IETF Logo Mail Archive

Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-email-smime-10: (with DISCUSS and COMMENT)

Alexey Melnikov <alexey.melnikov@isode.com> Thu, 05 November 2020 11:04 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 583ED3A0E80; Thu, 5 Nov 2020 03:04:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.346
X-Spam-Level:
X-Spam-Status: No, score=-2.346 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DVTGjfpgJYl; Thu, 5 Nov 2020 03:04:12 -0800 (PST)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id 593B43A0E7E; Thu, 5 Nov 2020 03:04:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1604574251; d=isode.com; s=june2016; i=@isode.com; bh=WL5PWEPUIsQQkL7CEdtMP8B0KBmH+OlfP1XoaZesCKA=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=ErfzvPevy9qB1vnshyB3JYHkOyo5123LFqh8o1weGONkoApq8kfcSdNWr+lIinsA7StViD pNjySMn2LL7v6jHp9XiANqJytZ93rcmWTtVXQDYBQTKlC3IA1z4lmCJe35D0zPk+ILsbN3 s1vDaFGF1rCC4bBEVUzUD2rUBFGmhCA=;
Received: from [192.168.1.222] (host5-81-100-6.range5-81.btcentralplus.com [5.81.100.6]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <X6PcKQB1e2VK@statler.isode.com>; Thu, 5 Nov 2020 11:04:10 +0000
To: Barry Leiba <barryleiba@computer.org>
Cc: The IESG <iesg@ietf.org>, "Salz, Rich" <rsalz@akamai.com>, acme@ietf.org, draft-ietf-acme-email-smime@ietf.org, acme-chairs@ietf.org
References: <160390414669.4316.7078245483813646358@ietfa.amsl.com> <9d1f51f3-838c-cf5b-c05b-5a1e53ace5d7@isode.com> <CALaySJL_rB_-ZktZtUHn+9k_czkrhrXh7AXoBuL7h+FwAiV4OQ@mail.gmail.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <565e6077-ece3-0726-8858-4ee10cf01bd0@isode.com>
Date: Thu, 05 Nov 2020 11:03:46 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0
In-Reply-To: <CALaySJL_rB_-ZktZtUHn+9k_czkrhrXh7AXoBuL7h+FwAiV4OQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/U_3jg0enHEYd1DeF2gOB_cbjHCI>
Subject: Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-email-smime-10: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2020 11:04:14 -0000

Hi Barry,

On 29/10/2020 21:33, Barry Leiba wrote:

> Hi, Alexey, and thanks for the response.  You responded to the first
> message, rather than to the second, so you didn't pick up my first
> DISCUSS point, repeated here:
>
>> I question why this is Informational, and the shepherd writeup doesn't really
>> explain it.  I get that this fills a gap, and that the working group wants to
>> see this adopted.  I don't get why, therefore, you aren't proposing a standard
>> here.  What is the point of making this Informational, and not Proposed
>> Standard... or Experimental, if you're less sure of whether it will work as
>> expected?
When asked in the WG there was not enough support to make it a Proposed 
Standard, in particular due to CA requirements for S/MIME evolving 
outside of IETF. The rest is above my paygrade, I am afraid. I just want 
this this to be published :-).

> To the other points:
>
>>> DISCUSS: That said, I don’t understand the need to specifically allow UTF-8
>>> here.  If the subject only contains “ACME:”, FWS, and a base64 string, it will
>>> always be ASCII.  Why are we talking about UTF-8 at all?
>> The idea is to be as compatible with existing software (e.g. MUAs and
>> web mail clients). I did some tests and some implementations
>> unconditionally use UTF-8 charset label even if the data is purely
>> ASCII. Thus the text above.
> OK, I guess that's not a problem.  I might prefer a SHOULD for ASCII,
> or some such, and inclusion of an explanation that ASCII is all that's
> needed, and that UTF-8 is permitted only for compatibility.  Please
> consider that, but this item is no longer at a DISCUSS level: we've
> had the discussion.
Ok, I will add SHOULD for US-ASCII. Thank you for the discussion.
>>>          The message MUST also pass
>>>          DMARC validation [RFC7489], which implies DKIM and SPF validation
>>>          [RFC7208].
>>>
>>> Two things here, which apply to bullet 9 in Section 3.2 also:
>>>
>>> 1. DMARC does not imply DKIM *and* SPF validation: DMARC uses DKIM *or* SPF to
>>> do Identifier Alignment.
>> Sloppy wording on my part. Would something like "which implies
>> compliance with DKIM [ref] and SPF [ref]" work better?
> I think that "which implies validation of DKIM or SPF" is accurate and
> better.  In any case, definitely "or", not "and".  But that's only if
> we keep the DMARC bit, which is a more important discussion.
>
>>> 2. I have an issue with requiring the use of DMARC at this point, as it’s
>>> specified only in an Informational document in the Independent stream.
>> This is an Informational document on IETF stream, so the bar is already
>> pretty low ;-). Besides you know that that DMARC itself is being revised.
> That speaks to my first DISCUSS point, at the top of this message, and
> is something we need to talk about.  Apart from that, if you want to
> wait for the DMARC revision as Proposed Standard, sure.  I'm very much
> not happy building standards around what we know to be a problematic,
> non-standard protocol that we're working on revising.

