DebianParl used by Greens/EFA
Pilot project about trusted email.
Project
The project is deployed by the Greens/EFA coalition at the European Parliament, in collaboration with DG-ITEC (the institutional sysadmins) and DebianParl developers.
Ten parliamentary workers - elected members and staffers - are equipped with a laptop running the email profile of DebianParl, and are guided in using its security features to establish trusted communication.
Challenges
Internet
No internet connection is offered at all for user-trusted computers.
DG-ITEC standard procedures exclude Linux (even the Ubuntu systems they support themselves), and the proposed extraordinary procedures involve applying secret steps to the machine while it is in DG-ITEC's possession.
DG-ITEC offers these types of network access:
- Wired
- ethernet plugs may only be used for institutionally controlled machines
- EP-GUEST wifi
- requires either a certificate or credentials
- current certificate issuing procedure explicitly excludes Linux.
- certificate-based access is only permitted for parliamentary workers
- the certificate is not given to the user, only "activated" directly by DG-ITEC themselves using secret steps
- credentials-based access has the lifespan of the "visit" - i.e. it is intended only for people other than parliamentary workers
- EP-PRIVATE wifi
- requires a certificate
- current certificate issuing procedure explicitly excludes Linux.
- possibly not connected to the internet
Ideal would be that DG-ITEC drops access control on EP-GUEST (and treats it the same as any external network, which is the proper anti-spoofing measure).
Workarounds:
- Participants use EP-GUEST, with the certificate exceptionally handed to the user as a plain file by DG-ITEC.
- Participants use non-parliamentary internet providers (e.g. via cellphone or a nearby cafe).
The parliamentary email account is unusable for trusted email.
DG-ITEC considers it a security risk to offer open email standards that are accessible from outside the European Parliament.
DG-ITEC offers personal email for parliamentary workers:
- Email accounts are served using Microsoft Exchange
- Proprietary protocols are enabled by default
- The open standard protocols SMTP and IMAP exist but are disabled by default
Ideal would be that DG-ITEC enables the open standard IMAP and SMTP protocols by default (and requires the open standard TLS protocol for transport security).
Workarounds:
- Participants use their parliamentary address, via SMTP and IMAP exceptionally enabled by DG-ITEC.
- Participants use a non-parliamentary address.
Mailinglists
The parliamentary email account is unusable with ordinary mailinglists.
DG-ITEC treats ordinary mailinglists as spoofing: mail originating from their domain and redistributed back to the same domain is dropped.
Ideal would be that DG-ITEC respects the envelope sender (i.e. disregards the "From:" header inside the message itself) as documented in RFC 5321 section 3.9.
Workarounds:
- DG-ITEC exceptionally exempts the email addresses of pilot participants from their strict anti-spoofing filter
- Participants use a non-parliamentary address.
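The point about the envelope sender can be made concrete. The following is an added example written for this page (it is not DebianParl code, and it is not DG-ITEC's actual filter, whose rules are not public): it models a list expansion as RFC 5321 section 3.9.2 describes it (the list starts a new transaction with its own reverse-path and leaves the message's From: header alone), then runs a constructed message through two toy border filters, one keyed on the From: header and one keyed on the envelope MAIL FROM. The domains, addresses and message are hypothetical.

```python
"""Envelope sender versus header From: on a mailing list.

Added example for this page; not DebianParl or DG-ITEC code.
All addresses, domains and the sample message are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

PARL_DOMAIN = "parl.example"           # hypothetical institutional domain
LIST_DOMAIN = "lists.example"          # hypothetical external list host
LIST_ADDR = f"parl-user@{LIST_DOMAIN}"
LIST_BOUNCE = f"parl-user-bounces@{LIST_DOMAIN}"

# Constructed sample: an insider posts to a list hosted outside the institution.
ORIGINAL_MESSAGE = f"""\
From: Alice <alice@{PARL_DOMAIN}>
To: {LIST_ADDR}
Subject: test from inside
Message-ID: <1@{PARL_DOMAIN}>

hello list
"""


def domain_of(addr):
    """Lower-cased domain part of an address, with any display name stripped."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def header_from(raw):
    """The From: header of a message given as text."""
    return message_from_string(raw)["From"]


def redistribute(raw, list_addr, list_bounce):
    """Model a list expansion per RFC 5321 section 3.9.2.

    The list opens a new SMTP transaction whose reverse-path (envelope
    MAIL FROM) is the list's own bounce address; the message's From:
    header is left untouched.  Returns (envelope_from, message_text).
    """
    msg = message_from_string(raw)
    msg["List-Id"] = f"<{list_addr.replace('@', '.')}>"
    msg["Sender"] = list_bounce
    return list_bounce, msg.as_string()


def header_based_filter(envelope_from, raw, local_domain):
    """Border filter keyed on the From: header (the behaviour the page
    describes): mail arriving from outside is rejected whenever its From:
    header claims the local domain.  Returns True if accepted."""
    return domain_of(header_from(raw)) != local_domain


def envelope_based_filter(envelope_from, raw, local_domain):
    """Border filter keyed on the envelope sender (the reverse-path of RFC
    5321): mail arriving from outside is rejected whenever MAIL FROM claims
    the local domain.  Returns True if accepted."""
    return domain_of(envelope_from) != local_domain


def classify(envelope_from, raw, local_domain):
    """Verdicts of both filters for one message arriving from an external host."""
    return {
        "header_based": header_based_filter(envelope_from, raw, local_domain),
        "envelope_based": envelope_based_filter(envelope_from, raw, local_domain),
    }


def demo():
    """Three constructed deliveries to the institution's border MX."""
    # 1. Legitimate list redistribution of an insider's post.
    env, relayed = redistribute(ORIGINAL_MESSAGE, LIST_ADDR, LIST_BOUNCE)
    list_mail = classify(env, relayed, PARL_DOMAIN)
    # 2. Plain envelope forgery: an outside host claims a local MAIL FROM.
    envelope_forgery = classify(f"alice@{PARL_DOMAIN}", ORIGINAL_MESSAGE, PARL_DOMAIN)
    # 3. Header-only forgery: external MAIL FROM, local From: header.  The
    #    envelope rule accepts this; stopping it needs From:-aligned
    #    authentication (DMARC), which is a separate mechanism.
    header_forgery = classify("attacker@evil.example", ORIGINAL_MESSAGE, PARL_DOMAIN)
    return list_mail, envelope_forgery, header_forgery


if __name__ == "__main__":
    for name, verdict in zip(("list", "envelope forgery", "header forgery"), demo()):
        print(f"{name:17s} {verdict}")
```

Running it shows the trade-off in one table: the header-based rule drops the list traffic and both forgeries alike, while the envelope-based rule lets list traffic through and still stops envelope forgery. What neither rule catches is a forged From: header on an external envelope; that is the case DMARC-style alignment exists for, and it is why "respect the envelope sender" is the right rule for the spoofing check the page complains about, not a complete anti-phishing control on its own.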
Timeline
- May 2014: Greens/EFA 2nd workshop
- March 2014: intro workshops, the 5th hosted by EPFSUG and the 26th hosted by Greens/EFA
- January 2014: List of project participants compiled
- December 2013: Greens/EFA formally announces the pilot project
- July 2013: Greens/EFA leader Rebecca Harms suggests internally to start using email encryption
- April 2013: DebianParl project launched by Greens/EFA employee Erik Josefsson and Debian developer Jonas Smedegaard
- November 2012: EP employees learn that DG-ITEC provided desktop computers are not allowed to run Ubuntu
- April 2011: EPFSUG supporter Jonatan Walck presents TMail as a workaround for proprietary email protocols
Pending
DebianParl (now):
- Refine project documentation
Greens/EFA pilots with laptop (now):
- Find time to explore basic email, and share experiences on the parl-user list
Greens/EFA pilots lacking laptop (now):
- Find time to meet and get an introduction to the laptop
Greens/EFA pilots not subscribed to mailinglist (now):
- Subscribe to the parl-user list (or say so discreetly if not interested in subscribing)
DG-ITEC (now):
- Stop silently dropping mail relayed via proxy services (e.g. mailinglists)
- Issue certificates for the EP wifi network to participants
- Enable the IMAP protocol for participants