up in court, but if we're just talking reputation blackmail among family and friends, it aint it chief.
Hey Google. Please never do this. This would throw thousands of evidence about how Erdogan regime worked with terror organisations, including the e-mails that tried to ban social media to stop these evidences be available to public. And also how they declared innocent people as terror organisations with some companies that offered law support. For example, this one https://wikileaks.org/berats-box/emailid/35540 especially verifies a crime - Turkish Airlines Nigeria Weapon transfer as it marks the event as "Government Secret"; The evidence that they talk on this e-mail involves a call where the ministers talk "I don't know if they will use it to kill Muslims or Christians".
That specific e-mail does not have DKIM signature (maybe because it was sent his own gmail address? or to an gmail address in general?).
I am aware that even if they publish the DKIM secrets, these e-mail will not lose any value since these e-mails was posted before the secrets.
But I think using e-mails as evidence should be a thing in general. As you could receive them to your personal e-mail server and want to authenticate and use it on a court, even years after. If they publish the keys, it would not be possible as you could be the one who forged the e-mail as it were received from somebody else and has been put to your IMAP server manually.
In reality, that would throw forgery of such evidence in the hands of regular people, as opposed to those politically connected, the secret services, and nation-state hacker squads. While I sympathize with your political plight, I don't really understand why you would think that is a good thing in general. For all intents and purposes, it seems even worse, leaving the ability to weaponize public opinion in the hands of those who should most fear it.
Except if you are the actual victim of these e-mails and the politicans who control 95% of the media are able to trick people either making them belive it was fake or it had "national interests" and they did it because of "country".
At least these e-mails are believed to be true in other countries. So does Authenticity of thes e-mails can easily help you when you seek asylum in country from a country where they declared you as a terrorist - internationally.
If you are worried about your ability to validate DKIM signatures tomorrow on emails you own today, you can work-around this by timestamping the emails via something like opentimestamps.org. This would prove that those emails and their DKIM signatures existed today. The next step would be proving that nobody has leaked server's DKIM private keys before the date of timestamping.
I know threads change over time, and it's dangerous to write a comment in response to the perceived gestalt of an HN thread, but, I have to say, it's pretty wild reading a thread on this site arguing so strenuously against the premise of secure messaging.
In messaging cryptography, non-repudiability has for almost 2 decades been considered a vulnerability, not a feature. The OTR protocol[1] takes the step of publishing its used MAC keys --- it releases private key material! --- to ensure that random people can forge messages once participants have authenticated them. Signal came up with a novel deniable AKE[1] that is one of the more famous parts of the protocol; by design, you can forge a Signal conversation from someone's private key even if you've never talked to them before.†
When you think about it in the abstract, it's easy to understand what's going on, even if you don't take the time to read the OTR paper. Once counterparties have authenticated each others messages, authentication has served its purpose. To allow a stranger to authenticate a messages is to concede information to them, and avoiding concessions is the point of messaging cryptography.
If you believe non-repudiable messages are necessary for public policy, it's hard for me to understand how you'd support the rest of secure messaging. Most secure messengers also have "disappearing messages", which have an even more powerful impact on the public's ability to read your (or some disfavored other's) messages. In fact, keeping the public from reading stuff is... kind of the obvious point?
Maybe it's just email, and the belief that email should not just be insecure, but be deliberately insecure? But, you all get how weird it is for me to read that after getting yelled at for writing a blog post about avoiding secure email, right? 547 comments[3]! Many of them very angry!
† I'm always looking for this triple-DH blog post and never able to find it, because it doesn't contai the word "triple", and it never occurs to me to search for "deniable", only "repudiability" (which also doesn't occur in the blog post) so I guess I can thank this thread for fixing my bookmark.
It's easy to see why there are divided opinions on this. When someone sends an email, the recipient often wants to be able to prove that they did so. We think of email as something capable of leaving a paper trail, proof that certain people sent certain emails. It's reasonable for secure messaging to want to fill a different niche, more like private conversation. I've seen messaging apps advertised on the basis that they will delete all messages after a certain time, making them basically equivalent to talking to someone, in terms of non-repudiation and being ephemeral by default. But people frequently want email to be more like letter writing than private conversation. The tradition with letters was to sign your letters to prove that you sent them. People talk about having a certain thing "in writing", so that they can use it in litigation. Insofar as email is supposed to fill that niche, its reasonable to expect it to provide repudiable messaging.
My problem isn't that people have divided opinions on this. My problem is that people who oppose it write as if they're just now discovering that the opposite opinion exists --- in one case on this thread, someone suggested that the only reason Matthew Green held this opinion at all was political.
A serious argument against deniable messaging would start by acknowledging deniability as one of the shibboleths of the field of messaging cryptography, and then tackle the idea. Nobody on this thread has done that, and I think the reason why is that they're simply not aware that there is such a field.
I appreciate the re-framing of this comment and its parent. Personally I found the original article's argument to feel more like "people shouldn't be accountable for their correspondence" than "the default mode of email should be more of private secure messaging". Both are advocating for the same changes but only one seems reasonable to me. That may just be my flawed reading of the blog post, but regardless, I can better understand the positions now.
Speech has consequences. Given the good done in holding rogue "politicians" accountable, not seeing that as axiomatically desirable is at least a little bit suspicious...
Private emails are not speech. Are you suggesting all private conversations should be public? That seems absurd to me. Do you subscribe to the "surveillance isn't bad if you have nothing to hide" concept?
But emails are meant to be accountable. They are the digital equivalent to sending letters. They should leave paper trails. Just like you have written before, secure messaging should be left to secure messaging apps, not email.
Woh, the idea that private letters shouldn't be private is WAY far away from the privacy standards that have been around in liberal democracies for centuries.
Mail being secure from surveillance is a foundational freedom.
I have no idea where you are getting the idea that we all should have to answer for what we send in private correspondence.
Letters and emails are private. DKIM does not change that.
This discussion about DKIM is about non-repudiation and the ability to prove that a certain person sent the email.
If you send me a letter, I (or someone else who gains possession of that letter) should be able to prove that you sent the letter and hold you accountable for the contents. DKIM does that for emails.
If you want to transfer assurance of the authenticity of an email to someone else, you can do so without DKIM; just sign a timestamp or something. The problem with current DKIM configurations is that it provides that assurance to everybody, including strangers who have no business having it. Which is why the ask here is for Google to do with DKIM what OTR does with MAC keys: burn them periodically, so that only people who have explicitly arranged to share authentication do so.
That seems less usable for the average email recipient. Most people who need to prove authenticity to a third party (eg of politically sensitive or offensive messages) aren't techies.
Too, it's easy to imagine not knowing you need proof until some time after you receive an email.
If it isn't usable and enabled by default, it won't be used in practice - for the same reason almost nobody uses PGP.
It's already common to use unsigned documents in court, as long as you can show provenance is legit or if the counterparty is willing to acknowledge authencity.
In fact, it's quite common that the issue over unsigned documents in court is the interpretation, not authencity.
I think the issue of having to teach users how to opt in to signing emails in potentially controversial cases is preferable to having to teach them how to handle email communications that are permanently provable (for starters, never ever again leave out a quote and never ever write ambiguously).
The author's suggestion, as I understood it, doesn't prevent this, it only prevents them from doing it beyond a certain point in the future.
If you got an email that warrants "holding someone accountable", you would have plenty of time before the keys are released. So if you receive an email and call the police, nothing would change.
What you couldn't do it save it for years and keep it as blackmail material / until it's politically opportune to use. Of course it's not as clear cut as that, and an email may look harmless at the time, and only later, with more context, you might realize it contains evidence of misdeeds. So even a good faith actor might unknowingly sit on evidence.
I think the reason there's so much controversy about this post is because it was written in the context of a recent political controversy around which tribes have formed unusually strong opinions. It's hard to have a quality technical discussion when so many of the participants are being driven more by tribal emotions than by rational discussion.
> To allow a stranger to authenticate a messages is to concede information to them, and avoiding concessions is the point of messaging cryptography.
Whilst I agree with you that email messages should be repudiable , I have a feeling you're trying to pass something off as axiomatic that isn't. For example isn't a confidential business agreement basically exactly, by design, an authenticated non-repudiable message that can be authenticated by third parties (such as courts)?
And they have much better mechanisms than DKIM available which they should use instead.
In fact, with reliance on DKIM you create the distorted incentive that one company might want to fake getting hacked to claim an email they sent is not authentic.
As a matter of fact, they might even be so sneaky as to send individual emails without DKIM signatures, with a policy set for the recipients to not reject those emails. Since most email clients do not display this discrepancy in a lack of a DKIM signature, the recipient might not notice and then the sender can later claim forgery.
So then let's not rely on something so unreliable if you need reliable authentication.
Has this kind of repudiation ever been tested in the real world? It's hard to imagine a court throwing out email evidence because it lacked a DKIM signature. And on a personal level seeing a chat transcript that had cryptographic non-repudiation would make me likely to believe it, but seeing one that lacked it would probably not weigh heavily in how I came to that determination.
> Has this kind of repudiation ever been tested in the real world? It's hard to imagine a court throwing out email evidence because it lacked a DKIM signature.
They're more likely to ask their expert witness to testify about the evidence, and the deniability of the DKIM signature could be brought up by the expert witness as a reason to distrust the evidence. I wouldn't expect lawyers to discover this argument from first principles.
I would expect any half decent prosecutor to focus on how the emails were acquired when a verifiable DKIM signature is missing. Then the defense doesn't even need to bring that argument up, just challenge the provenance of the evidence.
The problem of deniability and "disavowing keys" is subjective and requires technical skill to understand,
that average person will not find this "equalization of legit and forged data" intuitive and will believe that keys/signatures/encryption on content adds authenticity on equal level with "legit data" - instead of "repudiation" you have a 'weak proof of authenticity' that could be disproved later(the burden of proof shift here is important psychologically since keys/encryption are perceived as legitimizing content).
Email fills a different niche than secure messaging protocols though. Email has come to be used much like mail, including for legal purposes. Non-repudiation is actually a useful feature for a lot of those use-cases.
Obviously the conflation of a bunch of different use-cases into this one protocol is a problem, but I don't know that just making email more secure is a solution.
Non-repudiation is of course a needed property for many systems, but it is not a property a system, especially an everyday messaging system like email, should have by accident - even "weak" non-repudiation such as DKIM. It is a violation of privacy. The suggestion the author makes of course doesn't completely get rid of it, but at least makes it time-limited.
Excuse my ignorance but how does someone else signing my message prove that I sent the message? Moreso if the body of the message is not being signed at all?
On one hand we have the Utilitarianist view of security. If increased security results in "more good" than evil, it is inherently ethical and thus acceptable. In this view, the idea that a good person may be blackmailed is perfectly acceptable, as long as it exposes political malfeasance.
On the other hand there's the Kantian view. If you have to lie, it it hurts someone, or it wouldn't work if it applied to everyone, then it's unethical. This doesn't seem to work at all, because we have to allow lying (non-repudiation). But non-repudiation could prevent someone from being hurt. And applying it to everyone would allow for the least harm, rather than the most good.
In the end Utilitarianism usually reigns because it's easier. But it does ignore the edge cases, which we should consider. Perhaps the way forward is not to pick one or the other, but actually re-make the world to embrace the good and avoid the bad. Sadly, that's probably the most difficult choice of all; when's the last time we replaced a working standard just because it had crappy outcomes?
I honestly don't care about this Sophomore Dorm Room stuff, as long as we can all at least acknowledge the role of deniability in messaging security. If you want to argue that email isn't messaging, that's fine, I disagree, but at least you'll be vindicating my "never use encrypted email" argument.
I was more pointing out that the choice of how to move forward isn't simple, and that the premise is probably flawed due to bad design, but that we probably won't fix the design because it works.
The problem with the author's paper is that his assumption (and that of, apparently, media organizations, Wikileaks, and others) of DKIM "ensuring non-repudiation of emails" is simply wrong.
>DKIM provides a life-long guarantee of email authenticity that anyone can use to cryptographically verify the authenticity of stolen emails, even years after they were sent.
No, it doesn't. It simply offers an assurance that, at around the time of sending, a given email was mostly likely sent from the server that signed it. It can't prove _anything_ about who actually sent it, because it can't guarantee the ownership of the email account.
>For better or for worse, the DKIM authenticity stamp has been widely used by the press, primarily in the context of political email hacks. It’s real, it’s important, and it’s meaningful.
There's no _better_ there -- only for worse. It would be better to dispute the validity of using DKIM for non-repudiation of emails than to propagate the lie and ask server operators to publish their expired secret keys.
For certain scandals just losing control of an email address is enough to cause serious concern.
Willfully admitting that control was lost could be a story in and of it's self.
Email is not a reasonable means to conduct business, qwerty is a terrible keyboard layout, different countries driving on different sides of the road seems like a really silly thing to do.
Just because something isn't reasonable doesn't really hold much sway when it comes to will people use it.
I don't think it needs to be all server operators;
It is not difficult for me to believe a Judge could find it "unlikely" that a 2013 email was forged containing a valid Google signature, and I would not want to rely on you being on my jury. If Google were to publish their private keys, I could produce a forgery of my own in my defence.
Of course it would be great if people were smarter than they are, but they're not, and I wrote some perl today, so it is hard to tilt at this particular windmill.
> It simply offers an assurance that, at around the time of sending, a given email was mostly likely sent from the server that signed it. It can't prove _anything_ about who actually sent it, because it can't guarantee the ownership of the email account.
Not on it's own, but it's a critical step in this chain:
1. DKIM verifies that a message was sent by Gmail.
2. We assume Gmail is careful with its keys.
3. We assume Gmail doesn't forge addresses.
4. Find evidence that links me to that address.
Most people will readily grant #2 and #3. Now we just need #4, which can be easy.
No, it's not cryptographically verified end-to-end, but it's good enough to convince a court or to convince a respectable news organization to run a story.