No, I am really not happy with waiting for DMARC process to be finished.

>>> In any
>>> case, what’s the point of requiring DMARC?  It seems to me that the
>>> authentication you need is provided by DKIM or S/MIME; what do you need from
>>> DMARC?
>> We can't use S/MIME, as the whole point of this document is to get an
>> S/MIME certificate.
> Umm...
>
>     5.  In order to prove authenticity of a challenge message, it MUST be
>         either DKIM [RFC6376] signed or S/MIME [RFC8551] signed.
>
> ...so you are using S/MIME signing.

I might have got myself confused here, because there is assymetry here. 
S/MIME can be used for ACME challenges, but it can't be used for ACME 
responses.

>> I suppose just requiring DKIM is fine, but properly configured SPF will
>> get an extra assurance that the domain owner has a properly (securely,
>> for some definition of securely) configured email system. So I am open
>> to suggestions.
> You haven't answered what you're trying to get from DMARC.  You can
> say that the message has to be signed.  Doesn't that accomplish what
> you need?  It seems to me that what DMARC provides beyond that is
> Identifier Alignment and sender policy checking, which don't seem to
> provide anything you need for this protocol.
I want identifier alignment for sure. Policy checking not so much.
> I'd like to understand
> why the protocol needs them, or what else it is that it needs from
> DMARC.  I don't see why you get any benefit from SPF either -- in
> conjunction with DKIM, SPF is only useful in cases where the DKIM
> signature is broken -- so let's include that in the discussion as
> well.

Actually, if DKIM signature is fine, but SPF is broken, this is still a 
reason to suspect that something is not right.

But I think I will let go of SPF and will remove DMARC/SPF. I will cut & 
paste specific text about identifier alignment into my draft.

>>>          The "Auto-Submitted" header field SHOULD
>>>          include the "type=acme" parameter.
>>>
>>> Why not MUST?  What are the consequences of not doing this, and why might it be
>>> hard to?
>> This is for backward compatibility with existing email/web mail clients.
>> I don't really know how hard it would be for existing clients to have an
>> extra parameter there.
>>
>> Its presence would really help in debugging, but nothing should break if
>> it is absent.
> If the parameter is just to help debugging, then maybe just say that
> as an explanation for the SHOULD?:
>
> NEW
>        The "Auto-Submitted" header field SHOULD include
>        the "type=acme" parameter to aid in debugging.
> END
I used a version of your text.
>>>      5.  The In-Reply-To: header field SHOULD be set to the Message-ID
>>>          header field of the challenge message according to rules in
>>>          Section 3.6.4 of [RFC5322].
>>>
>>> As with an earlier comment: Why is this SHOULD and not MUST?
>> Because some email clients wouldn't set it and I would like to achieve
>> highest compatibility with deployed MUA/web mail base.
> Keeping in mind that this is a non-blocking comment... I'm never happy
> when we waffle because we think implementations won't do it.  Either
> we want this there for a good reason, or we don't... if we do, it
> should be a MUST, and everyone knows that won't be thrown in jail for
> not doing it.  If we leave it as SHOULD, I think we should explain
> that better.
>
> The bottom line, I guess, is this: why do we want it there?  Does it
> improve interoperability, security, usability, or debugging?
It would improve usability/debugging and ability to use other protocols 
(like IMAP and Sieve) to automate processing.
> If so,
> can we explain that so there's useful context?  If it doesn't, then
> maybe it should just be "should", rather than "SHOULD"?
>
>>>      8.  There is no need to use any Content-Transfer-Encoding other than
>>>          7bit for the text/plain body part, however use of Quoted-
>>>          Printable or base64 is not prohibited in a "response" email
>>>          message.
>>>
>>> Is the “is not prohibited” meant to discourage it?  If so, that should be done
>>> more directly.
>> I would like to, but I don't control when MUAs/web mail would apply CTE
>> to the body, thus the above text.
> If you'd like to discourage it, we can do that without being too
> strong.  Maybe something like this?:
>
> NEW
>     8.  There is no need to use any Content-Transfer-Encoding other than
>          7bit for the text/plain body part.  Use of Quoted-Printable or base64
>          in a "response" email message is not necessary and should be avoided,
>          though it is permitted.
> END
I used your new text, thank you.
>>> The example body contains a “.”, which is not a valid base64url character.
>> It is JWS, which contains a dot.
> I'm confused, then.  The text says that it's "one or more line
> containing the base64url-encoded SHA-256 digest [FIPS180-4] of the key
> authorization".
>
> How can that contain a dot?  The key authorization might, but then you
> make a digest of it and encode the digest, and that encoded blob can't
> contain a dot, right?  What am I missing (just hit me over the head;
> it's OK).
I will come back to you on this.
> Again, thanks for the response, and I look forward to continuing the
> discussion.  :-)
>
> Barry

v2.23.0 | Report a Bug | By Email