Differences between revisions 30 and 31
Revision 30 as of 2014-03-04 08:47:06
Size: 4754
Comment: refine wording regarding mail handling.
Revision 31 as of 2014-03-04 08:47:54
Size: 4755
Comment: fix typo

DebianParl used by Greens/EFA

Pilot project about trusted email.

Project

Project is deployed by the Greens/EFA coalition at the European Parliament, in collaboration with DG-ITEC (institutional sysadmins) and DebianParl developers.

10 parliamentary workers (elected politicians and staffers) are equipped with a laptop running the email profile of DebianParl, and are guided in using its security features to establish trusted communication.

Challenges

Internet

No internet connection is ordinarily available for user-trusted computers.

DG-ITEC in principle supports Linux, but completely lacks procedures for doing so (even for the Ubuntu systems it supports itself).

DG-ITEC offers these types of network access:

  • Wired
    • ethernet plugs may only be used for institutionally controlled machines
  • EP-guest wifi
    • requires either certificate or credentials
    • certificate-based access only permitted for parliamentary workers
    • credentials-based access only permitted for others than parliamentary workers
  • EP-PRIVATE wifi
    • requires certificate
    • current certificate issuing procedure explicitly excludes Linux.
  • (EP-EXT wifi)
    • requires password (email account credentials or temporary guest credentials)
    • temporarily turned off as reaction to a recent spoofing attack

Ideally, DG-ITEC would turn on EP-EXT wifi with no access control (and treat it the same as any foreign network, as an anti-spoofing measure).

Workarounds:

  1. Participants use EP-guest, with certificate issued ordinarily by DG-ITEC.
  2. Participants use EP-PRIVATE, with certificate issued exceptionally by DG-ITEC.
  3. Participants use non-parliamentary internet providers (e.g. via cellphone or nearby cafe).

Email

Parliamentary email account is unusable for trusted email.

DG-ITEC considers it a security risk to offer open email standards accessible from outside the European Parliament.

DG-ITEC offers personal email for parliamentary workers:

  • Email accounts are served using Microsoft Exchange
    • Proprietary protocols are ordinarily enabled
    • Open standard protocols SMTP and IMAP exist but are ordinarily disabled

Ideally, DG-ITEC would enable the open-standard IMAP and SMTP protocols by default (and require the open-standard TLS protocol for security).

Workarounds:

  1. Participants use parliamentary address, via SMTP and IMAP exceptionally enabled by DG-ITEC.
  2. Participants use non-parliamentary address.

Mailinglists

Parliamentary email account is unusable with ordinary mailinglists.

DG-ITEC treats ordinary mailinglists as spoofing: it drops mail that originates from its own domain and is redistributed back to the same domain.

Ideally, DG-ITEC would respect the envelope sender (i.e. disregard the "From:" header in the email itself), as documented in RFC 5321 section 3.9.
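As an added example (not DebianParl or DG-ITEC code), the two filtering rules side by side: the behaviour described above, which judges the visible "From:" header, and the RFC 5321 section 3.9 approach, which judges the SMTP envelope sender. It runs both over two constructed messages; the domain names are placeholders, and both rules are assumed to apply only to mail arriving from outside the institution.

```python
"""Spoofing check on the SMTP envelope sender vs. the From: header (added
example, not project code; domains are constructed placeholders)."""
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "parliament.example"  # placeholder for the institution's domain


def domain_of(address: str) -> str:
    """Lower-cased domain part of a mail address ('' if it has none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_from_check(_envelope_sender: str, raw_message: str) -> bool:
    """Rule the page describes: flag external mail whose visible From: header
    carries our own domain. Posts relayed by a mailing list are dropped too."""
    return domain_of(message_from_string(raw_message)["From"]) == OWN_DOMAIN


def envelope_check(envelope_sender: str, _raw_message: str) -> bool:
    """RFC 5321 section 3.9 rule: judge on the reverse-path (MAIL FROM). A
    compliant list rewrites it to its own bounce address, so relayed posts
    pass, while external mail whose envelope claims our domain is flagged."""
    return domain_of(envelope_sender) == OWN_DOMAIN


# Constructed sample: a member's post redistributed by an external list.
LIST_ENVELOPE = "debianparl-bounces@lists.example.org"
LIST_MESSAGE = ("From: Member <member@parliament.example>\n"
                "To: debianparl@lists.example.org\n"
                "Subject: workshop\n\nSee you Tuesday.\n")

# Constructed sample: mail from outside whose envelope claims our own domain.
DIRECT_ENVELOPE = "someone@parliament.example"
DIRECT_MESSAGE = ("From: Someone <someone@parliament.example>\n"
                  "To: member@parliament.example\n"
                  "Subject: test\n\nHello.\n")


def verdict(check, envelope_sender: str, raw_message: str) -> str:
    """'drop' or 'accept' for one message under one rule."""
    return "drop" if check(envelope_sender, raw_message) else "accept"


if __name__ == "__main__":
    for label, env, raw in (("list post", LIST_ENVELOPE, LIST_MESSAGE),
                            ("direct mail", DIRECT_ENVELOPE, DIRECT_MESSAGE)):
        print(f"{label:12} header-From: {verdict(header_from_check, env, raw):6}"
              f" envelope: {verdict(envelope_check, env, raw)}")
```

Only the header-based rule drops the relayed list post; both rules drop the direct message whose envelope claims the institution's domain.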

Workarounds:

  1. Participants use non-parliamentary address.
  2. Participants use a non-standard mailinglist, specially designed to get past the parliamentary mail system.

Timeline

Pending

DebianParl (now):

  • Invite participants to mailinglists and intro workshops
  • Refine project documentation
  • Prepare intro workshop
  • Refine automated install

Greens/EFA (now):

  • Buy laptops for participants

DG-ITEC (now):

  • Stop silently dropping mail sent via proxy services (e.g. mailinglists)
  • Issue certificates for EP wifi network for participants
  • Enable IMAP protocol for participants