Spot on! I use to work for a company that helped Yahoo on the RFC (We were in the email spam space). DKIM is not meant to prove the payload is authentic/un-tampered, merely the person sending the email was authorized to use the domains SMTP server in question. Thats it. DKIM is a one bit in preventing spam.
Lets just say it. The emails that sparked all this are looking for something that simply isnt there. They see what they need to see to fit a world view
Interesting/educational read but I'm still not convinced that this unintended side effect is a bad thing - it seems like a desirable property to have authenticated emails. Matt argues this might lead to regular folks (as opposed to politicians) getting blackmailed, but:
1) it seems unlikely this cryptographic proof is needed (he acknowledges this criticism in the post), and
2) what seems more likely to me is that politicians would intentionally _not_ opt in to any alternate solution and use that deniability for their own advantage. (Also as an alternate he proposes GPG, which I know Matt knows is laughable).
If you had access to a public key for every email address then why stop at authentication - you could encrypt all email on the web. But we don't, so we can't.
Authentication in this context doesn't need to be end-to-end. Instead of a custom protocol, we could probably just use SSL client certificates authenticating the sending domain to achieve the same effect.
Put the company you work for in your threat model, and this becomes relevant to you.
The corporate world is mired in zero-sum competition, and some of your colleagues are willing to do things that will shock and appall you if it increases their chance of "winning".
Try working in defense, finance, or security as a closet anarchist. Have a few Chomsky books in your Amazon purchase history? Good luck climbing the Amazon corporate ladder.
You might want to validate your emails more than a few months out.
Regardless of if your emails are valid or not, blackmail is still a crime. Not being able to have your emails validated doesn't protect you from blackmail. The power of blackmail is often in the social cost of the accusation itself. The thing that protects you from blackmail is not getting involved in things you can be blackmailed for.
This is like saying don't lock your doors so that nobody can break and enter into your house.
> The thing that protects you from blackmail is not getting involved in things you can be blackmailed for.
This is incorrect, because the things that someone can be blackmailed for is not the same as the set of immoral or unethical acts. You can be blackmailed for being gay, or for having a serious medical condition that's undisclosed. Neither of those situations is a "well just don't do that" kind of thing.
The defense against blackmail is to make blackmail difficult (eg release DKIM keys), severely punish people who engage in blackmail, and guard your secrets effectively.
> This is like saying don't lock your doors so that nobody can break and enter into your house.
This is like saying the latch on your fence is a security mechanism. Nobody intended that fence latch to keep your safe or secure and hiding behind it won't make you safer. Rip away the false pretense.
No because it's not on us to make moral distinctions between someone who is gay and doesn't want to make that information public, and someone who isn't gay and is being falsly blackmailed.
Publishing the DKIM keys makes both cases harder because you no longer have authenticity claims. Neither claim has authenticity value and instead is just a "their word versus yours" situation.
Humans are terrible moral adjudicators, and acting off of universals leads to repugnant ends. The truth can absolutely do terrible damage and still be the truth, but being the truth doesn't remove value from privacy. Put another way - would it be moral to publish your full medical records in the public? After all, they are the truth...
It is on us to make moral choices. You are suggesting we do so by making email repudiatable in order to protect a hypothetical person from being outed via stolen email verified with dkim.
So far as I can tell this has never happened in history and logically neither blackmail nor public harm via exposure of sexual orientation particularly requires dkim verification.
It looks like you are asking us to give up DKIM verification which could and has aided us to verify politicians leaked emails in search of a purely hypothetical gain that may never materialize by suggesting that we both must and must not make moral determinations.
When an angry mob goes after suspected homosexuals, do you think they stop to authenticate DKIM signatures of emails? I'll give you a hint: no. In fact, it's hard to imagine any scenario where anybody goes through the trouble of authenticating e-mails of a "normal person" who is persecuted of something other than crimes.
Nobody is telling you to not be gay.
If you being gay is a secret, then don't send that secret over _plain fucking text email_.
Do you send your social security number to people in emails?
Email has never been privileged communication and the problem isn't one of validation but one of not understanding one's level of privacy and risk. It uses relays without end-to-end encryption and there's no guarantee that what you sent is not totally out in the open.
This is every bit as much about email you receive as email you send, and you are not in control of email you receive.
If your doctor slips up and emails you about your AZT prescription, it doesn't matter how careful you were about not disclosing your HIV status over email you sent.
> Not everyone is law savvy. Not everyone understands legalese. Not everyone makes rational choices all the time.
> Does that mean everybody should suffer the consequences of an arguably unintentional side effect of the technical implementation of law?
Thankfully this is not law, but people should understand the things that can get them in serious trouble. A lot of legal concepts follow from basic principles and history.
Privacy concepts are the same way. It's simply not sufficient that we don't educate everyone about these things anymore. Ignorance isn't going to protect anyone from the fallout of misuse of technology.
The solution isn't to coddle people, it's to provide better technology that does the thing the way people intend to use it.
Okay, but what about a topic that is legal and acceptable in today's society but not in the society 20, 30 or 40 years down the line? What if being gay becomes socially unacceptable again? Or supporting the second amendment? Or [literally anything]?
The problem is that what is socially and legally acceptable changes over time. Just 30 years ago, the standard for social acceptable commentary was wildly different in the areas of gender identity, sexuality, and race for instance.
Yes, you should absolutely think about everything that you commit to public record.
Yes, you might be totally fine now. You might be hanging out and get photographed with this creepy billionaire named Jeffrey Epstein who is just
another creepy billionaire at your creepy billionaire parties. Then 20 years from now we find out he's running pedophile island and people start looking into your associations.
We are not teaching people to be cautious about their public data and in fact there's an entire industry out there encouraging everyone to detail their whole lives in public record.
Get off of social media _today_. Yes, it's probably too late.
The other option is to be such a big celebrity that your entire life is public and you have the defense of scrutiny.
Side note: Somebody from my high school class is a famous criminal. I regularly receive requests for interviews on the basis of that association alone despite having nothing to do with the person for decades.
Using the billionaire pedophile example is a disgusting trick. You're trying to set me up for appearing to support that.
Why not use more neutral examples? Like being gay or supporting certain political causes? What if those later become controversial or illegal? What then?
Do you want to live in a world where you have to guard everything you say in semi-private conversations, just in case it one day becomes controversial? That sounds like an oppressive nightmare.
The social media argument is tangential but I do agree with you there.
I'm illustrating the severity of the identifiable public record.
When the Nazis started rounding up people to put in camps, they looked at the _extremely detailed_ Christian Parish records saying who was what and where they lived.
They were thought to be innocuous and important records to keep at the time. Actually I think in the Scandinavian countries the state Church is still responsible for recording all marriage & death records. They stopped tracking births for the previously mentioned reasons. (Hey, we just learned the importance of separation of Church and State, too!)
Nobody knows how important privacy is. Until they do.
>I'm illustrating the severity of the identifiable public record.
This is an argument in favor of emails being non-verifiable, so now I'm confused.
Previously you seem to be supporting the idea that email should be verifiable. Now you seem to be arguing the opposite. Everything you wrote above correlates with the opinions I've expressed so far.
You also wrote:
> If you live in a [country where homosexuality is illegal] and secretly a homosexual, do not send emails indicating that you're a homosexual.
As if that's an acceptable state of affairs and a reasonable compromise for the purpose of catching the occasional bad actor. It isn't.
a) email being verifiable is fine
b) nobody should be so stupid as to use email for anything personal. it is not privileged communication and potentially permanent public record.
c) if you want to use email, you'd better encrypt it and only for recipients that you trust.
As you well know, people use email for things they shouldn't. Why not make email slightly better? What's the harm? Isn't greatly reducing the chance of blackmail unequivocally positive?
So far, you've just been repeating disparaging comments on less technically minded ("stupid") people. You've not presented an argument for why this change would be detrimental.
We can continue educating people about the inherit insecurity of email while still improving it for those that (a) will never get it and (b) simply don't have access to alternatives.
You can argue improving email shouldn't be a priority, but the proposal in the article has zero cost. It's a free improvement.
I have to say you've failed to articulate why making email better (while we work to come up with a better solution) is an inherently bad thing. Especially when we can make it better for free.
I think this is a shameful argument. Non-repudiation over time is a truly powerful property of DKIM'd email for a great many uses outside of blackmail.
Calling for the ability to remove it during the years 2016-2020 in order to "protect politicians from blackmail" is not only of deeply questionable value but of suspect motivation. Who is the author interested in protecting?
Among messaging cryptographers, it's not even an argument. Serious secure messengers have been designed to avoid non-repudiation since OTR. Non-repudiation is a vulnerability: once counterparties have authenticated each other's messages, the legitimate need for authentication is gone; allowing random strangers to authenticate messages concedes information to them.
> once counterparties have authenticated each other's messages, the legitimate need for authentication is gone; allowing random strangers to authenticate messages concedes information to them.
As you know, there are many legitimate needs to authenticate messages of strangers.
For example, when you order products over the internet, an e-mail of your purchase is often the only proof of what was agreed in the purchase. If there is later a dispute between the buyer and the seller, the email can be used to repudiate lies. In particular, if a third party (like a court) can authenticate the message, the honest party can convince the third party that the dishonest party is being fraudulent.
You are exaggerating when you claim that there is no legitimate need to authenticate messages as a third party.
As you know, there are many legitimate needs to publish naked pictures of your body to the entire internet, but most people want to keep them private. Defaults matter.
What makes this hard is that email is responsible for too much crap. No single user interface should carry:
1. Party invites
2. Private messages to your spouse, therapist, pastor, etc.
3. Marketing messages
4. Password recovery requests
5. Financial transactions
We've just shoved them all into email because it's there.
I agree that e-mail is horrible, and I would prefer if contracts (like purchase receipts) moved off e-mail to something else, but that's tangential to the point. If Google started to publish and rotate DKIM keys, the world wouldn't suddenly move away from email.
In the real world it doesn't matter which cryptographic protocols are theoretically available for use. What matters is which protocols everyone else is using. For example, in the case of receipts for purchases on the web, literally everyone is using email. You will not be able to get amazon to sign a receipt with gnupg.
If you want to embark on a path of convincing the world to move away from email, that's great, good for you. Just don't pretend like removing non-repudiation from e-mails is a quest on that path. It's not.
Which is why, when email providers can do very simple things that improve privacy for all their members, even though email is irretrievably insecure, they should do so, as harm mitigation. Your mail spool will eventually get owned up. The least they can do is make it deniable.
> As you know, there are many legitimate needs to authenticate messages of strangers.
I agree with you here. However, EMail was never designed to do this. Eg if you order products over the internet, how do you know that your opposing party keeps their DKIM key safe?
> I agree with you here. However, EMail was never designed to do this. Eg if you order products over the internet, how do you know that your opposing party keeps their DKIM key safe?
I get that email and DKIM was never designed for this, it's a side effect. Fingers were not designed for finger print evidence, but it's still nice to have evidence from finger prints, as a side effect from touching things. And the problem of key storage / keys leaking will not disappear even if you change to some different protocol.
The point was that you pointed out a use case for some sort of cryptographic signing, not for (ab-) using DKIM for this purpose rather than what it was designed for.
I don't understand enough about all the issue to really know how I feel about it, but clearly there are trade-offs here that at least argue against expanding the scope.
> His point was that you pointed out a use case for some sort of cryptographic signing, not for (ab-) using DKIM for this purpose rather than what it was designed for.
First, thank you for the clarification.
Second, to answer tptacek's point, I understand that authenticating emails as a third party is an unintended side effect of the DKIM protocol. I understand that cryptographers would like people to move onto using other protocols for purposes like this. However, the suggestion that Google should periodically publish and rotate their secret keys, does not achieve this goal in any way. If Google were to do this, the webstore that you purchase items from, would not suddenly start using different protocols to authenticate purchase receipts, they would continue to send regular email... but those emails could no longer be authenticated. Or if we go back to the example in OP, the politician that's admitting to crimes over email, they're certainly not going to switch over to another method of documenting their crimes.
Edit: I was incorrectly using GPG as an example. I removed the incorrect example and let the point stand without it.
It's just really clear that people in this thread are trying to approach this from first principles without any engagement in the field that they're discussing. That's a fun thing to do as, like, a game or a way to pass the time, and I guess that's what HN is, but it's still crazymaking, because essentially every paper written about messaging cryptography refutes this comment. Cryptographers would like to move people onto GPG? The fact that GPG is non-repudiable and shouldn't be is one of the 2 motivating use cases for OTR, and later Signal. Nobody is trying to get people to use GPG.
Thank you for offering your insights over the years here. I can very much understand how frustrating it can be and you articulated it spectacularly so I just wanted to tell you that you personally have posted many things over the years that I gained from. Thank you
Ok, my GPG example was wrong. And yes, you got me, I'm not a professional cryptographer. But can you address the point? You said "once counterparties have authenticated each other's messages, the legitimate need for authentication is gone". I provided a counter-example to demonstrate that your statement was an exaggeration. You clearly dispute some part of this, but it's unclear to me what the disputed part is.
Edit: Hacker News doesn't allow me to post replies to the posts under this post, so I will answer by editing this comment. I'm addressing the following comment:
> Which counterexample is that exactly? Your counterexample involving a store is incorrect -- the store's email would still be authenticated for a smaller amount of time which would allow your server to verify that it is a valid email that came from the store's servers.
If you actually read my counter example, you will see that I wrote: "if a third party (like a court) can authenticate the message".
Yes, my email server can authenticate the email when it arrives, but that will be of little help later when I try to dispute claims in court. If the court can authenticate the email, that will be helpful to the honest party in the dispute.
> I provided a counter-example to demonstrate that your statement was an exaggeration.
Which counterexample is that exactly? Your counterexample involving a store is incorrect -- the store's email would still be authenticated for a smaller amount of time which would allow your server to verify that it is a valid email that came from the store's servers.
EDIT: Since you responded with an edit, I suppose I should as well. Btw, you can reply to comments below, but you have to click on the comment's permalink/timestamp (the thing that says "1 hour ago") first.
