DebianParl used by Greens/EFA
Pilot project about trusted email.
Project
Project is deployed by the Greens/EFA coalition at the European Parliament, in collaboration with DG-ITEC (institutional sysadmins) and DebianParl developers.
10 parliamentary workers - politically elected and staffers - are equipped with a laptop running the email profile of DebianParl, and guided in using its security features to establish trusted communication.
Challenges
Internet
No internet connection is ordinarily available for user-trusted computers.
DG-ITEC in principle supports Linux, but completely lacks procedures to do so (even for the Ubuntu systems they support themselves).
DG-ITEC offers these types of network access:
- Wired
- ethernet plugs may only be used for institutionally controlled machines
- EP-guest wifi
- requires either certificate or credentials
- certificate-based access only permitted for parliamentary workers
- credentials-based access only permitted for others than parliamentary workers
- EP-PRIVATE wifi
- requires certificate
- current certificate issuing procedure explicitly excludes Linux.
- (EP-EXT wifi)
- requires password (email account credentials or temporary guest credentials)
- temporarily turned off as reaction to a recent spoofing attack
Ideal would be that DG-ITEC turns on EP-EXT wifi with no access control (and treats it equal to alien networks as anti-spoofing measure).
Workarounds:
- Participants use EP-guest, with certificate issued ordinarily by DG-ITEC.
- Participants use EP-PRIVATE, with certificate issued exceptionally by DG-ITEC.
- Participants use non-parliamentary internet providers (e.g. via cellphone or nearby cafe).
Parliamentary email account is unusable for trusted email.
DG-ITEC considers it a security risk to offer open email standards accessible from outside the European Parliament.
DG-ITEC offers personal email for parliamentary workers:
- Email accounts are served using Microsoft Exchange
- Proprietary protocols are ordinarily enabled
- Open standard protocols SMTP and IMAP exist but are ordinarily disabled
Ideal would be that DG-ITEC enables open standard IMAP and SMTP protocols ordinarily (and requires open standard TLS protocol for security).
Workarounds:
- Participants use parliamentary address, via SMTP and IMAP exceptionally enabled by DG-ITEC.
- Participants use non-parliamentary address.
Mailinglists
Parliamentary email account is unusable with ordinary mailinglists.
DG-ITEC treats ordinary mailinglists as spoofing: Drops mails originating from their domain and redistributed back to same domain.
Ideal would be that DG-ITEC would respect envelope sender (i.e. disregard "From:" in email itself) as documented in RFC 5321 section 3.9.
Workarounds:
- Participants use non-parliamentary address.
- Participants use non-standard mailinglist, exceptionally designed to cheat Parliamentary postal system.
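The difference between the two filtering choices described above, as an added example that is not part of the DebianParl project or of DG-ITEC's configuration. The domain names, addresses and function names are hypothetical placeholders, and both filters are simplified models.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL = "parliament.example"  # placeholder domain, not the real one

def domain_of(address):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()

def header_from_filter(mail_from, raw, arrived_from_outside):
    """Model of the described behaviour: decide on the From: header."""
    header_from = message_from_string(raw)["From"]
    if arrived_from_outside and domain_of(header_from) == INTERNAL:
        return "drop"
    return "accept"

def envelope_filter(mail_from, raw, arrived_from_outside):
    """Model of the suggested behaviour: decide on the SMTP envelope sender."""
    if arrived_from_outside and domain_of(mail_from) == INTERNAL:
        return "drop"
    return "accept"

# Constructed sample: a list redistributes a member's post. The From: header
# is unchanged, the envelope sender is the list's own bounce address.
LIST_COPY = (
    "From: Staffer <staffer@parliament.example>\n"
    "To: discuss@lists.example.org\n"
    "List-Id: <discuss.lists.example.org>\n"
    "Subject: agenda\n"
    "\n"
    "See you Tuesday.\n"
)
LIST_ENVELOPE = "discuss-bounces@lists.example.org"
INTERNAL_ENVELOPE = "staffer@parliament.example"

def compare():
    """Verdicts (header filter, envelope filter) for mail arriving from outside."""
    cases = {"list copy": LIST_ENVELOPE,
             "internal envelope from outside": INTERNAL_ENVELOPE}
    return {name: (header_from_filter(env, LIST_COPY, True),
                   envelope_filter(env, LIST_COPY, True))
            for name, env in cases.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Only the list copy is treated differently: the header-based model drops it, while the envelope-based model accepts it and still drops outside mail whose envelope sender claims the internal domain.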
Timeline
March 2014: intro workshops on the 5th (hosted by EPFSUG) and the 26th (hosted by Greens/EFA)
January 2014: List of project participants compiled
December 2013: Greens/EFA formally announces pilot project
July 2013: Greens/EFA leader Rebecca Harms suggests internally to start using email encryption
April 2013: DebianParl project launched by Greens/EFA employee Erik Josefsson and Debian developer Jonas Smedegaard
[FIXME: when?]: EP employees start using Debian [FIXME: or Ubuntu?] on EP desktop
April 2011: EPFSUG supporter Jonatan Walck presents TMail as workaround for proprietary email protocols
Pending
DebianParl (now):
- Invite participants to mailinglists and intro workshops
- Refine project documentation
- Prepare intro workshop
- Refine automated install
Greens/EFA (now):
- Buy laptops for participants
DG-ITEC (now):
- Fix: avoid silently dropping mail sent via proxy services (e.g. mailinglists)
- Issue certificates for EP wifi network for participants
- Enable IMAP protocol for participants