IETF Logo Mail Archive

Re: [dane] OPENPGP --- Privacy considerations

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 01 August 2015 16:37 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C31A21A0025 for <dane@ietfa.amsl.com>; Sat, 1 Aug 2015 09:37:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHonx7b48raa for <dane@ietfa.amsl.com>; Sat, 1 Aug 2015 09:37:20 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA8D51A0011 for <dane@ietf.org>; Sat, 1 Aug 2015 09:37:19 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 8FE3A284D64; Sat, 1 Aug 2015 16:37:18 +0000 (UTC)
Date: Sat, 01 Aug 2015 16:37:18 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150801163718.GC4347@mournblade.imrryr.org>
References: <1437580854.052529954@apps.rackspace.com> <814D0BFB77D95844A01CA29B44CBF8A7015D2DD4@lhreml504-mbs> <4FEE7B8C-F482-4FB8-824E-26B26D30BAD7@powerdns.com> <20150731182209.GB18811@sys4.de> <000601d0cc2d$3c8c80e0$b5a582a0$@rozanak.com> <20150801131604.GC18811@sys4.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150801131604.GC18811@sys4.de>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/IJlWg73R4phqdUhj_NRQSMt4E88>
Subject: Re: [dane] OPENPGP --- Privacy considerations
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Aug 2015 16:37:21 -0000

On Sat, Aug 01, 2015 at 03:16:04PM +0200, Florian Kirstein wrote:

> Did you read my full email? Thats EXACTLY what I wrote in a later
> paragraph. And it's the reason I wrote I vote for sha. And even would
> prefer iterations there %) And see the risk of rainbow tables used
> to reverse those.

My original proposal that introduced hashes for the local part
suggested hashing the full email address to help thwart rainbow
tables.  That was not accepted, because it does not support domain
equivalence via DNAME aliases.  And we've failed to reach consensus
on even a single layer of hashing just the local part.  There is,
however reluctant, some consensus around base32.

No matter what storage encoding of the localpart is used, a passive
wiretap will reveal the domain of each correspondent's key lookup,
and whether that correspondent is new or one that was looked up
previously.  This is inherent in using a cleartext DNS query
protocol.

How important is support for such equivalent domains, relative to
potential privacy gains?  There is no privacy for lookups of DNS
data, until the transmission channel is somehow encrypted, but even
then, unless your local resolver avoids forwarding all queries to
the ISP, the ISP resolver has the plaintext of all DNS queries.

There was some recent discussion of

    https://tools.ietf.org/html/draft-moore-email-addrquery-01

on the IETF UTA list.  As written in that draft the MSA learns the
plaintext of all key lookups, but this is not a data leak, because
in short order the MSA will see the envelope of the final outbound
message.  With STARTTLS on increasingly more SMTP hops, localpart
data is modestly well protected (passive wiretaps may be able to
distinguish between long and short envelope recipient addresses
based on the sizes of TLS packets unless random padding is used to
extend such packets to hide the plaintext length).

Protection from traffic analysis requires Tor (or better).

So trade-offs are inevitable, and evidently make reaching consensus
difficult.

In the UTA discussion, I am running into irrational fear of DNSSEC,
and I think an unreasonable goal of eliminating the MSA as a trusted
party.  Always using the MSA as a proxy would I believe significantly
improve the scalability and abuse resistane of the protocol.
Without the complexity of end-to-end payload signing, the MSA would
need to be trusted.  It may be possible to add end-to-end signing,
but not clear how without DANE publishing the signing keys, and
stapled DANE responses between MUA and MSA.

Given the clear DNSSEC animus of at least some of the parties, I
don't see a way forward that avoids compromising at least one of
the objectives.  Time will tell...

These are not easy to solve problems.  If someone thinks they have
a simple solution that does not compromise on any of the design
goals, they're probably not thinking hard enough.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email