I didn't see the comment you are referring to because it was a very high up ancestor. I only saw the comment I replied to which doesn't mention courts nor third-parties, which is why I asked you for an explanation. Please don't jump immediately to the conclusion that I did not read your comment.
Regarding the content, hamburglar's sibling comment is spot on. Non-repudiability shouldn't just be an afterthought. Accidental non-repudiability can have negative consequences itself. For one, relying on the kind of poor man's non-repudiability that DKIM gives you leaves powerful central entities with the ability to forge email while convincing almost everyone that it is legitimate.
From reading everything that you wrote, I think that your thesis is that email, specifically, ought to be non-repudiable. That might be a worthwhile idea, but it should be presented as such at the forefront. If others agree that this is a valid and useful concept, then a non-repudiability mechanism could be added to email explicitly, just as DKIM was added. But don't use DKIM for this, since it is a poor substitute.
Non-repudiability makes perfect sense in a bunch of different financial cryptography settings. People really have trouble with the idea that all cryptography isn't the same, and that it's specialized to different problem domains. It's part of the reason we still have janky old PGP.
> Accidental non-repudiability can have negative consequences itself. For one, relying on the kind of poor man's non-repudiability that DKIM gives you leaves powerful central entities with the ability to forge email while convincing almost everyone that it is legitimate.
I fully agree.
> From reading everything that you wrote, I think that your thesis is that email, specifically, ought to be non-repudiable. That might be a worthwhile idea, but it should be presented as such at the forefront. If others agree that this is a valid and useful concept, then a non-repudiability mechanism could be added to email explicitly, just as DKIM was added. But don't use DKIM for this, since it is a poor substitute.
If the choice was between "DKIM for non-repudiability" and "a better mechanism for non-repudiability", of course I would support the better mechanism. But that's not the choice here. The proposal here is to remove this accidental, partial non-repudiability mechanism that currently exists, and replace it with nothing. That would leave the world worse off, not better. DKIM protects innocent people from being framed for saying horrible things, and DKIM protects innocent people from guilty people who do horrible things. And sure, sometimes DKIM might be used against innocent people in some way, but the balance seems heavily in favor of DKIM (from the perspective of innocent people).
> Ok, my GPG example was wrong. And yes, you got me, I'm not a professional cryptographer. But can you address the point? You said "once counterparties have authenticated each other's messages, the legitimate need for authentication is gone". I provided a counter-example ...
I think the person you're talking to thinks this is very obvious and thus isn't stating it explicitly, but in the special case where you want an email to include non-repudiation, such as for a purchase receipt, the sender should just add non-repudiation to it in the form of a signature that's intended for that. Simple.
> the sender should just add non-repudiation to it in the form of a signature that's intended for that. Simple.
Ok, but this does not magically happen if Google publishes and rotates their DKIM keys. People will continue to use email for everything, but now emails can no longer be authenticated by third parties.
I think the entire point is that non-repudiation shouldn't just magically happen unless intended, so yes, this is by design, and anyone who wants to send a signed email should explicitly send a signed email.
> I think the entire point is that non-repudiation shouldn't just magically happen unless intended, so yes, this is by design, and anyone who wants to send a signed email should explicitly send a signed email.
Let's not pretend that the world would move away from email if Google made this change. We both know that's not going to happen. Given that, can you explain why you think the world would be a better place when emails can be repudiated? When emails can be not be repudiated, innocent people can be framed for saying/doing things that they didn't do. DKIM protects innocent people from being framed. DKIM also protects innocent people against guilty people who commit frauds or other crime.
Nobody's talking about the world moving away from google. We're talking about the world simply not having non-repudiation built into email. A sender of an email doesn't owe you non-repudiation as a feature. Sorry if you think otherwise. Senders can add non-repudiation as a feature if they want to, which satisfies your purchase receipt scenario.
> Nobody's talking about the world moving away from google. We're talking about the world simply not having non-repudiation built into email. A sender of an email doesn't owe you non-repudiation as a feature. Sorry if you think otherwise. Senders can add non-repudiation as a feature if they want to, which satisfies your purchase receipt scenario.
Please explain to me how I can make Amazon (or any other webshop) add non-repudiable contracts to their order flow? That's right, I can't. And no, I don't think that Amazon "owes" me non-repudiable emails, but now that we have non-repudiation by accident, it's certainly nice to have, and the world would be worse off if we removed that feature and replaced it with nothing.
You can't force their DKIM signatures to be good forever either. You're basing some sense of security on a cryptographic property that simply isn't true. Would the world be worse off if you couldn't rely on DKIM signatures indefinitely? I don't know, are we worse off? Because whether you accept it or not, that's the exact situation we're in now.
So if something does not provide a perfect guarantee, it's "nothing"? You realize that handwritten signatures on a paper contract do not provide a perfect guarantee either? Signatures can be forged. And the paper is not going to remain in perfect condition forever, at some point in the future the paper is going to decay. Does that mean we can never know anything about anything? No. Of course we can have evidence about events which occurred in the world, even if the evidence doesn't provide a 100% guarantee of something, indefinitely. For example, a handwritten signature on a paper can be imperfect evidence that the contract took place, or a DKIM signature on an email can be imperfect evidence that the email is not a forgery.
First, "innocent people can be framed" is not that simple.
Without non-repudiation, you don't automatically get to frame someone for whatever. You need to provide the usual (non-DKIM) evidence of whatever you're claiming.
And even with non-repudiation, you can still try and frame someone. Not having the DKIM signature might be suspicious in some circumstances, but it doesn't eliminate the possibility.
Yes, I agree we should have secure private messengers. But that has nothing to do with this discussion. First off, email is not a secure private messenger. Second, email would not become "more secure" by removing the accidental, partial non-repudiation that DKIM provides. Third, this comment chain that you are replying in right now, is about whether there exists any legitimate need for a third party to authenticate emails with DKIM after the emails have been sent. tptacek claimed that no such legitimate need exists. I've been arguing against this with a specific counter-example.
"with DKIM" is the part of your argument you've failed to back up. Yes, you have a counter-example that requires authenticated emails. You don't have one that requires authenticating emails with DKIM.
> "with DKIM" is the part of your argument you've failed to back up. Yes, you have a counter-example that requires authenticated emails. You don't have one that requires authenticating emails with DKIM.
That's because we aren't discussing a proposal to switch from DKIM authentication to a different method of authentication. We're discussing a proposal to abandon the partial non-repudiation property that's accidentally provided by DKIM, and replacing it with nothing.
> I'd argue that we currently have that "nothing" and are just trying to be explicit about it.
If you want concrete examples of how the partial non-repudiation property provided by DKIM is not "nothing", you have to look no further than the examples provided in OP.
And yet all of those examples go poof very, very easily, based on something that's not in your control. So yeah, I think they're nothing.
Let me give you a scenario to consider. At my old company, there was a mail server that would DKIM-sign everything that was passed through it. Anybody who wanted to on the internal network could write an email with tampered headers (say, backdated, or "From:" someone else) and send it through this server. This was acceptable because the SOLE PURPOSE of this signing was improving SMTP deliverability. It tells other mail servers "yes, this SMTP payload actually originated from this company. Please do not treat it as spam." So given one of these signed messages, what can you argue about the contents? Nothing, other than "these did not come from a random spammer posing as this company."
You run risks when you assume a signature means something that the signer does not actually intend it to mean.
You gave a example of a 'need' to do X that is specifically not legitimate. I'm not sure (and decline to speculate) whether you're confused or malicious or some other problem entirely, but you are wrong.
> You gave a example of a 'need' to do X that is specifically not legitimate.
The example was that two parties are disputing a contract, the court is attempting to resolve the dispute, and the court has a need to authenticate the contract. Can you explain why you think that this is not a legitimate need to authenticate a document?
> I'm not sure (and decline to speculate) whether you're confused or malicious or some other problem entirely, but you are wrong.
You "decline to speculate", and then proceed to speculate anyway? Ok. Well, it's certainly easier to resort to calling me names, than actually defending your position with arguments.
> Can you explain why you think that this is not a legitimate need to authenticate a document?
Because it is not legitimate for a court to treat something that was not intentionally (ie, with something other than DKIM) signed as a signed contract. If one party did not sign that contract, a DKIM 'signature' doesn't change that. Conversely, if you have a argument that the document should be treated as a valid contract despite not having been signed, the lack of DKIM 'signature' is obviously irrelevant.
> Because it is not legitimate for a court to treat something that was not intentionally (ie, with something other than DKIM) signed as a signed contract. If one party did not sign that contract, a DKIM 'signature' doesn't change that. Conversely, if you have a argument that the document should be treated as a valid contract despite not having been signed, the lack of DKIM 'signature' is obviously irrelevant.
Not legitimate where? In Finland, where I live, there is no restriction on the form that a contract must take. A contract can be scribbled on a napkin, a contract can be oral, and yes, a contract can be written in email. You're claiming that a document should not be treated as a valid contract if it has not been signed, but Finnish law is pretty clear that a signature is not required for a contract to be valid. Furthermore, you claim that if a signature is not a requirement for a contract to be valid, then the lack of signature is "obviously" irrelevant. This is not obvious at all, and in fact is not true at all. As you surely know, sometimes the parties to a contract dispute what was agreed upon. Having a written contract is superior to an oral contract, because it is harder to dispute what was written, than it is to dispute what was said orally. In the same vein, it is harder to dispute a written contract with signatures, than a written contract lacking signatures. And in the same vein, it is harder to dispute an email that is DKIM validated, than an email that is lacking any sender validation.
> You're claiming that a document should not be treated as a valid contract if it has not been signed
No, I'm claiming that a document should not be treated as signed if it has not been signed. And drawing attention to (not "claiming") the fact that attaching^Whaving some third party such as Google attach a piece of networking metadata to it, does not constitute signing.
> No, I'm claiming that a document should not be treated as signed if it has not been signed. And drawing attention to (not "claiming") the fact that attaching^Whaving some third party such as Google attach a piece of networking metadata to it, does not constitute signing.
It sounds like you think that a "signed document" carries some sort of significance that an "unsigned document" does not carry, other than the value of the signature as evidence of a contract. I'm not aware of any such significance, at least not in the context of Finnish legislation. Perhaps if we are emailing a draft of a contract back and forth, the signature on a document can be used to specify which version is the agreed-upon contract as opposed to draft. But a similar proof could be attained without a signature, for example by recording audio of a verbal agreement which specifies the agreed-upon version of the contract. The signature does not carry any special significance.
In any case, no, I do not think that a DKIM signature is comparable to a handwritten signature. I would rather compare DKIM signature to fingerprints on a physical document. You might say "I've never seen this piece of paper in my life!" to dispute the validity of a paper contract, but your fingerprints on that paper would constitute significant evidence against your statement. DKIM signature of an email could be used in the same fashion.
Here is the actual quote: "once counterparties have authenticated each other's messages, the legitimate need for authentication is gone". Yes I used quotes in the "do X" sentence, but nobody will mistake it for a literal quote, because it contains "X" in place of the actual thing. Anyway, do you think there is something wrong with my characterization of that statement?
> Yes, because it ignores the sentence that precedes it.
This sentence? "Serious secure messengers have been designed to avoid non-repudiation since OTR." I don't see how this sentence supposedly alters the meaning of the sentence that comes after it? At this point it seems like you just want to sow confusion. If I had misinterpreted your words in some way, you could have clarified the misunderstanding like 10 times by now. Instead, you choose to reply in snarks like saying I'm confused, or asking me to read your comment again. I don't think there's any misunderstanding. You took an extreme position that didn't hold up to scrutiny, and you don't want to defend your position or back down, so you just reply in snarks instead. If there is some kind of misunderstanding, please do go ahead and explain what the misunderstanding is.
> "once counterparties have authenticated each other's messages" is the omission that changes the meaning of the quote.
No, it doesn't. The dispute isn't about the need for counterparties to authenticate each other. Yes, we all agree that it's good if email receivers can validate the authenticity of the sender. That's not at dispute. The question is, is it good if third parties also have the ability to authenticate the sender of an email at a later point in time (using DKIM specifically). tptacek claimed that there is no legitimate need for such a thing, and I provided a counter-example to that.
It just feels like the baseline expected behavior of a communications system to me that makes no explicit claims otherwise.
Legal signatures are heavily ritualized (blue/black ink only, initial here and sign there etc.) in most societies for good reason – it makes the signer stop for a moment and reconsider what they are doing, if the document they are signing is truly aligned with their intentions and so on.
As another analogy/food for thought: We have the technical means to record every conversation we ever have, digital or analog, public or private. Should we? If not, why not?
> It just feels like the baseline expected behavior of a communications system to me that makes no explicit claims otherwise.
Why do you feel like email "makes no explicit claims" about the authenticity of emails? Laypeople are not even aware of the possibility of spoofing the sender field in emails. Technical people can check the "explicit claims" of a protocol like e-mail, SPF, DKIM, etc. to understand what it claims to do. In other words, email makes both implicit claims, and explicit claims about the verifiability of the sender field.
Yeah the man-off-the-street expects that if you have an email in your inbox it's proof positive that it was received like that. They don't know that you can upload counterfeit emails using imap or anything like that.
Introducing non-repudiation would violate everyone's expectations and create a total mess.
I'm saying this as someone who often and deliberately uses deniable messengers.
> Yeah the man-off-the-street expects that if you have an email in your inbox it's proof positive that it was received like that. They don't know that you can upload counterfeit emails using imap or anything like that. Introducing non-repudiation would violate everyone's expectations and create a total mess.
If the "man-off-the-street" expects email to have non-repudiation property, then how exactly would "introducing non-repudiation" violate their expectations?
FWIW, I am pretty sure I agree with you/OTR, but the IETF Messaging Layer Security (MLS) people disagree for not-always-trivially-dismissible reasons (indirect link because I am lazy).
