Re: [Acme] I-D Action: draft-ietf-acme-email-smime-06.txt

"A. Schulze" <sca@andreasschulze.de> Sun, 03 November 2019 11:03 UTC

Return-Path: <sca@andreasschulze.de>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDDA0120110 for <acme@ietfa.amsl.com>; Sun, 3 Nov 2019 03:03:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=andreasschulze.de header.b=xIoS1yF3; dkim=pass (2048-bit key) header.d=andreasschulze.de header.b=wD7MDnSc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GibrT-_Olbh3 for <acme@ietfa.amsl.com>; Sun, 3 Nov 2019 03:03:19 -0800 (PST)
Received: from mta.somaf.de (mta.somaf.de [IPv6:2001:470:77b3:103::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5537D1200E5 for <acme@ietf.org>; Sun, 3 Nov 2019 03:03:19 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=andreasschulze.de; i=@andreasschulze.de; q=dns/txt; s=ed25519; t=1572778995; h=from : subject : to : references : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding : from; bh=+ZXDlqBAhd8K/0WfDCO5gtN3MJ6IWOKQs9E1/SZv9dU=; b=xIoS1yF3nhzUSgiUdnMvoKScD5LaJtdvD1kGfcRXRiKJ0SThjAWE6hBy ea6b1QiMHoRa/LUioMMGGP+E/AS5DQ==
From: "A. Schulze" <sca@andreasschulze.de>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=andreasschulze.de; s=201910-51C84578; t=1572778995; x=1577778995; bh=+ZXDlqBAhd8K/0WfDCO5gtN3MJ6IWOKQs9E1/SZv9dU=; h=From:Subject:To:References:Message-ID:Date:MIME-Version: In-Reply-To:Content-Type:Content-Transfer-Encoding:autocrypt:cc: content-transfer-encoding:content-type:date:from:in-reply-to: message-id:mime-version:openpgp:references:subject:to; b=wD7MDnScMdow9mYLB3Kjn6iv9B29ekUjITniGBG7iUu5tCE3rrN4FKUPs9hcRJNft iJJLJFKW9BtwG0YxSQYuSWegLmKk/13yIagsS6CrNbrNuYbrwDq4hmSW96fEa/ckhX A5+tR8KuC9D9V8xwWHkcWCGNradYcw1fByCsslE0BqX41RXIs2pWjtzgpJ6nzXObeQ AneAX/Sk3K2HzlQ2jE/ua86rTP7+1xsFuORZno+he7YGqoZdvNdBOk6piMRjEsVkuz GDLmE3PicpscTORyDwX1rIMGITt02SbKnZqNrROxqiiU0s4aNaAQAdLvrhjXcDZrso YcH3k0y2p5R3Q==
To: acme@ietf.org
References: <157263269426.31940.7170436071805504773@ietfa.amsl.com>
Message-ID: <58702a20-3ab5-de9e-56ae-1c8eb17042eb@andreasschulze.de>
Date: Sun, 03 Nov 2019 12:02:31 +0100
MIME-Version: 1.0
In-Reply-To: <157263269426.31940.7170436071805504773@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/JqvyD7H8MCyyjx57B1WbjKLq674>
Subject: Re: [Acme] I-D Action: draft-ietf-acme-email-smime-06.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2019 11:03:22 -0000


Am 01.11.19 um 19:24 schrieb internet-drafts@ietf.org:
>       Title           : Extensions to Automatic Certificate Management Environment for end user S/MIME certificates
>       Author          : Alexey Melnikov
> 	Filename        : draft-ietf-acme-email-smime-06.txt
> 	Pages           : 10
> 	Date            : 2019-11-01

Hello,

I'v noticed this version enhance the number of header fields MUST be covered by DKIM.
But some of us may be are aware of "Breaking DKIM - on Purpose and by Chance" [1] published in 2017.

To mitigate such attacks it would be helpful to REQUIRE header fields also can't be added.
see https://tools.ietf.org/html/rfc6376#section-3.5, definition of h= and
INFORMATIVE EXPLANATION + NOTE

Andreas

[1] https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html