Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-email-smime-10: (with DISCUSS and COMMENT)
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 05 November 2020 11:04 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 583ED3A0E80; Thu, 5 Nov 2020 03:04:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.346
X-Spam-Level:
X-Spam-Status: No, score=-2.346 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DVTGjfpgJYl; Thu, 5 Nov 2020 03:04:12 -0800 (PST)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id 593B43A0E7E; Thu, 5 Nov 2020 03:04:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1604574251; d=isode.com; s=june2016; i=@isode.com; bh=WL5PWEPUIsQQkL7CEdtMP8B0KBmH+OlfP1XoaZesCKA=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=ErfzvPevy9qB1vnshyB3JYHkOyo5123LFqh8o1weGONkoApq8kfcSdNWr+lIinsA7StViD pNjySMn2LL7v6jHp9XiANqJytZ93rcmWTtVXQDYBQTKlC3IA1z4lmCJe35D0zPk+ILsbN3 s1vDaFGF1rCC4bBEVUzUD2rUBFGmhCA=;
Received: from [192.168.1.222] (host5-81-100-6.range5-81.btcentralplus.com [5.81.100.6]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <X6PcKQB1e2VK@statler.isode.com>; Thu, 5 Nov 2020 11:04:10 +0000
To: Barry Leiba <barryleiba@computer.org>
Cc: The IESG <iesg@ietf.org>, "Salz, Rich" <rsalz@akamai.com>, acme@ietf.org, draft-ietf-acme-email-smime@ietf.org, acme-chairs@ietf.org
References: <160390414669.4316.7078245483813646358@ietfa.amsl.com> <9d1f51f3-838c-cf5b-c05b-5a1e53ace5d7@isode.com> <CALaySJL_rB_-ZktZtUHn+9k_czkrhrXh7AXoBuL7h+FwAiV4OQ@mail.gmail.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <565e6077-ece3-0726-8858-4ee10cf01bd0@isode.com>
Date: Thu, 05 Nov 2020 11:03:46 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0
In-Reply-To: <CALaySJL_rB_-ZktZtUHn+9k_czkrhrXh7AXoBuL7h+FwAiV4OQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/U_3jg0enHEYd1DeF2gOB_cbjHCI>
Subject: Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-email-smime-10: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2020 11:04:14 -0000
Hi Barry, On 29/10/2020 21:33, Barry Leiba wrote: > Hi, Alexey, and thanks for the response. You responded to the first > message, rather than to the second, so you didn't pick up my first > DISCUSS point, repeated here: > >> I question why this is Informational, and the shepherd writeup doesn't really >> explain it. I get that this fills a gap, and that the working group wants to >> see this adopted. I don't get why, therefore, you aren't proposing a standard >> here. What is the point of making this Informational, and not Proposed >> Standard... or Experimental, if you're less sure of whether it will work as >> expected? When asked in the WG there was not enough support to make it a Proposed Standard, in particular due to CA requirements for S/MIME evolving outside of IETF. The rest is above my paygrade, I am afraid. I just want this this to be published :-). > To the other points: > >>> DISCUSS: That said, I don’t understand the need to specifically allow UTF-8 >>> here. If the subject only contains “ACME:”, FWS, and a base64 string, it will >>> always be ASCII. Why are we talking about UTF-8 at all? >> The idea is to be as compatible with existing software (e.g. MUAs and >> web mail clients). I did some tests and some implementations >> unconditionally use UTF-8 charset label even if the data is purely >> ASCII. Thus the text above. > OK, I guess that's not a problem. I might prefer a SHOULD for ASCII, > or some such, and inclusion of an explanation that ASCII is all that's > needed, and that UTF-8 is permitted only for compatibility. Please > consider that, but this item is no longer at a DISCUSS level: we've > had the discussion. Ok, I will add SHOULD for US-ASCII. Thank you for the discussion. >>> The message MUST also pass >>> DMARC validation [RFC7489], which implies DKIM and SPF validation >>> [RFC7208]. >>> >>> Two things here, which apply to bullet 9 in Section 3.2 also: >>> >>> 1. DMARC does not imply DKIM *and* SPF validation: DMARC uses DKIM *or* SPF to >>> do Identifier Alignment. >> Sloppy wording on my part. Would something like "which implies >> compliance with DKIM [ref] and SPF [ref]" work better? > I think that "which implies validation of DKIM or SPF" is accurate and > better. In any case, definitely "or", not "and". But that's only if > we keep the DMARC bit, which is a more important discussion. > >>> 2. I have an issue with requiring the use of DMARC at this point, as it’s >>> specified only in an Informational document in the Independent stream. >> This is an Informational document on IETF stream, so the bar is already >> pretty low ;-). Besides you know that that DMARC itself is being revised. > That speaks to my first DISCUSS point, at the top of this message, and > is something we need to talk about. Apart from that, if you want to > wait for the DMARC revision as Proposed Standard, sure. I'm very much > not happy building standards around what we know to be a problematic, > non-standard protocol that we're working on revising. No, I am really not happy with waiting for DMARC process to be finished. >>> In any >>> case, what’s the point of requiring DMARC? It seems to me that the >>> authentication you need is provided by DKIM or S/MIME; what do you need from >>> DMARC? >> We can't use S/MIME, as the whole