The problem isn't any one individual who is/isn't involved, it's the consensus mechanism. If you bring in a great sous chef and ask them to make you an omelet, they will make a great omelet. If you bring in a committee of people -- some sell omelet pans, some run hotel chains where free omelets are part of the package, some want you to adopt their vegan egg substitute -- you are not going to get a great omelet spec. Adding one omelet expert to the committee doesn't add anything over just asking an omelet expert to make some eggs.
They would absolutely not love to have me, and I keep away from their mailing lists as much as a favor to them as to my own sanity. I'm not alone in the wilderness on this opinion that IETF process produces abysmal cryptography, by the way; Bernstein beat me here by 2 decades.
Cryptographers don't have some sort of monopoly on what is right or what makes sense. Deniability is actually a good example of this. The idea of deniability as some sort of desirable feature in messaging came out of nowhere. It wasn't anything that anyone asked for or worried about before the OTR proposal suggested it. It is a cool idea but it has little practical value. That is particularly true when it depends on falsely claiming some sort of forgery when you know you actually said something embarrassing.
I do have a question though, as a relative amateur. It’s more on a sociological level.
Suppose you are in an organization, and it needs to figure our whether an employee was saying a Bad Thing such as giving out company secrets or cursing people out “off the record”.
Yes, even with end to end encryption, Facebook and others can still let you prove the other person sent the messages when you need. The question is whether that is a good thing:
Email is not a "serious secure messenger." It is the equivalent of writing a letter and signing your name to it. Email is useful for when you want a paper trail. Otherwise, you would use a secure messenger instead.
Why not just rotate them frequently? Like weekly? Or daily even?
ProtonMail makes you setup 3 CNAMEs for DKIM just so they can frequently rotate without your intervention or disruption. Sendgrid uses 2 for the same thing.
What's stopping someone from recording each public key as it is entered into service and providing a DKIM authentication service with it? There are already such things for domain data.
Please read the whole article before jumping into a conclusion about the author, Matthew Green. He sighted two examples where incorrect crypto science affected both a Democrat and a Republican. He is not trying to protect any particular side. He is simply articulating a method by which the key can be invalidated after its intended life time. If you have a technical argument, please explain that.
"An accident of the past few years is that this feature has been used primarily by political actors working in a manner that many people find agreeable — either because it suits a partisan preference, or because the people who got “caught” sort of deserved it.
But bad things happen to good people too. If you build a mechanism that incentivizes crime, sooner or later you will get crimed on."
People who are protected from blackmail by email repudiation are by definition people who have incriminating emails. Maybe everyone had skeletons in their closet, but if you have email proof of skeletons I'm starting to wonder if you're such a good person.
Also there's an argument that "good people" can be blackmailed for INVENTED misconduct, but wouldn't such fake emails be more convincing without the ability to verify their origins? Making real emails and fake emails more similar protects people who have their incriminating emails leaked, but it also harms the defence of people who have fake emails targeting them "leaked".
There's a high bar for obfuscating truth and I don't believe this argument meets it.
Ah yes, the good old, “If you haven’t done anything wrong, you’ve got nothing to hide” argument. The authoritarians favourite argument for a police state.
I guess you’re the type of person that would happily hand over all your personal files to the police on a regular basis as you have nothing to hide.
To be clear, the reason I was presenting that is that the OP says the opposite, essentially "You have to fear being blackmailed, even if you have done nothing wrong". I'm suggesting that non-repudiation is actually a good defense against blackmail for people who have "done nothing wrong". thinkharderdev provides a more concrete example of one of the problems that arises in the police state, in that "wrong"-ness is not consistent, and you could be persecuted for things you say or who you are based on a backwards interpretation of what is "wrong".
Personally I am fine with the idea (as represented in this comment https://news.ycombinator.com/item?id=25115654) that email is providing something similar to a "paper trail", and when you send an email you can expect that people can prove you sent it, should they get their hands on the email. However, I totally understand the position that private secure messaging is important and that email should default to that.
In the authoritarian argument, "you've got nothing to hide", is followed by "you are now forced to reveal all", in my execution it would be "you are accountable for all emails you send, forever, should they be released". I am ok with that specific lack of privacy in that context, but I can understand the position that non-repudiability should be opt-in, and privacy the default.
> that email is providing something similar to a "paper trail"
because paper doesn’t provide non-repudiation and never has done.
The whole point of a “paper trail” is the “trail” bit, as it provides providence of a sequence of actions or communications that logically fit together. Hopefully providing evidence for your side of a dispute.
There’s no need for email to be non-repudiatable to achieve this. In fact I serious doubt a court would care if an email is DKIM signed. Very rarely are disputes so simple and straightforward that proving a single email was sent is enough to produce an outcome.
In short DKIM non-repudiation by default gives up everyones privacy, to protect a tiny group of individuals engaged in extra edge case disputes, where the entire outcome of the disputes hangs on the validity of a single email.
Not OP. But I would give all my data to the police/government... in an encrypted manner that has guarantees in place that only valid criminal investigations can decrypt. Heck, we do it on some level all the time anyways when it comes to things such as filing taxes, getting married, running companies, enforcing contracts and various other day-to-day benign interactions.
At this point, I'm more inclined to believe that "democratic" and "noble" governments and agents are the ones maliciously pushing for "privacy" because it suits their power-maintaining agenda. I'm struggling to find compelling and valid reasons why we can't pursue a general solution that involves us giving all this "private" data to a government entity for legitimate investigations, fraud prevention and crime-solving whilst keeping that data free from abuse.
> I'm struggling to find compelling and valid reasons why we can't pursue a general solution that involves us giving all this "private" data to a government entity for legitimate investigations, fraud prevention and crime-solving whilst keeping that data free from abuse.
Because that's not logically possible. It would be nice if it were, but just think about it: if you give data to the government, humans can look at it. Can we ensure that the humans who look at it are good humans? No. Is there some mathematical way of signing and encrypting such that only good humans can look at it? No.
Okay, so it's logically impossible to keep bad people out mathematically, but maybe it's a practical problem and it doesn't matter in practice? Except no, there are tons of evil governments (CCP being the most obvious, but pick your poison), and even good governments are subject to the problem that people can bribed and secrets can be stolen if there is sufficient motivation. It's just not compatible with human nature to say "collect all this information on people, but only use it For Good Purposes."
But, the message you are replying to points out governments already have piles of information about you -- your taxes for example. They can easily add to this (in appropriate legal situations), by reaching out to banks in your country for example.
While I understand the problem of evil governments, I broadly trust mine. I want them to have the power to investigate me, and my fellow citizens, for crimes. I don't want to love in a lawless country.
The level of information we are talking about is not comparable.
First of all, tax information in the United States was in fact abused by Richard Nixon, so it's not just a hypothetical possibility. It's a thing that already happened and requires safeguarding to prevent recurring. If there were a way of collecting taxes without the possibility of abuse, we would use it, but there's not, so we do what we can to balance things. FWIW, I think actually a lot of government records should be stored on paper and not in computers because hackers can steal 300m records overnight, but even very enterprising thieves can only steal one or two truckloads of physical records per hour.
Second of all, this information is just on another level. My tax information is basically not interesting to anyone except that it has my SSN on it, and SSNs are only interesting because the US has bad laws around "identity theft" and we don't properly punish corporations for giving out loans based on nothing but an unverified SSN. Could someone embarrass me by releasing my tax info? I guess if they really dug into my charitable deductions and found an embarrassing cause (a la Brendan Eich?) or that I was giving too little? For me, an average American, there is little or no reason to fear having my taxes used against me.
Email is just not like that. There are certainly emails I have send and received which I hope no one else will see. It's just not comparable at all. It's the difference between having $100 in your wallet (might be stolen but probably not) and $6m in your wallet (will absolutely be stolen if people know about it).
Should the government be able to investigate me? Of course! But investigations have happened for centuries before emails existed. Investigation does not require pre-surveillance of emails or covert surveillance. The simplest thing the government can do is arrest me on suspicion of X charges and then go through all my computers. That is 100% the government should be able to do! If they catch me destroying evidence, I should be charged with destruction of evidence. But that is different from empowering the government to secretly look at email. The part where the government collects my email should be public action that I am well aware, not a secret action done passively by breaking encryption.
I'm not clear what you are arguing for? Do you not want a functioning, effective police force now, in case they become evil in the future (or already are evil, depending on your point of view)?
If a government turns full evil, they don't need evidence against you, they can just lock you up without charge.
I think it's perfectly reasonable to take a non-absolute position here. You can want a somewhat functioning, somewhat effective police force, but not one that is more functioning or effective than the one we have in reality; or, in fact, you can want one that is less functioning and effective than the one we have now, without being completely dysfunctional and ineffective.
(One could imagine a police force that is effective enough to stop murderers, but not effective enough to stop dissidents. Such a police force would be more useful for a society that wants no murder than for one that wants no dissent.)
Some people want to be more private than current (for example, this discussion of email keys). As more things move online, it is worth thinking where the balance should be (we probably agree on that), I think the balance should be less privacy (I'm sure you don't agree with that, a full discussion on that won't fit well in a ycombinator thread).
You’re right on you final points. My two rebuttals for advocating for less privacy online is that being online naturally makes you less private, not more.
Previously if someone, government or otherwise, wanted to learn about you, they would need to physically follow you, tap your phones, intercept your post etc. Warrants for searches were built around this.
Online, you can dig into the private life of someone on the other side of the plant who you’ve never met. With the application of computers you can dig into the lives of hundreds of people you’ve never met. All without leaving the comfort of your desk.
The opportunity for fishing expedition is unprecedented at the moment, and it always easy to justify a fishing expedition if you pick a horrific enough crime (child pornography seems to be the favourite right now).
Finally privacy is the strongest bulwark we have against government overreach. That doesn’t mean some top down conspiracy of a totalitarian-elect government. It can be normal everyday government administrators who decide to step outside their bounds for personal reasons, or belief of moral superiority.
Simply put, there’s no better deterrent for bad behaviour than hard work. Privacy makes bad actors work hard for their lunch. It makes the good actors work hard as well, but the solution to that isn’t less privacy, it’s more funding and resources for good actors.
> in an encrypted manner that has guarantees in place that only valid criminal investigations can decrypt
What constitutes a valid criminal investigation, who decides? Do you, does a prosecutor, a judge, the police?
Is it a valid to decrypt your data just see if you were at a specific location at a specific time? What about so the police can check a theory? How about to see if you joined an unsanctioned protest, smoked a joint, speed while driving, downloaded a movie?
Speeding and copyright theft are both criminal, are you saying that your happy to make it trivial to investigate you for these crimes an prosecute you for them?
It used to be criminal to engage in homosexual behaviour, and in some parts of the world. Once upon a time that would be a valid criminal investigation in the US. For a short while it was looking like abortions might become criminal in the not too distant future.
Privacy is a fundamental tool for allowing society to progress and change, and for avoiding totalitarianism.
>"What constitutes a valid criminal investigation, who decides? Do you, does a prosecutor, a judge, the police?"
Some sort of formal process with reasonable oversight the necessity of multiple points of compromise and/or collusion in order for the data to be abused for non-governmental use. Bottom line, I can't say I've "solved" the problem and have the perfect answer to your question. But I'm sure we, collectively as a society filled with smart people that want to move us forward, could put down some (fundamental?) tools/rules/processes that would negate the potential for abuse up until a certain point. Maybe we can't do 100%, but we could do 95 or 98%?
>"Is it a valid to decrypt your data just see if you were at a specific location at a specific time? What about so the police can check a theory? How about to see if you joined an unsanctioned protest, smoked a joint, speed while driving, downloaded a movie?"
Yes, very much so Yes! Especially the location based stuff as it's perfect for investigations without revealing details. "List all people that were within 50m of this crime location during this timespan." <-- that is so unbelievably powerful as a crime-solving tool, that I am baffled that we're avoiding it out of privacy concerns. As for the speeding example: That's probably another example of us already giving the data (car's black-box) to government (and private insurance companies) in order to facilitate an investigation.
But to your point about drug-use, speeding and copyright infringement. If we don't want something prosecuted then we shouldn't have it as a crime. But as it stands now, a bunch of what you mentioned is a crime. That represents an implicit agreement by all of us in society that says we deem those things punishable. We can't hide behind lack of capability to police said crimes, but still label them as such. That is ripe for offical-power abuse. For all we know, if we lived in a society where we had such strict enforcement of laws as I suggest, we'd potentially have greater churn and change in our laws to match the opinions of society as it changed and evolved.
> "Privacy is a fundamental tool for allowing society to progress and change, and for avoiding totalitarianism."
I disagree. I'm not seeing it. There is just way too much going wrong today in 1-st world countries whilst we have really good privacy for it to be the case. We're downright descending into totalitarianism and thought/opinion control territory, all whilst our "privacy" is mostly maintained and respected. Are you saying we need more of it? What would that look like to you?
Here is an example of how location data can be abused, accidentally or otherwise [0]. If you go down this road, then smart criminals will just take steps to avoid carry location tracking devices. What do you do then? Force everyone to carry and maintain a GPS tracker? Arrest them if they fail to charge it properly, because they could use that window to commit a crime without being tracked?
> We can't hide behind lack of capability to police said crimes, but still label them as such.
Most laws are written with the implicit assumption it’s not possible to perfectly enforce them. That provides some natural wriggle room to interpret the laws, avoids the need to write a long list of when it’s ok to speed for example.
Perfect enforcement breaks all of that. A knowledgable police officer could almost certainly stop you on any day the week and find you guilt of some obscure and ancient crime that’s no longer relevant.
> For all we know, if we lived in a society where we had such strict enforcement of laws as I suggest, we'd potentially have greater churn and change in our laws to match the opinions of society as it changed and evolved.
How do you imagine society would evolve its opinions and change them in a world of perfect enforcement? How the gay community show the world there nothing wrong with their way of life, if they simply couldn’t live it?
How would society change its views on smoking weed, if it was impossible to smoke it?
It’s impossible for a society to change its view on existing laws, if it’s completely unable to experiment with ignoring, or re-interpreting them.
It would be like expecting a child to ask for food they had never eaten, and never seen anyone else eat. How could they possibly know it existed, much less if it was good or bad for them?
