= DebianParl used by Greens/EFA =

Pilot project about trusted email.

== Project ==

Project is deployed by the [[https://www.greens-efa.eu|Greens/EFA]] coalition at the [[http://www.europarl.europa.eu/|European Parliament]], in collaboration with DG-ITEC (institutional sysadmins) and DebianParl developers.

10 parliamentary workers - politically elected and staffers - are equipped with a laptop running the email profile of DebianParl, and guided in using its security features to establish trusted communication.

== Challenges ==

=== Internet ===

No internet connection is offered at all for user-trusted computers.

DG-ITEC standard procedures exclude Linux (even the Ubuntu systems they support themselves), and proposed extraordinary procedures involve applying secret tasks while in DG-ITEC possession.

DG-ITEC offers these types of network access:

 * Wired
  . ethernet plugs may only be used for institutionally controlled machines
 * [[http://epfsug.eu/wws/arc/epfsug/2014-02/msg00057.html|EP-GUEST wifi]]
  . requires either certificate or credentials
  . current certificate issuing procedure explicitly excludes Linux
  . certificate-based access only permitted for parliamentary workers
  . certificate not given to user, only "activated" directly by DG-ITEC themselves using secret steps
  . credentials-based access has a lifespan of the "visit" - i.e. intended only for others than parliamentary workers
 * EP-PRIVATE wifi
  . requires certificate
  . current certificate issuing procedure explicitly excludes Linux
  . possibly not connected to internet

Ideal would be that DG-ITEC drops access control on EP-GUEST (and treats it equal to alien networks as anti-spoofing measure).

Workarounds:

 1. Participants use EP-GUEST, with certificate exceptionally passed as a plain file to the user by DG-ITEC.
 2. Participants use non-parliamentary internet providers (e.g. via cellphone or nearby cafe).

=== Email ===

Parliamentary email account is unusable for trusted email.

DG-ITEC considers it a security risk to offer open email standards accessible from outside the European Parliament.

DG-ITEC offers personal email for parliamentary workers:

 * Email accounts are served using Microsoft Exchange
  . Proprietary protocols are ordinarily enabled
  . Open standard protocols SMTP and IMAP exist but are ordinarily disabled

Ideal would be that DG-ITEC enables open standard IMAP and SMTP protocols ordinarily (and requires open standard TLS protocol for security).

Workarounds:

 1. Participants use parliamentary address, via SMTP and IMAP exceptionally enabled by DG-ITEC.
 2. Participants use non-parliamentary address.

=== Mailinglists ===

Parliamentary email account is unusable with ordinary mailinglists.

DG-ITEC treats ordinary mailinglists as spoofing: it drops mails originating from their domain and redistributed back to the same domain.

Ideal would be that DG-ITEC would respect envelope sender (i.e. disregard "From:" in email itself) as documented in [[https://tools.ietf.org/html/rfc5321#section-3.9|RFC 5321 section 3.9]].

Workarounds:

 1. DG-ITEC exceptionally exempts email addresses of pilots from their strong anti-spoofing filter.
 2. Participants use non-parliamentary address.
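
The difference between the two filter rules discussed under Mailinglists, as an added example (not DG-ITEC's or DebianParl's code). The domain names, list address and messages are constructed placeholders, and the two rule functions are hypothetical simplifications of a real filter.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "parliament.example"  # constructed placeholder for the protected domain

def domain_of(address):
    """Return the lowercased domain part of an address, or "" if there is none."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def header_rule(envelope_from, raw_message):
    """Behaviour the page describes: judge inbound mail by its "From:" header."""
    sender = message_from_string(raw_message).get("From", "")
    return "drop" if domain_of(sender) == LOCAL_DOMAIN else "accept"

def envelope_rule(envelope_from, raw_message):
    """Behaviour the page asks for: judge inbound mail by the SMTP envelope sender."""
    return "drop" if domain_of(envelope_from) == LOCAL_DOMAIN else "accept"

# Constructed samples: (SMTP MAIL FROM, message as received from outside).
SAMPLES = {
    # A list redistributes a local user's post: the list owns the envelope sender.
    "list_post": ("parl-user-bounces@lists.example.org",
                  "From: Alice <alice@parliament.example>\n"
                  "To: parl-user@lists.example.org\n"
                  "List-Id: <parl-user.lists.example.org>\n"
                  "Subject: workshop notes\n\nSee you there.\n"),
    # An outside host claims a local address in the envelope itself.
    "local_envelope": ("bob@parliament.example",
                       "From: Bob <bob@parliament.example>\n"
                       "To: carol@parliament.example\n"
                       "Subject: hello\n\nHi.\n"),
    # Ordinary external mail.
    "external": ("dave@elsewhere.example",
                 "From: Dave <dave@elsewhere.example>\n"
                 "To: carol@parliament.example\n"
                 "Subject: hello\n\nHi.\n"),
}

def compare():
    """Return {sample: (header_rule verdict, envelope_rule verdict)}."""
    return {name: (header_rule(*m), envelope_rule(*m)) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:15} header={verdicts[0]:6} envelope={verdicts[1]}")
```

Only the list post is treated differently: the header rule drops it, while the envelope rule accepts it and still drops mail whose envelope sender claims the local domain.
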
== Timeline ==

 * July 2015: Greens/EFA 4th workshop (no public record)
 * October 2014: Greens/EFA [[https://lists.alioth.debian.org/pipermail/parl-user/Week-of-Mon-20141013/000106.html|dinner with Daniel Kahn Gillmor]]
 * July 2014: Greens/EFA [[http://lists.alioth.debian.org/pipermail/parl-user/Week-of-Mon-20140707/000088.html|3rd workshop]]
 * May 2014: Greens/EFA [[http://lists.alioth.debian.org/pipermail/parl-user/Week-of-Mon-20140505/000042.html|2nd workshop]]
 * March 2014: intro workshops [[http://www.epfsug.eu/content/trust-your-friends|hosted by EPFSUG]] and [[http://www.greens-efa.eu/greensefa-4th-document-freedom-day-in-the-european-parliament-open-standards-in-the-field-of-encryption-11942.html|hosted by Greens/EFA]]
 * January 2014: List of project participants compiled
 * December 2013: Greens/EFA [[https://www.greens-efa.eu/software-procurement-11372.html|formally]] announces pilot project
 * July 2013: Greens/EFA leader Rebecca Harms [[http://icg.greens-efa.org/pipermail/hub/2014-January/000095.html|suggests internally]] to start using email encryption
 * April 2013: DebianParl project launched by Greens/EFA employee [[http://erikjosefsson.eu/|Erik Josefsson]] and Debian developer [[JonasSmedegaard|Jonas Smedegaard]]
 * November 2012: EP employees learn that DG-ITEC-provided desktop computers are not allowed to run Ubuntu
 * April 2011: [[http://epfsug.eu/list-members-or-supporters-and-their-statements|EPFSUG supporter]] Jonatan Walck presents [[http://epfsug.eu/sites/default/files/tmail.pdf|TMail]] as workaround for proprietary email protocols

== Pending ==

DebianParl (now):

 * Refine project documentation

Greens/EFA pilots with laptop (now):

 * Find time to explore basic email, and share experiences at parl-user list

Greens/EFA pilots lacking laptop (now):

 * Find time to meet and get an introduction to the laptop

Greens/EFA pilots not subscribed to mailinglist (now):

 * Subscribe to parl-user list (or inform discreetly if not interested in subscribing)

DG-ITEC (now):

 * Avoid silently dropping mail sent via proxy services (e.g. mailinglists)
 * Issue certificates for EP wifi network for participants
 * Enable IMAP protocol for participants

== Curiosa ==

https://xkcd.com/1181/