point of this document is to get an >> S/MIME certificate. > Umm... > > 5. In order to prove authenticity of a challenge message, it MUST be > either DKIM [RFC6376] signed or S/MIME [RFC8551] signed. > > ...so you are using S/MIME signing. I might have got myself confused here, because there is assymetry here. S/MIME can be used for ACME challenges, but it can't be used for ACME responses. >> I suppose just requiring DKIM is fine, but properly configured SPF will >> get an extra assurance that the domain owner has a properly (securely, >> for some definition of securely) configured email system. So I am open >> to suggestions. > You haven't answered what you're trying to get from DMARC. You can > say that the message has to be signed. Doesn't that accomplish what > you need? It seems to me that what DMARC provides beyond that is > Identifier Alignment and sender policy checking, which don't seem to > provide anything you need for this protocol. I want identifier alignment for sure. Policy checking not so much. > I'd like to understand > why the protocol needs them, or what else it is that it needs from > DMARC. I don't see why you get any benefit from SPF either -- in > conjunction with DKIM, SPF is only useful in cases where the DKIM > signature is broken -- so let's include that in the discussion as > well. Actually, if DKIM signature is fine, but SPF is broken, this is still a reason to suspect that something is not right. But I think I will let go of SPF and will remove DMARC/SPF. I will cut & paste specific text about identifier alignment into my draft. >>> The "Auto-Submitted" header field SHOULD >>> include the "type=acme" parameter. >>> >>> Why not MUST? What are the consequences of not doing this, and why might it be >>> hard to? >> This is for backward compatibility with existing email/web mail clients. >> I don't really know how hard it would be for existing clients to have an >> extra parameter there. >> >> Its presence would really help in debugging, but nothing should break if >> it is absent. > If the parameter is just to help debugging, then maybe just say that > as an explanation for the SHOULD?: > > NEW > The "Auto-Submitted" header field SHOULD include > the "type=acme" parameter to aid in debugging. > END I used a version of your text. >>> 5. The In-Reply-To: header field SHOULD be set to the Message-ID >>> header field of the challenge message according to rules in >>> Section 3.6.4 of [RFC5322]. >>> >>> As with an earlier comment: Why is this SHOULD and not MUST? >> Because some email clients wouldn't set it and I would like to achieve >> highest compatibility with deployed MUA/web mail base. > Keeping in mind that this is a non-blocking comment... I'm never happy > when we waffle because we think implementations won't do it. Either > we want this there for a good reason, or we don't... if we do, it > should be a MUST, and everyone knows that won't be thrown in jail for > not doing it. If we leave it as SHOULD, I think we should explain > that better. > > The bottom line, I guess, is this: why do we want it there? Does it > improve interoperability, security, usability, or debugging? It would improve usability/debugging and ability to use other protocols (like IMAP and Sieve) to automate processing. > If so, > can we explain that so there's useful context? If it doesn't, then > maybe it should just be "should", rather than "SHOULD"? > >>> 8. There is no need to use any Content-Transfer-Encoding other than >>> 7bit for the text/plain body part, however use of Quoted- >>> Printable or base64 is not prohibited in a "response" email >>> message. >>> >>> Is the “is not prohibited” meant to discourage it? If so, that should be done >>> more directly. >> I would like to, but I don't control when MUAs/web mail would apply CTE >> to the body, thus the above text. > If you'd like to discourage it, we can do that without being too > strong. Maybe something like this?: > > NEW > 8. There is no need to use any Content-Transfer-Encoding other than > 7bit for the text/plain body part. Use of Quoted-Printable or base64 > in a "response" email message is not necessary and should be avoided, > though it is permitted. > END I used your new text, thank you. >>> The example body contains a “.”, which is not a valid base64url character. >> It is JWS, which contains a dot. > I'm confused, then. The text says that it's "one or more line > containing the base64url-encoded SHA-256 digest [FIPS180-4] of the key > authorization". > > How can that contain a dot? The key authorization might, but then you > make a digest of it and encode the digest, and that encoded blob can't > contain a dot, right? What am I missing (just hit me over the head; > it's OK). I will come back to you on this. > Again, thanks for the response, and I look forward to continuing the > discussion. :-) > > Barry
- [Acme] Barry Leiba's Discuss on draft-ietf-acme-e… Barry Leiba via Datatracker
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Alexey Melnikov
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Barry Leiba
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Alexey Melnikov
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Alexey Melnikov
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Barry Leiba