> I disagree. I'm not seeing it. There is just way too much going wrong today in 1-st world countries whilst we have really good privacy for it to be the case. We're downright descending into totalitarianism and thought/opinion control territory, all whilst our "privacy" is mostly maintained and respected
Hahahaha, seriously. You complain of thought control, but advocate for world where the government can watch your every move, and perfectly enforce every law. Have you read 1984? I see little difference between world in that book, and the one your advocating for.
> Are you saying we need more of it? What would that look like to you?
Yes I am. How can you control someone’s though and opinions if you don’t know what they are? How can a totalitarian government rule with an iron fist if they don’t know where their citizens are, or what they’re doing?
Totalitarian governments come into existence because people want control and order, and they’re great if you fit into that governments view of what control and order look like. If you don’t, we’ll there are plenty of genocides that can be studied.
I don't think the implication that only "bad" people can be blackmailed is valid. You could be blackmailed for being a homosexual in many parts of the US still or doubting the existence of god or having unacceptably conservative political views. We do all sorts of things that are not at all wrong but may carry a significant social or economic cost if they were to be exposed publicly.
I think people are overlooking this. It can even be worse in other countries. Some of those things (among numerous other things) can lead to death in a few countries.
The world isn't entitled to knowing whether something I'm alleged to have said or done really happened or not.
For the people who lack imagination: suppose I'm a public official, and a photograph comes out depicting me doing some kind of "dirty" sexual act. Maybe it's real; maybe it's a deepfake; but if confirmed to be real it certainly would do reputational damage. Non-repudiation by definition prevents me from disavowing it, to no social benefit, and it's an anti-feature, in the sense that the large majority of users would prefer to have the ability to repudiate certain message contents than not.
Please read the whole article. If it only takes a "few hours" to create incriminating "evidence" (read, something that didn't exist) - it must be clearly proclaimed as such to the world.
I believe you are referring to this quote (correct me if not):
"In fact, in the early DKIM configurations were kind of a joke: mail providers chose DKIM signing keys that were trivial for motivated attackers to crack. Back in 2012 a security researcher named Zachary Harris pointed out that Google and several other companies were using using 512-bit RSA to sign DKIM. He showed that these keys could be “cracked” in a matter of hours on rented cloud hardware, and then used these keys to forge emails from Larry and Sergey.
Providers like Google reacted to the whole “Larry and Sergey” embarassment in the way you’d expect. Without giving the implications any serious thought, they quickly ramped up their keys to 1024-bit or 2048-bit RSA. This stopped the forgeries, but inadvertently turned a harmless anti-spam protocol into a life-long cryptographic authenticity stamp — one that can be used to verify the provenance of any email dump, regardless of how it reaches the verifier."
Note that the "few hours" attack here is only relevant if they were using easily crackable 512-bit keys. The author of this article suggests (and I agree) that the 1024 or 2048 bit RSA keys are not easily crackable. (see https://crypto.stackexchange.com/a/42830)
Maybe you are suggesting that someone could sign emails using the old crackable 512-bit keys. And they could, although we should disregard this as "not verification" given the weak keys. The article links to https://github.com/robertdavidgraham/hunter-dkim#short-dkim-... - which verifies an email using a since-rotated 2015 key (which was 2048 bits), although that github erroneously states that Google was using 1024 bit before that (they were using 512).
I would concede that the notion of "sometimes we should disregard some DKIM verifications based on the key length" is not easy to grasp and that email verification stories in the media could become muddier and harder to present. I would hope that interviewing experts gets you a reasonable estimation of how likely an email is to be legitimate.
I don't know how I feel about it but I do think it's an interesting argument. The point of DKIM is, first and foremost, to fight spam. The non-repudiation aspect is, as far as I'm concerned, a side effect of DKIM, not a core feature.
The more I think about it the more I inch towards agreeing with TFA. If I need my email to be authenticated I can sign them with GPG. If the law enforcement needs to see if I did or did not send an email they can subpoena Google.
>Non-repudiation over time is a truly powerful property of DKIM'd email for a great many uses outside of blackmail.
Can you expand on this? I can't really come up with a use case that wouldn't be about associating somebody with an email they may want to distantiate themselves from.
> Non-repudiation over time is a truly powerful property of DKIM'd email for a great many uses outside of blackmail.
Exactly. If one enters into an contract using an e-mail, then DKIM can be used as a proof to the court of law that the contract was accepted by both sides.
Yes. I have seen first hand where it was used to help accelerate out of court agreement without needing a lawsuit. Basically a 3rd party had one of their outlook user accounts compromised by a bad actor who used it to tell another company new instructions for something.
The 3rd party tried to say other company fell for a phishing email and it was their fault but because of DKIM it was immediately provable that instead 3rd party was compromised and email legit sent from their o365 and they were pretending like they didn't know this. This all got disputed maybe a year after email sent.
Love Matthew Green but I personally am not a fan of this proposal. It doesn't fully achieve what he wants bc its only gmail and timing of compromise would be key. Most of the email hacks have actually been very much in the public interest despite being unethical. Breaches also lead to more productive work by companies in better securing accounts and better protecting sensitive information which google has been doing with account security and adding expiring messages.
Like do we really want companies to just continue sloppily sending customer info in email bc they can deny its legit or should they focus on not getting this info compromised to begin with?
Also, for ransomeware groups that now post data when not paid, it is not really seeming like too big of a disincentive that there is repudiation regarding the files they post.
If non-repudiation is important to you, then both parties should consent to it and use a platform that explicitly supports it.
It shouldn’t be sprung on people without consent. It would be like saying it’s fine to keep a recording from someone else’s webcam because it might prove a crime later.
There’s a reason why justice systems have statues of limitations. People should need to look over their shoulders for the rest of their lives because of one poorly written email.
It is not really being sprung on them with how long it has existed. Not at all like continuing recording on a webcam where you might say things never intended for the party receiving it.
Are ppl who don't even know DKIM exists but know they have shady emails saved in the cloud or on their personal really just banking on repudiation and thats why they take no other action like deleting the email or putting more thought into emails they send? Seriously doubt it.
Exactly bc of statute of limitations, they would not have to look over their shoulders for the rest of their lives because of one poorly written email.
Consent needs to be given freely, with knowledge of what you’re consenting to. If it’s not free and knowledgeable, it’s not consent.
I certainly didn’t realise that DKIM can be used as a non-repudiation signature, I’m sure most people using email don’t.
Thus there’s no consent and I would say that non-repudiation has been sprung on me.
The duration has nothing to do with it. Just because you can keep a camera hidden in someones room for an extended period of time doesn’t mean it’s ethical or consensual to record them.
Finally statues of limitations don’t protect people from a trial in social media. Social media is just as capable as the justice system of destroying a persons life. Unfortunately Twitter doesn’t have a statue of limitations.
I think it is less about user behavior and understanding than it is about the incentives it creates for nefarious actors. Basically, if emails can't be cryptographically verified then stealing a bunch of emails and anonymously dumping them somewhere is pointless since most people would probably not consider them authentic.
> Exactly. If one enters into an contract using an e-mail, then DKIM can be used as a proof to the court of law that the contract was accepted by both sides.
It would make a good TV drama plot, but courts don't work this way in real life. If that were the case, courts wouldn't be able to enforce contracts with wet signatures (which are straightforward to forge), or verbal contracts (which are valid contracts and regularly enforced).
In practice, you don't need to check DKIM in order to use an email as evidence of a contract, because the courts would more likely just use the many other threats and tools at their disposal to ensure that the email is not fabricated.
This is why, even though most contracts are not executed in a cryptographically secure manner, most contract disputes that land before the courts hinge on matters like breach of contract ("we agree on the original terms, but disagree on whether our actions upheld them") or disputes over the intended vs. actual meaning of the contract ("we agree on the text we both signed to, but disagree on the correct interpretation of that text").
Disputes over whether the text of the executed contract is authentic are rare in real life.
> If that were the case, courts wouldn't be able to enforce contracts with wet signatures (which are straightforward to forge)
I'm pretty confident that I could sign an email with a DKIM key if that were published, however, there's nothing that would give me the confidence that I could forge a pen signature in such a way that not even an expert could detect the forgery.
> or verbal contracts (which are valid contracts and regularly enforced).
I'm not a a lawyer, but according to the first google result "the Uniform Commercial Code [...] requires that contracts for the sale of goods over $500 to be in writing".[1]
> Disputes over whether the text of the executed contract is authentic are rare in real life.
Maybe they are rare precisely because it's hard and risky to forge signatures.
I'm not a a lawyer, but according to the first google result "the Uniform Commercial Code [...] requires that contracts for the sale of goods over $500 to be in writing".[1]
In practice, this doesn't seem to mean that every time you buy an iPhone, Apple provides you a paper contract authenticated with an actual verifiable hand-signed signature of an authorised officer.
Not to mention that DKIM only validates that en email was sent with particular content from a particular email address. It cannot ensure who was actually sitting at the keyboard composing the email.
I don't know about your country, but in mine (The Netherlands), it is a completely and utterly valid way to enter a contract.
Actually, you are free to enter a contract in any way possible. It is vormvrij (translated: form-free). Excluded is the purchase of a house, as far as I know. But for the rest, you are free to come to an agreement via WhatsApp, Facebook, email, or a scrawl on a piece of paper.
Because, without DKIM, a dishonest party can repudiate the email. Just as a written contract is superior to an oral contract, a non repudiable written contract is superior to a repudiable written contract.
> In which scenario Amazon would deny sending an email and you would be protected by DKIM?
You want a specific scenario of a dispute between a vendor and a customer? Ok. Let's say I email Amazon's customer support to ask them if a specific order is going to incur customs fees, and the Amazon representative emails me back that the order is not going to incur customs fees. Then I make the order, and to my surprise, I do have to pay custom fees. I contact Amazon to ask them to compensate me for the fees, but Amazon now claims that they are not responsible for custom fees. At this point I would be protected by a copy of the email where they claimed that I would incur no customs fees. If I can demonstrate to Amazon that I have proof of their false claims, prior to the purchase, they will be inclined to compensate. If they refuse to compensate, I can (depending on jurisdiction) take my claim to small claims court and present my evidence there. In this case it's unlikely for anyone to actually validate the DKIM signatures, but it does matter whether email is generally considered to be non-repudiable. If you run a campaign to make email repudiable, and make sure people should know email is repudiable, then this email will be less convincing as evidence.
If you run a campaign to make email repudiable, and make sure people should know email is repudiable, then emails will no longer be convincing evidence.
The original email spec doesn't provide any security against forgeries. The "sent from" field in email is about as secure as the "sent from" field in physical letters. The only reason why laypersons consider email to be non-repudiable is because of additional protocols like SPF and DKIM that were implemented after the original spec. Without these protocols email would be considered repudiable, which OP considers to be a preferrable outcome.
> And that commerce existed before emails?
Yes, and? I'm not claiming that all commerce would come to a halt immediately if this campaign for email repudiability was successful. Of course commerce would continue to exist. But the world would be worse off, not better. There would be slightly more disputes, and dishonest parties would increase their chances of defrauding honest parties.
> You don't need DKIM to solve the issues you've pointed out.
Are you alluding to hypothetical alternative protocols for authenticating contracts? If you can make the world move off from email, that's great! Email is horrible! But if you can't make people move away from email, you won't make the world a better place by making email less secure.
> Again: How many disputes like that have been resolved with DKIM?
How many? As in, you expect me to have statistics on it? Are we pretending that when people resolve disputes, they mark their disputes in some kind of global database that we can query for statistics? You're not making any sense.
> The only reason why laypersons consider email to be non-repudiable is because of additional protocols like SPF and DKIM that were implemented after the original spec
You really think that laypersons have any idea of what DKIM is?
> But the world would be worse off, not better.
That's the whole point of this discussion. You seem to be arguing that the world would be better with non-repudiable email. But then I ask how many disputes have been resolved with DKIM and you have no idea. So basically your argument has zero basis in reality.
You're asking for every email user to have non-repudiation enforced unwillingly to them in every email they send so that someone maybe someday may solve some imaginary dispute with Amazon by using DKIM.
> You really think that laypersons have any idea of what DKIM is?
The layperson doesn't have to understand the intricacies of email protocols, it's enough that they consider email to be non-repudiable. This is why a copy of an email typically suffices as "proof" of a contract. If you successfully run a campaign to make email repudiable, then laypersons will no longer consider email to be non-repudiable, and emails no longer suffice as "proof" of a contract. If you disagree with something I said here, can you specify which part it is exactly that you disagree with?
> You seem to be arguing that the world would be better with non-repudiable email.
Yes, the world is better off now, at a time when laypersons consider e-mail to be non-repudiable, compared to a hypothetical future where this is no longer the case.
> But then I ask how many disputes have been resolved with DKIM and you have no idea. So basically your argument has zero basis in reality.
So if I can't give the exact number of times that DKIM has helped in dispute resolution, then my argument "has zero basis in reality"? This doesn't make any sense. If I said that "the existence of courts prevents vigilantes", you could say the same thing: "well what's the exact number of times that the existence of courts has prevented vigilanteeism? ha! you don't know the exact number! your argument has zero basis in reality then." We could apply your logic to many other scenarios: what's the number of times that existence of guards has prevented prison breaks? What's the number of infections prevented by vaccines? We don't know the exact numbers for any of these things, and yet we can logicly deduce that courts prevent vigilantes, guards prevent prison breaks, vaccines prevent infections, and DKIM prevents breaking contracts.
> You're asking for every email user to have non-repudiation enforced unwillingly to them in every email they send so that someone maybe someday may solve some imaginary dispute with Amazon by using DKIM.
Laypersons already believe that emails have non-repudiation property. People are free to use secure messengers to communicate privately. When people choose to communicate with email, they are choosing non-repudiation over privacy. You are the one who is asking to change e-mail protocols so that they would work differently than people currently expect. I'm the one saying e-mail should work like people expect e-mail to work.
