Differences between revisions 41 and 42
Revision 41 as of 2014-05-10 06:50:57
Size: 5287
Editor: ErikJosefsson
Comment: adding link to 2nd workshop announcement
Revision 42 as of 2014-05-10 07:19:40
Size: 5277
Comment: Relax timeline entry: the _announcement_ of a meeting is too granular for aim of timeline (just used as reference for the broader event of meeting itself).
Line 83: Line 83:
 * May 2014: Greens/EFA [[http://lists.alioth.debian.org/pipermail/parl-user/Week-of-Mon-20140505/000042.html|2nd workshop announced]]  * May 2014: Greens/EFA [[http://lists.alioth.debian.org/pipermail/parl-user/Week-of-Mon-20140505/000042.html|2nd workshop]]

DebianParl used by Greens/EFA

Pilot project about trusted email.

Project

The project is deployed by the Greens/EFA coalition at the European Parliament, in collaboration with DG-ITEC (the institutional sysadmins) and DebianParl developers.

10 parliamentary workers (elected members and staffers) are equipped with a laptop running the email profile of DebianParl, and are guided in using its security features to establish trusted communication.

Challenges

Internet

No internet connection is offered at all for user-trusted computers.

DG-ITEC's standard procedures exclude Linux (even the Ubuntu systems they support themselves), and the proposed extraordinary procedures involve applying secret steps while the machine is in DG-ITEC's possession.

DG-ITEC offers these types of network access:

  • Wired
    • ethernet plugs may only be used for institutionally controlled machines
  • EP-GUEST wifi
    • requires either a certificate or credentials
    • the current certificate issuing procedure explicitly excludes Linux
    • certificate-based access is only permitted for parliamentary workers
    • the certificate is not given to the user, only "activated" directly by DG-ITEC themselves using secret steps
    • credentials-based access has the lifespan of a "visit", i.e. it is intended only for people other than parliamentary workers
  • EP-PRIVATE wifi
    • requires a certificate
    • the current certificate issuing procedure explicitly excludes Linux
    • possibly not connected to the internet

Ideally, DG-ITEC would drop access control on EP-GUEST (and treat it the same as foreign networks, as an anti-spoofing measure).

Workarounds:

  1. Participants use EP-GUEST, with the certificate exceptionally passed to the user as a plain file by DG-ITEC.
  2. Participants use non-parliamentary internet providers (e.g. via cellphone or a nearby cafe).

Email

The parliamentary email account is unusable for trusted email.

DG-ITEC considers it a security risk to offer open email standards accessible from outside the European Parliament.

DG-ITEC offers personal email for parliamentary workers:

  • Email accounts are served using Microsoft Exchange
    • Proprietary protocols are ordinarily enabled
    • Open standard protocols SMTP and IMAP exist but are ordinarily disabled

Ideally, DG-ITEC would enable the open-standard IMAP and SMTP protocols by default (and require the open-standard TLS protocol for security).

Workarounds:

  1. Participants use their parliamentary address, via SMTP and IMAP exceptionally enabled by DG-ITEC.
  2. Participants use non-parliamentary address.

Mailinglists

The parliamentary email account is unusable with ordinary mailing lists.

DG-ITEC treats ordinary mailing lists as spoofing: it drops mail that originates from its own domain and is redistributed back to the same domain.

Ideally, DG-ITEC would respect the envelope sender (i.e. disregard the "From:" header in the email itself), as documented in RFC 5321 section 3.9.

Workarounds:

  1. DG-ITEC exceptionally exempts the email addresses of pilot participants from its strong anti-spoofing filter.
  2. Participants use non-parliamentary address.
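The following is an added example, not code from the DebianParl project or from this page. It contrasts the filter behaviour the page describes (judging the header "From:" address) with the one it proposes (judging the RFC 5321 envelope sender, which a mailing list rewrites to its own bounce address per RFC 5321 section 3.9) over a few constructed messages. The domains, addresses and IP addresses are placeholders invented for the example, not the real institutional ones, and the set of "internal relays" is an assumption standing in for however the institution recognises its own mail servers.

```python
# Added example, not code from the DebianParl project or the wiki page.
# Contrasts the anti-spoofing policy the page reports (judging header From:)
# with the one it proposes (judging the RFC 5321 envelope sender, MAIL FROM).
# Domains, addresses and IPs are constructed placeholders.
from email import message_from_string, policy
from email.utils import parseaddr

OWN_DOMAIN = "europarl.example"      # assumed institutional domain (placeholder)
INTERNAL_RELAYS = {"192.0.2.10"}     # assumed institution-side MTA address(es)

# Constructed traffic: name -> (envelope MAIL FROM, connecting client IP, raw RFC 5322 message)
SAMPLES = {
    # A member mailing a colleague through the institution's own relay.
    "internal": (
        "mep@europarl.example", "192.0.2.10",
        "From: MEP <mep@europarl.example>\r\nTo: staff@europarl.example\r\n"
        "Subject: internal\r\n\r\nhello\r\n",
    ),
    # The same member's post redistributed by an external list.  Per RFC 5321
    # section 3.9 the list replaced the envelope sender with its own bounce
    # address; the header From: still names the original author.
    "list_relay": (
        "parl-user-bounces@lists.example", "198.51.100.5",
        "From: MEP <mep@europarl.example>\r\nTo: parl-user@lists.example\r\n"
        "Subject: [parl-user] question\r\n\r\nhello list\r\n",
    ),
    # An outside host presenting the institutional domain in envelope and header.
    "envelope_spoof": (
        "mep@europarl.example", "203.0.113.7",
        "From: MEP <mep@europarl.example>\r\nTo: staff@europarl.example\r\n"
        "Subject: urgent\r\n\r\nplease reply\r\n",
    ),
    # An outside host with a foreign envelope sender but an institutional header From:.
    "header_only_spoof": (
        "someone@outside.example", "203.0.113.7",
        "From: MEP <mep@europarl.example>\r\nTo: staff@europarl.example\r\n"
        "Subject: urgent\r\n\r\nplease reply\r\n",
    ),
}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def header_from_policy(envelope_from: str, client_ip: str, raw: str) -> str:
    """Policy the page reports: a message whose header From: claims OWN_DOMAIN
    but arrives from outside the institution's relays is treated as spoofing."""
    msg = message_from_string(raw, policy=policy.default)
    if domain_of(str(msg["From"])) == OWN_DOMAIN and client_ip not in INTERNAL_RELAYS:
        return "drop"
    return "accept"


def envelope_policy(envelope_from: str, client_ip: str, raw: str) -> str:
    """Policy the page proposes: judge only the envelope sender (MAIL FROM),
    which a conforming list rewrites to its own address, and ignore header From:."""
    if domain_of(envelope_from) == OWN_DOMAIN and client_ip not in INTERNAL_RELAYS:
        return "drop"
    return "accept"


def evaluate(policy_fn) -> dict:
    """Run one policy over every sample; returns {sample name: verdict}."""
    return {name: policy_fn(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for fn in (header_from_policy, envelope_policy):
        print(fn.__name__, evaluate(fn))
```

Each policy misclassifies exactly one of the constructed cases: the header-From rule drops the list relay (the problem the page describes), while the envelope-only rule accepts the message whose envelope is foreign but whose header From: names the institution. That second gap is what DKIM signing and DMARC alignment of the header From: domain are designed to cover, alongside SPF, which checks the envelope sender.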

Timeline

Pending

DebianParl (now):

  • Refine project documentation

Greens/EFA pilots with laptop (now):

  • Find time to explore basic email, and share experiences on the parl-user list

Greens/EFA pilots lacking laptop (now):

  • Find time to meet and get an introduction to the laptop

Greens/EFA pilots not subscribed to mailinglist (now):

  • Subscribe to the parl-user list (or say so discreetly if not interested in subscribing)

DG-ITEC (now):

  • Avoid silently dropping mail sent via proxy services (e.g. mailing lists)
  • Issue certificates for the EP wifi network to participants
  • Enable the IMAP protocol for participants

Curiosa

https://xkcd.com/1181/