> The layperson doesn't have to understand the intricacies of email protocols, it's enough that they consider email to be non-repudiable.
They consider it non-repudiable not because of DKIM, it's just a common misconception. People believed that before DKIM. They will still believe it if Google discloses its DKIM keys.
They totally should not believe it, though.
> So if I can't give the exact number of times that DKIM has helped in dispute resolution, then my argument "has zero basis in reality"?
Of course that's not what I meant, I don't care about exact numbers. Just give me some evidence that DKIM is relevant to solve disputes anywhere else other than in the minds of HN commenters. Otherwise your claim that the world is better off now with non-repudiable email has no basis in reality.
> they are choosing non-repudiation over privacy
They totally are not. They have no idea what are the properties of email. As an example, a non-tech friend of mine was once surprised that email does not provide any confidentiality.
We're discussing a campaign whose goal is to increase the deniability of email. When you say things like "they will still believe [email is non-repudiable] if Google discloses its DKIM keys", you're essentially saying that this campaign will not be successful in its ultimate goal - that even if the campaign manages to get Google to periodically rotate and publish their DKIM keys, it will not achieve the desired effect of increasing the deniability of email. So, you're saying that this campaign is a fool's errand?
I don't have a strong opinion on the chances of success that this campaign has. What I am saying is that if the campaign was successful in increasing the repudiability of email, that would make it easier for people to repudiate emails that they've sent, and that would be a bad thing in the context of resolving disputes. Do you agree?
A signed and scanned PDF is also commonly used, same as an old-school fax-based contract where you sign and send it back. But, yes, the DKIM definitely does not matter for contract purposes.
Except, as pointed out in the article, over time the ability to crack the underlying key and thus forge such emails becomes very practical. By disavowing the keys it prevents someone from taking a cracked key, forging an email and then "discovering it" for nefarious purposes.
Disavowing also protects against key theft or leaks. I'd guess that theft or leaks are probably more likely than cracking, now that the major providers are using long keys.
A counter to the non-repudiation of old emails is the fact that people who own their own mail servers can rotate their DKIM keys. So it's already possible for e.g politicians to have their email set up in such a way that they're insulated from leaks.
The argument here is more that customers of gmail and other email services are not offered repudiation as a feature.
"Rotating keys" isn't the important part. "Publishing keys" is the important part. "Rotating keys" is an implementation requirement of "DKIM with repudiability via eventually-published keys."
This fails the role-reversal test. If Donald Trump had his e-mails leaked in 2016, the blackmailer would likely have extorted a ransom payment from then-candidate Trump. He paid off Stormy Daniels, after all. Nobody would have gotten any juicy e-mail dumps, and some criminals would have had actual leverage over politicians. Just because Hillary Clinton was less shrewd than Donald Trump does not mean that blackmail material is good for us as citizens just because some politicians don't pay ransoms on principle.
If you want transparency from your politicians, then you should demand unconditional archival and publication of campaign e-mails. Build transparency into the system. Leakers are not archivists, nor are they journalists. They are leakers, with an entirely different set of motivations and incentives which only sometimes align with journalistic or archival motivations. You as a member of the public will not hear about leaks if the person in possession of those leaked files has successfully extorted or ransomed the politician they came from. In this particular threat model, DKIM does not provide a social benefit to you as a citizen, it provides a monetary benefit to the leaker.
> Non-repudiation over time is a truly powerful property of DKIM'd email for a great many uses outside of blackmail.
This. Publishing the DKIM keys would be a huge loss for email archivists and historians in general. E.g. a couple weeks ago Donald Knuth published all of the emails he's sent and received over the last 20+ years of his career[1], without DKIM how would we know that they are authentic?
You can say the exact same thing about all secure messaging, which, after all, has the essential function of keeping documents out of the hands of third parties, including activists and historians. If DKIM upsets you, how do you get your head around disappearing messages?
I mean, I guess you'd have to think that, to think that ensuring deniable emails is "shameful", as this thread suggests. I just wonder what the boundary of that thinking is. Message encryption also impedes activists!
> how do you get your head around disappearing messages?
I mean I try to publish most of my interesting email conversations on the web, because every time you have a good email conversation that isn't public it's like taking a $100 bill and lighting it on fire. So I wouldn't ever personally use disappearing messages.
Literally the first rule of email is that if you wouldn't want it on the front page of the NYT then you shouldn't send it. The first national scandal involving email was Iran Contra in 1986. People should know by now not to put anything into an email that they wouldn't be comfortable with the entire world knowing. And while privacy is hugely important to individuals and essential for a healthy society, to me rotating DKIM keys feels like it's incentivizing people to use email incorrectly.
We did, it's called email. The phrase "like a postcard" is how email has been described for decades -- by our school systems and the media when educating the general public, in corporate training, and in the court system.
Quite the opposite is true.
Gmail, for example, says "Google.com Mail protects your message during delivery
As you add people to this message, this icon will let you know your message is secure."
> Do you mistrust the unsigned emails from 10+ years ago because they were sent prior to DKIM?
Yes.
> As for authenticity, you could contact him, or his correspondents?
Correspondents aren't necessarily going to tell the truth about the authenticity of their own email. And that's assuming they're alive, reachable, and willing to talk, all of which may not be the case now and will be the case with 100% certainty in the future.
That just proves that he did send the mails he published. But since he did not put the mails on a block chain, we'll never know whether he was e.g. exchanging steamy e-mails with Grace Hopper or arranging weed deals with E.W. Dijkstra (or vice versa) on the side and decided to omit them from his published correspondence >:-)
As a security professional I 100% agree with the author.
The comments here on Hacker News seem to have tripped on the examples given (keywords: politicians, journalists) and turned this into the more generic and politically loaded discussion whether it's desirable to "cryptographically verify" what politicians write.
But that's not the point! The point is that DKIM is technically not designed for this use case and the way people misuse DKIM for this unintended purpose is highly problematic from a cryptographic and engineering perspective.
I think the best way to think of DKIM is that it's a "cryptographic protocol" in the sense that git is a "cryptographic protocol" because it uses SHA1. If you think "PGP" (not the best example :-)) or "Telegram" you have the wrong idea: DKIM is a bunch of cryptographic primitives haphazardly bolted on email to solve a specific problem. It's not good cryptographic design because good cryptographic design anticipates unintended usecases and deal with them appropriately.
1) Read the DKIM RFC.
First of all the only field that it's required to sign is the From: header (see RFC, section 5.4). So you could still forge an email but have it pass a DKIM signature check.
If people believe that DKIM "cryptographically signs" e-mails in the sense of PGP, then that's a problem, because that's not true. A DKIM signed email doesn't actually say anything: you have to look at the signature which part of the message are signed, which is not standardized.
So you could have this situation when people, like journalists or even people on Hacker News, think a forged email is valid because it has a valid DKIM signature (but the signature is over the From: header only). E-mail is complicated as it is without having to explain to people who have binary classified an email as "forgery" or "not forgery" based on a specific combination of email-headers and DKIM signature specification. Let's not do that.
2) Look at what mail providers actually do with their DKIM keys.
For legacy reasons due to DNS providers and length of TXT records, many large internet providers use DKIM keys that are 1024 bit RSA.
Already 10 years ago, most standard bodies started to recommend against the use of 1024 bit RSA. It's deprecated. Like MD5-deprecated.
The fact that many service providers use the same key for all emails for all customers and reuse that key for years, increasing the likelihood of the key being leaked, is another case against trusting DKIM for this purpose.
> First of all the only field that it's required to sign is the From: header
OK, I've never looked into DKIM before, but 6376 looks fairly recent, and it reports the message body must be hashed. Now sure, there may be issues with the hash to allow arbitrary collisions, and of course the key may have been leaked or broken, and in any case today's key is unlikely to be secure against nation states now, let alone in 10 years time.
I agree in general the idea that having "DKIM signed" mails means they are authentic is an issue -- in 20 years time it will be easy enough for anyone to forge a DKIM signature for any email they want that they claim was sent today, but from what I can see the message body is signed.
Technically, DKIM probably shouldn't take away deniability. But to be fair, this discussion doesn't exist in vacuum. Requesting that Google publish private keys is inherently politically loaded, given recent events. (and it's was neither goal or anti-goal in DKIM design, so it's not that there is mistake in protocol or something).
If some provider decides to implement this proposal, I don't think they should do it retroactively and publish old keys. It would be just inviting additional political shitstorm.
The piece seems to be arguing from a general principle. Repudiation is a feature of most secure messaging applications and it is a feature that should be introduced to GMail. This argument doesn't fully address how technologies are actually used today.
As far as I can tell, people who need repudiation are already using apps that have repudiation (eg Signal), because they know they are in a vulnerable position. The people who need repudiation already have it. So far we have seen DKIM authentication used against individuals in positions of power. With things as they are, cryptography is leveling the playing field by empowering the vulnerable while holding those in power responsible. If this situation or balance were to change perhaps it would make sense to rethink DKIM non-repudiation. I understand this is an opinionated/political take on cryptography that not everyone would share.
> Google could launch the process right now by releasing its ancient 2016-era private keys. Since the secrecy of these serves literally no security purpose at this point, except for allowing third parties to verify email leaks, there’s no case for keeping these values secret at all.
I've used Google's DKIM signatures to timestamp call recordings for years by putting a sha256 of the attached recording in the subject, so "literally no security purpose" isn't true!
(though I should probably go through and timestamp those signatures right now them using another method, just in case this guy's idea gains any traction)
If you have a specific use case where you need non-repudiation then there are numerous other tools you can accomplish that with. I think the author is arguing that it shouldn't be on by default.
DKIM's protection aren't as strong as people say they are (though fairly strong)
1) DKIM doesn't protect the To: header in any reasonable way (its not really designed to). i.e. it protects it in the sense that the original email had that as the To: header, but this is easy to forge as the To: header is not used by SMTP in delivery (think Bcc). i.e. its easy to write emails that are To: <some address> that are never attempted to be delivered to said address.
2) DKIM (even on gmail) doesn't quite protect the From: header as one would expect. Yes, gmail in general makes it difficult to spoof the email in the From header (it will replace it with your own if you try in the general case), but there's a huge but, if you gave gmail itself access to use that e-mail. i.e. I can be compsciphd@gmail.com but if billgates@gmail.com was convinced to allow me access to send emails as billgates@gmail.com (either via cooperation or a technical or sociological hack) then i can do that without having access to the account. and this permission is permanent. as far as I can tell, it irrevocable and to other gmail users there is no indication that other accounts have this permission for your email.
so what do we learn
1) can't 100% trust DKIM to believe who an email was sent to unless you actually retrieved it out of said user's email spool
2) can't 100% trust DKIM to believe who actually sent an email (even on gmail)
now, do I think DKIM gives anywhere close to 0% trust. No, I think its much closer to 100 than 0, but one has to understand the limitations and most people who discuss it, don't seem to understand them.
the threat is a hack playing a very long game. If one doesn't view that long game hack threat as serious, then its close enough to 100% (especially if gmail rotates their keys even without making the private part public), but if a long game hack threat is a serious thing, then it drops.
I don't see non repudation as that bad a thing. Are people any less likely to be blackmailed due to technical deniability of email contents? I feel that for most, that wouldn't matter.
"The problem with DKIM is that no customers asked for this feature as a default in their commercial mail account."
Two questions:
Have there ever been any Gmail design decisions, e.g., default settings, where users were consulted first?
I was recenty informed by another HN commenter that "99% of users" are "not qualified to have opinions" on something like MacOS behaviour,[FN1] or in this case Gmail behaviour. If this is true, should "99%" of users be given the choice not to use DKIM if they are "not qualified" to have an opinion on DKIM?
So I thought Google was already CIA for a long time. But now a CIA shill (or NSA) has to resort to a public plea to remove email authentication, so that future embarrassing email leaks, probably proving corruption and other criminal activity, can easily be plausibly denied. Wtf. Even for old emails, gmail break-ins.
They are getting more and more laughable.
What about a public plea for justice? Accountability?
Equating something to a CIA front company is too simplistic(like Zuckerberg's Facebook and Lifelog project),
the companies, projects and frameworks grow out of their sponsors reach and evolve into large, complex systems like the Internet(a spin-off from ARPANET created by Advanced Research Projects Agency (ARPA) of the United States Department of Defense ).
>it makes us all more vulnerable to extortion and blackmail
This is true with the added proviso that, by "us", he means "the guilty". The rest are protected, on the contrary, to this very particular form of these crimes.
Adding a proviso to your proviso, "the guilty" here could include those guilty of being transexual, associating with undesirables, holding unpopular opinions, having mental health issues, or, ya know, having anything private they prefer not to be disclosed.
I doubt Google will publish old private keys that were not designed to become public later. I would guess that it's too dangerous or cumbersome to do the security analysis.
What if someone realizes that Google uses a broken cryptographically secure pseudorandom number generator (CSPRNG) à la Debian ? Unlikely but the risks exists, so not going to happen in my opinion.
> What if someone realizes that Google uses a broken cryptographically secure pseudorandom number generator (CSPRNG) à la Debian ?
1. Someone with bad intentions figuring that out could start spamming other domains using gmail.com From Addresses.
2. Someone with good intentions would contact google security for a bug bounty or maybe just publish a zero-day report. Google would correct the issue and the world would be a slightly more secure place.
#2 would almost certainly happen, I suspect. And if #1 happened _before_ #2 then there'd be more spam in the world, temporarily.
Wow. This blog post is appalling. I completely disagree with it.
Consider this excerpt from the blog post:
> But DKIM authenticity is great! Don’t we want to be able to authenticate politicians’ leaked emails?
> Modern DKIM deployments are problematic because they incentivize a specific kind of crime: theft of private emails for use in public blackmail and extortion campaigns. An accident of the past few years is that this feature has been used primarily by political actors working in a manner that many people find agreeable — either because it suits a partisan preference, or because the people who got “caught” sort of deserved it.
> But bad things happen to good people too. If you build a mechanism that incentivizes crime, sooner or later you will get crimed on.
The author seems to be arguing that if after a certain point it becomes impossible to verify whether an email was genuine or not, that would somehow be a good thing.
This reasoning seems harmful to me. It's incredible that the author treats this moral argument as self evident. Let me state my objections clearly.
1. The truthfulness and reliability of the historical record is important. The fact that politicians are protected from blackmail when they write incriminating emails is utterly insignificant by comparison. Is the principle being defended that protecting politicians from blackmail is stronger than a public interest in having a historical record?
2. Making historical emails impossible to authenticate after a certain period of time makes it more difficult to prosecute crimes. It helps criminals, the very thing the author claims to be trying to avoid. If a politician, or anyone for that matter, sends an incriminating email which is evidence of the intent to commit a crime, why on earth would you want to make it easier to cover your tracks?
Seriously, can someone present a moral argument for why this should be adopted? It seems only harmful to me.
The word "appalling" describes something that creates surprising distress or dismay (itself implying surprise).
To be surprised at a cryptographer advocating for deniable messaging is to suggest that you're unacquainted with the field of messaging cryptography, in which deniable messaging has been a foundational goal for almost 2 decades, going back to Ian Goldberg and Nikita Borisov, who once yelled at me on Twitter for giving OTR short shrift and thus ensured I'd always associate his name with OTR and thus, I'm sure to his delight, his name being dropped on this thread.
I'd again like to point out how clear it is, the epistemic approach being taken in this thread. You can disagree with deniable messaging as a valid goal (it'd set you apart from cryptography engineers, but that's fine). But you can't be appalled by it in 2020, because the idea is old enough to drink in a bar in Canada, and motivated at least two of the most famous protocols in all of cryptography.
Instead, what people are doing here is skimming this post, digging no further, and then calling to mind their understanding of current events. Then, from that tiny thread of information and a bunch of axioms invented, I presume, in the span of just a minute or two, they're deriving an entire first-principles explanation of how messaging security is supposed to work.
You can do that, but I think it's more than fair to point out that there are people that have dedicated their entire career to studying this subject and publishing on it, and if commenters are going to make it clear that they haven't even tried to engage with that material, it's unclear why they should be taken seriously.
In the quote I presented above, the author wasn't making a technical argument, but a moral one.
If you or the author are presenting an argument why repudiation is necessary on technical grounds, I will admit ignorance and defer to the experts.
But my reading of the blog post was that it is not a technical argument. It's an argument about morality, and specifically the author used political examples. If the author did not want lay people to argue about the moral implications, why did they use non-technical arguments?
I don't know how fair this is but will just say that the first thought that jumps to my mind here is that being surprised at a cryptographer advocating for deniable messages is a little bit like being surprised at a medical researcher advocating for effective antibiotics. It probably never occurs to either of them to question the legitimacy of their moral stance.
I certainly could be wrong. What’s the case for repudiation? Is making blackmail harder really the cryptographer’s mail argument for why repudiation is a benefit?
I didn’t see a more convincing argument in the blog post. If there is a technical reason why repudiation is beneficial, I would be grateful for an explanation.
I'm not going to present a moral argument (what is a moral argument in this context?), only two direct rebuttals of your objections:
1. DKIM provides neither truthfulness nor objectivity. It's a signature mechanism used between mail servers to reduce spam. For implementation reasons, most DKIM users sign with RSA keys that are either currently crackable or will be crackable in a matter of years. Consequently, "signed" emails that are leaked years after their alleged transmission provide a false sense of non-repudiation.
2. Per 1, these emails are already impossible to authenticate after a period of time. This just makes the expectation more explicit. More generally, however, this just isn't a fruitful (or intended) application of DKIM: if the government wants to obtain evidence of a crime, they're going to subpoena the email provider and retrieve the originals. If the suspected criminal is sufficiently important, they'll use pointier methods. The outcomes of our criminal justice system intentionally doesn't hinge on the validity of a few DNS-published RSA keys.
First: I don't think Matthew Green "resorted" to anything. I think he chose the blackmail example because it's easy to understand on a personal level: we all use repudiatable protocols in other contexts (like Signal), so why wouldn't we want it on our emails?
Second: That's not how blackmail works. It's contingent on what the extorted party thinks, not the cryptographic integrity of the blackmail material. That's why mass blackmail spam campaigns (that DKIM fails to prevent, ironically enough) are remarkably effective. Publishing DKIM secret keys after their expiry doesn't magically prevent blackmail; it just removes one more tool from the blackmailer's toolbelt for instilling fear in the target.
The problem is that it's not clear about it. It looks like it does quite a bit, and the counter-argument boils down to "someone could have cracked the secret key", which everyone always is told is the thing that is impossible. So you get plenty people believing and claiming DKIM can do that. This would be fixed by obviously breaking it.
> 1. The truthfulness and reliability of the historical record is important. [...]
Everybody agrees here, but how does one gets to decide that Google, a private corporation, is the one to decide that a given email is an accurate historical email? An email provider is a defacto certificate authority?
Are these dkim keys subject to the same standard of care as private keys that CAs manage?
For your regular-person scenario, having a way for a 3rd party private company "certify" an email sent from another private company (example: your online order) may be good enough, but is it good enough in every scenario?
In the general case, repudiation is desired by users, and non-repudiation is needed in only very particular cases. Companies serving nontechnical users should make repudiation the default, because if given the choice most users would prefer it to be the default.
In the particular case of Google releasing its DKIM keys, I think I would need more context. What kind of repudiation property do users expect when sending emails over GMail? Is non-repudiability currently used by users for legal or business purposes? Probably the way to do it would be to announce a particular date maybe a year into the future that the private keys would be released.
> Seriously, can someone present a moral argument for why this should be adopted? It seems only harmful to me.
Because this isn't just about politicians, or holding politicians accountable. It affects the rest of us too!
Instead, imagine what would happen if a hacker accessed the email of a closeted LGBTQIA+ person living in a country where being outed is practically a death sentence, and the DKIM signatures were sufficient proof of guilt.
The author underestimates how ready people are to believe slander. Publishing of DKIM keys will only allow people to produce more convincing faked emails. If a bunch of faked emails about a political leader signed with DKIM keys were released securities experts are going to say these keys are leaked and anyone could fake those emails but by the time they do the damage will have already happened and no one would be listening to them. The solution is not to release DKIM keys, but to make sure mails are not leaked. Throwing away signatures a few days after the email is delivered would not be a bad plan either, given they have actually served their purpose at that point.
So, when one sees a photograph, do people automatically believe it? Why aren't there photoshopped images of high profile people being published everywhere as slander? Because people know that photoshop exists.
Similarly, if everyone knows that these keys have been released, people wouldn't believe slanderous email dumps.
As I said in my other comment, I fear that Google may have securely destroyed the keys because of fear of it getting stolen.
Can't you just set up your mailserver so that it drops all the crypto headers (DKIM-Signature, ...) after verifying them and storing the result in Authentication-Results? Only your server's Authentication-Results header is really relevant to spam filtering, anyway.
Unless you're debugging something those headers seem irrelevant anyway, and they bloat the messages very much. (often times they are 3-4x the size of actual email)
> Can't you just set up your mailserver so that it drops all the crypto headers (DKIM-Signature, ...) after verifying them and storing the result in Authentication-Results?
Matthew Green's ask isn't about protecting users that are tech-savvy enough to just set up their own mailserver and configure it a special way.
It's about protecting the billions of users that aren't.
Gmail (and other email providers) could also protect these billions by making the header-stripping change at the server level for everyone.
After all, Green is proposing for them to change their servers anyway, so either way it requires some kind of server change.
The advantage of Green's approach is it gets results quickly because with one change they can protect a lot of emails. But, while quick results are nice, is this problem really so urgent that only the fastest solution should be considered?
Another difference is the set of users who are protected. If you rotate DKIM keys, you protect Gmail users against non-repudiation risks because their outgoing emails become more deniable. But if you strip headers from Gmail users' inboxes, you protect Gmail users against hacking, because now hacking a Gmail account gets you less-valuable data.
Also, publishing old DKIM secret keys will require some distribution method. Where do you actually put them? For a given email provider, where do you go look to find them? It's a solvable problem but it's one that doesn't exist with the header-stripping approach.
Yes, the call isn't for GMail to kill non-repudiation protections on mail they receive (and was signed by others), it's to kill it on emails they've signed and thus are sitting on someone else's server.
This relies on the problematic approach to deniability of making forgeries possible.
To make this work you need to claim a forgery when you know that no such forgery occurred. So you explicitly or implicitly have to accuse someone of a serious crime/offence they did not commit. Most people have a greater sense of honour than that. Those that don't would still have to fear getting caught.
If someone actually does forge a message using the old private keys provided by Google then you would have to fight the assumption that you were using the system as it was designed. Everyone would just assume you said it and are now using the possibility of forgery to lie about having said it.
You can always claim a forgery anyway should you decide to do that. Perhaps someone got access to Google's relatively poorly guarded DKIM private key. How would you know? You are probably not making a specific claim anyway.
There should be no need to make claims of forgery. The mere fact that an email can be forged will substantially reduce the likelihood of email being used, unless clear providence can be provided.
At the moment that providence can be proved with DKIM. Remove DKIM and now bad actors need to prove that they actually broke into someone’s emails and stole them. A much high bar to pass, especially as it may mean incriminating yourself of a crime.
Emails become just as useful as find a pile of top secret papers on the floor. Unless you can prove the source of those papers everyone is going to ignore you.
Am I the only one thinking that the issue comes from the fact that DKIM stuff is (I assume) inserted into the email's headers?
DKIM is used for transfer of email, to make sure that the originating server is who it pretends to be. Shouldn't that be part of an envelope of the email, which would be discarded once the email has been received and its sending server verified and authenticated? Like for paper mail, one does _usually_ not keep the envelope (though I admit that there may be exceptional situations where it may be preferable to keep the envelope).
--
In the interest of users (will most probably never happen), all incoming emails should be ignored and dismissed unless the recipient has explicitly specified that it accepts email sent from a given email address. Wouldn't this give the power back to the users?
We've backed into a particular default, more via path-dependencies than conscious choice, that:
* emails between major email providers have this lingering semi-authenticity indicator that authors didn't explicitly choose
* to the extent the providers keep their DKIM keys non-public, only those providers (or those who exfiltrate such keys) can forge old emails
Both of these have problems if considered from 1st principles:
* Users should be able to control if they're creating non-repudiable messages.
* No one, not even Google, should have the power to create authentic-seeming forgeries.
This article's author, Matthew Green, suggests rapid expiration & disclosure of DKIM keys to narrow the window of time the user is subject to a non-repudiation they didn't choose. (Green here only specifically requests disclosure of years-old keys to invalidate older message archives, but conceivably a rigorous expiration-and-disclosure schedule could be chosen to limit the risk to weeks or days.)
And via public disclosure, Green intends to indirectly address the risk of privileged parties forging emails, by giving everyone the same power-to-forge older emails - so no particular forgery can be too convincing.
But these new defaults are nearly as ad-hoc – reactive without conscious design – as the DKIM problem they purport to solve.
Many would prefer that their emails, or at least some of them, be non-repudiable for a while or indefinitely. Many recipients would like to maintain their own private authenticity records – which as Green notes, can be bootstrapped into existence (even with rapid-expiring DKIM keys) by secure-timestamping messages & current DKIM keys at the time they're received.
(To the extent Google & other providers have internally-trusted tamper-proof logs, they may already have de facto secure timestamping happening on all inbound/outbound email. Thus any amount of DKIM key fouling wouldn't stop their unique internal ability to authenticate older messages, for their own forensic or political purposes.)
I'd prefer users be given some visibility into, and choice over, how much durable authentication is added to their email messages – before adopting either Green's quick fix (publish old keys ASAP), or defaulting all users to his potential longer-term solution of explicitly "non-attributable email" (per his KeyForge paper or other schemes).
I understand that the arguments both for and against the current DKIM regime are fairly nontrivial (should we analyse it as a loss of rights to the public (your past emails can be attributed to you) or a gain (you can hold the powerful to account)?), but either way, it seems that the only position that is consistent with the author's would be one that is enthusiastically in favour of improvement and proliferation of DeepFake technology. After all, we already live in a world where technology has created a novel form of attribution that could be used for blackmail: slightly over 100 years ago, nobody could prove or disprove that you said or did something in the past, whereas nowadays a video (given some pixel-level forensics) works as irrevokable proof positive.
Repudiation doesn't seem to be desired by email users. Whether it's a valid encryption principle or not. The example crimes were not facilitated by this, but were merely verified. Had the DKIM keys been rotated, Podesta's emails would still have been stolen and leaked.
Perversely, this solution could result in MORE emails being hacked MORE OFTEN. Allow me to explain.
If a hacker were to retrieve some emails before the DKIM key was made public, they could then sign their hacked emails with their own timestamped signature, proving that they are in fact authentic (since the signed timestamp shows that they were retrieved before the DKIM key was released).
Therefore, by rotating the DKIM keys "every few weeks" you are giving the would-be hackers a deadline to retrieve the target emails - a few weeks - which could lead to hackers preemptively hacking as many possibly useful accounts as possible (not just the ones they know they want at a given moment), every few weeks.
If crackers could justify the resources, they would already now be doing more cracking. It's not like they can just scale their operations ten times all else staying equal. The proposed change in key rotation and publication makes fresh mails only more valuable relative to old messages, not more valuable in general.
If we're looking at cracking-activities from an economic point of view, publishing DKIM keys makes the cracking harder:
1. More accounts need to be cracked fast
2. Timestamped signatures must be published in a timely way
3. Results must be stored until they become useful
These things not only increase cracking expenses, they also increase the threat of detection.
Your threat model appears to be that most email providers are hacked a substantial percent of the time, right? What defenses of anything are going to work with that threat model?
You don't necessarily have to hack the provider. You can hack the user's laptop and siphon the data out of their email client. If they use a web client, you can read the files it caches. Or maybe you can set up IMAP and have your malware read a copy of everything. To the email provider, all of this just looks like the user is reading their email.
It's interesting that he asks for this solution but not the more easy to implement solution to the other side of the problem (which you can do if you run your own server): remove the DKIM signatures upon delivery to your inbox. Google can just add in a tag in their database that says "this message was verified". Or at least make it an option for users if they want that ability.
In the case of Podesta, the emails were stolen from his gmail account. If the headers weren't there, the messages would have been unverifiable.
This would break a cool indieweb "hack" with DKIM - webfistbump, which lets folks participate in webfinger even if their email provider doesn't support webfinger, like gmail:
He should be complaining to the standards bodies. DKIM keys should expire like most other asymmetric cryptosystems. There will always need to be backward compatibility, but then it's your fault if you're using outdated software or not using a major mail provider (who would very certainly support the new standard). Directing this complaint to one company seems bizarre because most people who care about this kind of thing aren't using Gmail to begin with.
It seems like this would also be useful for proving contracts/statements over email in business law. While it may not have been designed for this purpose (and there could still be claims that the sending account was hacked, unlike a personal GPG key which identifies the individual rather than the infrastructure), it seems to be a pretty good thing to have.
Meta: HN should enforce post size minimums on contentious topics like this. Basically every long post is a sincere perspective from the author trying to convey their viewpoint, and 9/10 of the short posts is reddit/twitter level snark like "Translation: You're a dictator-wannabe"
The persons used as examples for justification for publishing and rolling DKIM are exactly the kind of people whom I do not want to have the benefit of repudiation. If they did something bad, it's in the public interest to prove so.
I've responded to a subcomment below explaining why "emails from politicians must be leakable" is not a good argument against the author's case.
That said, I think this would be problematic on some levels not being considered. A good part of the world's email infrastructure is decentralized, and doesn't run on providers who update software well and often. If Google were to publish their keys after rotation, a new class of attacks could emerge where attackers could successfully forge authentic emails from Google that would look secure to an outdated provider. Nigerian prince 2.0 if you will.
Decentralization is one of email's biggest strengths. I agree with the premise here, but I don't think the solution is to publish keys. Perhaps moving to a protocol that explicitly provides non-repudiation while keeping backwards compatibility would work.
Can you point to any specific examples of systems that report DKIM signing status but fail to check the validity state of a DKIM signing key? That seems like an extraordinarily unlikely set of circumstances.
Meanwhile, the IETF is speccing more messaging protocols with non-repudiation and HN users seem to be cheering that shortcoming along: https://news.ycombinator.com/item?id=25100316
I think it's kind of unfortunate that there are many people that suddenly care when its powerful people or their families that are getting caught out by DKIM, these aren't the people who need protection from it the most. No one would even care if the Hunter Biden related emails passed DKIM except for the widespread allegation that they were fake, and no one still cares because conversation about them passing DKIM is widely suppressed (including on HN, unfortunately, where a post about it was immediately flagged). Oh well, I suppose it's like when the ACLU used to defend awful speech for the sake of defending free speech because those were the cases available which could make an impact.
Unfortunately publishing DKIM secret keys only goes so far towards avoiding accidental non-repudiation: Recipients can cryptographically timestamp the signatures before the keys are published. ... and doing so already makes sense independent of DKIM. In fact, one of the ways that the public was able to prove that the outdated google DKIM key was a real key was that we were able to find cryptographically timestampped google signed emails from back when that key was still in use.
Better than key publication is to avoid having a non-repudiateable stamp to begin with. This is much easier in the context of end-to-end two-party interactive protocols, but I believe is still possible for multiparty protocols.
The analog for DKIM wouldn't work so well unfortunately, because DKIM isn't end to end. E.g. DKIM could be changed so that the signature demonstrated that either the sending server or the recipient server signed the message-- this would be just as good for anti-spam, but really wouldn't improve the non-repudiation in most cases. Contrast that with applying the same approach to end-to-end messaging, where it gives you pretty strong non-repudiation.
I think you are missing part of the irony here. A good number of those Hillary emails should have been on a government server in the first place, signed for entirety by the government for archival. Non-repudiation is an explicit design goal for the communication of public officials.
I think you're confused. Very few Clinton emails were ever leaked or released. The major leak people like to talk about was of John Podesta's emails. Podesta was a private employee of the Clinton campaign, he never worked at the state department. And of course being the campaign manager, having his email be provided by a government agency would have been a huge campaign finance violation to begin with.
> No one would even care if the Hunter Biden related emails passed DKIM except for the widespread allegation that they were fake, and no one still cares because conversation about them passing DKIM is widely suppressed (including on HN, unfortunately, where a post about it was immediately flagged).
Uh... no RFC822 headers from the Hunter Biden emails were ever released, certainly none with a passing DKIM signature. I read that Post article with a microscope. This never happened.
And in fact, the transparent truth that these appeared to LACK the trivially producible authentication layer is one of the big reasons that the more right-leaning entities among the tech community stayed far away from this subject.
Interesting, thanks. Odd that this data was never part of the published record from the Post, and that Graham's source is apparently secret? Curious what you make of that? If the Post had it, they'd surely have released it. I guess it's sort of academic at this point, but it does point to a few different actors pushing this story in different directions.
> If the Post had it, they'd surely have released it.
It's extremely rare for journalists in traditional media to publish email headers, even when people are accusing messages of being inauthentic and the DKIM would go a long way towards certifying them and when people are begging for them. I think I'm aware of only one other instance, though I've personally begged journalists for headers multiple times even in some cases where I was a subject of the article and not some random nobody.
From the perspective of protecting sources it's probably good advice to avoid publishing any kind of opaque header-stuff. But also, most readers wouldn't know what to do with the information and -- less charitably-- publishing evidence moves away from the framework where readers accept the reporters word on blind faith.
Your position was entirely understandable: I declined to link to the repo or the two flagged HN threads about it, though I considered it, because I thought it would increase the risk that my comment would get flagged. I think your reply had the surprising consequence of making a really good example at how effective the suppression of info like this is at distorting the public discourse.
I PREFER my politicians email to be unmasked. I don't care if it's Hillary or Donald. All of this should be publicly available in a democracy. Keeping the keys secret preserves history
even after spending countless hours configuring SMTP, SSL, TLS, SPF, DMARC, DKIM, IP address pools, white/blacklists, etc. there is still a 99% chance secure, authorised, authenticated, "signed", sealed email will be delivered to a spam folder
I like the idea of non-repudiation, let the chips fall where they may when such authentic email is maliciously dumped.
Perhaps a simple timestamped based appendage can be added for the sake of email client authentication. In other words reject the email if the signature is older than a few hours/minutes.
Only the recipient has access to the DKIM signatures. If something is politically worth leaking then it's worth signing and time-stamping. At least then there's no question that it's the legitimate email and not falsified.
I think there's an angle to the plausible deniability that many people are missing.
Email servers get hacked all the time, right? A disgusting amount. Its almost like security is really difficult; in fact, its difficult to secure both the emails and the DKIM private keys. They're usually on the same server, after all.
If a DKIM private key gets hacked, and the world relies on DKIM to provide non-repudiation in the verification of email leaks, then a hacker who obtains someone's DKIM private key could forge an email to contain any content they want, sign it with that private key, then leak that. The world says "its DKIM validated, Trump really did kill a litter of puppies twelve years ago", Trump tries to say "no, my email server was hacked, i never did that but they got my DKIM key" and who the hell would believe him? The headlines have already been written, and the argument against it is some crazy technical terminology a hundredth a percent of the population actually understands?
Ok, well, maybe you should rotate DKIM keys. Not necessarily make the private portion public, but at least rotate them and totally destroy the old private keys. But, again, if an email server is misconfigured enough to leak data, then its likely the admin is incompetent enough to also not be rotating keys. Moreover, unauthorized access to a server could happen over a period of years, during which hackers collect the rotated DKIM private keys while letting the admins think they're being deleted correctly.
The problem here isn't really DKIM; its the public's perception of what it was designed for. Technologists invented something, journalists discovered it, read a wikipedia article, and thought "woah we could use X for Y". So, I think it makes sense that we need a big name like Google to come out and say "Stop, this is not what this was designed for, it has major limitations in being used for that, and we're talking about real-world consequences like ruining potentially innocent peoples' lives."
If everyone had a proper understanding of email and was not dumb enough to send out secrets via email, or to at least encrypt the content of those emails...then nobody would believe such a leak to be plausible.
> And it happened again this year, when the recipients of an alleged “Hunter Biden laptop” provided a single 2015 email to Rob Graham for DKIM verification
I contacted Bruce Schneier a few days back and he claimed that Robert Graham is lying and that this was fabricated, in addition that one is unable to establish the integrity and authenticity of a message by using DKIM.
I personally think that if Bruce Schneier is wrong and one is indeed able to establish the integrity and authenticity of a message by using DKIM then it is useful for the one receiving the message to prove to others that the mail indeed came the one who sent them the message. Consider a harassing email or a promise for example.
As we head into the post-truth era, we already know videos are going to become far less trusted due to deep fake tech. Finding grains of truth through cryptography, like DKIM, is so refreshing that it hurts to think some people want to cripple it.
The Hunter Biden email is a good example.
I initially thought it was a garbage tabloid drop, but once I read Rob Graham's analysis, it felt very refreshing to have a real nugget of truth based on math. While the context of that content is up for debate, the truth was essentially undeniable (unless you subscribe to the 2016 private key being stolen).
The Hunter Biden email is a terrible example. It's very likely that what's been found on "Hunter Biden's" laptop is just hacked material which has been stuffed on a laptop to disguise the original source of the breach. In this case the DKIM signatures are being used to lend credibility to the story that the laptop was mysteriously left in repair shop, never to be reclaimed.
DKIM is not meant to validate conversations, it's meant to validate single messages for the purposes of spam prevention. Just because I can cryptographically validate selectively chosen messages from someone's mailbox, I don't have any proof that the conversation happened as presented.
There's a good reason why eliminating non-repudiation has been a goal of messaging protocols since OTR in 2004.
It's not farfetched to believe a crack-addicted wealthy individual who seemed to live a very "promiscuous" lifestyle, would have forgotten some cheap laptop at a repair shop. These people are humans, at the end of the day.
Yes, it is far-fetched given that the story doesn't add up. Also, cocaine isn't known to cause people to suddenly become poor thinkers. I've seen this narrative pushed multiple times that somehow him doing cocaine made him fly across country and drop off his laptop to a blind computer repair shop owner and leave it there with sensitive information on it which was verified by a blind man with his signature, which was then turned over to Rudy Gulliani because he was concerned about the material.
I personally am absolutely confident that every email I sent during college and my adolescence would merely shine brighter light on the perfection of my soul. It sounds like the rest of you should probably have behaved better.
Have most people here lost there mind? We are pro-fascism now?
What right does Google have to force this onto us. If I want it, I'll chose it.
The idea I consented because the information was there somewhere and I should have know the complexities is as BS as hidden terms and conditions.
What annoys me is if you're pro fascism and want to force tracking onto people, just say it. But stupidity about how this isn't totalitarian is unforgivable. I have a right not to be tracked.
What motivation would Google have to pay any attention to this request?
The only one I can imagine is that Google wants to get some positive PR out of it. Other than that it seems to me like Google will just ignore this as they ignore anything else they don't see as in their benefit to exert effort on.
I agree with the author but would Google have reasons to keep a copy of the private key? Is it possible that they have deliberately destroyed it?
P.S. This brought back memories. To anyone unaware of this, read about Pizzagate. You'll find that it has supposedly been debunked as a "conspiracy theory"... except for the emails which we know are legit.
What would that accomplish though for either side?
Have the signatures been validated? You don't need the private key to do so.
Assuming the keys are valid; either the emails are real, or
the keys were stolen and the emails forged.
I suppose if keys are released it gives plausible deniability for any leaked emails that occur AFTER the key release. So I can see why people sending incriminating emails would support this.
This is false. The article pointed to DKIM being used for journalistic verification for multiple parties (persons and organizations) across the political spectrum. It's not salty or overtly political.
DKIM secrets should also be added to GDPR-dump/export, and releasing keys in the same way after a while. Would make imports into other services possible, by trusting the legitimacy of export.
One thing that Google publishing their DKIM rotated keys is take fake news to a new level.
Basically anybody could use those signing keys to fake email from a politician or celebrity. Imagine the headlines “Celebrity X account hacked, here are the emails, cryptographically verified by Google”
Of course, informed people will know that anybody could have faked them, but I would guess normal people would be fooled. In addition, there is no way to say the emails are definitely fake. At least now, we can tell between actual leaked emails and fake emails.
> Of course, informed people will know that anybody could have faked them, but I would guess normal people would be fooled. In addition, there is no way to say the emails are definitely fake. At least now, we can tell between actual leaked emails and fake emails.
No, you can't. Google used to use 512- and 1024-bit RSA keys for DKIM signatures, both of which are comfortably within the means of small-to-medium-sized nation states. They currently use 2048-bit keys, which will probably be crackable within the next decade.
DKIM is providing a false sense of non-repudiation here, one that it was never designed (much less correctly implemented) to provide.
If Google did rotate the keys, it's quite likely some enterprising people would log observed keys. With access to a log of keys (that you don't believe has been tampered with) then rotating keys doesn't prevent non-repudation.
An alternative would be for email servers to strip the DKIM headers on inbound emails after recording that the email was validated. The email stored at rest then no longer provides non-repudation. Nothing is stopping you doing this today.
I'm not a fan of offloading that trust onto my email host. Not that I validate dkim headers, but the fact that I have access to them keeps my email host honest.
It seems to me that especially when an elected official has something they don't want others to know about that it should be public knowledge.
After all an efficient marketplace only is efficient if all actors have access to as much information as possible.
EDIT: As a follow up, several people point out that it could happen to me or a family member, but this seems even further reason to have DKIM so that if someone attempts to blackmail me based on the contents of my email, checking the DKIM signature makes it even easier to disprove a bad blackmail attempt.