Re: [Endymail] Improvements to S/MIME

Wei Chuang <weihaw@google.com> Mon, 15 September 2014 08:51 UTC

In-Reply-To: <CAMm+LwivBifWKYMDBDocr4LCH40iVgP4zE2xXgEfkrb4bpN+Nw@mail.gmail.com>
References: <CAAFsWK0VtnVvKwvkC1kjK+yKORkADVW1cKDx7nQ1fxA=dpZeTQ@mail.gmail.com> <87sijvmmo5.fsf@vigenere.g10code.de> <CAMm+LwivBifWKYMDBDocr4LCH40iVgP4zE2xXgEfkrb4bpN+Nw@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
Date: Mon, 15 Sep 2014 01:50:51 -0700
Message-ID: <CAAFsWK0aTJAJF0wqEGCvEK6BJkKZZGVueJ7W56WHefh7O09xJQ@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/endymail/nMr-uH_eMVFX6GZe6EP8W2p0FH8
Cc: Werner Koch <wk@gnupg.org>, endymail <endymail@ietf.org>
Subject: Re: [Endymail] Improvements to S/MIME

On Sat, Sep 13, 2014 at 11:46 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:

> On Sat, Sep 13, 2014 at 1:54 PM, Werner Koch <wk@gnupg.org> wrote:
> > On Fri, 12 Sep 2014 19:48, weihaw@google.com said:
> >
> >> 1) S/MIME doesn't fully protect users' mail envelope metadata.  For example
> >> the recipient and envelope-sender must be visible to the intermediate SMTP
> >
> > If you want that, it is easy to put the message into a message/rfc822
> > mail container and use faked subject and other mailer header.
>
> Again there is a difference between what you can do and a standard.
>
> I think that 80% of what we need to do could be done in a profile of
> S/MIME that says stuff like
>
> * MUST support AES-128, AES-256
> * MUST support [choose order of encrypt + sign]
> * MUST support domain level certs for end entity
> * MUST support message/rfc822 encrypted payload
>
> What we need to add on top is really not so difficult:
>
> * Mechanism for discovering recipient encryption preference, format
> support (PGP/SMIME), algorithm support and encryption key
> * Mechanism for direct trust, aka key fingerprint
> * Mechanism for private key maintenance
>

It occurs to me that acceptable X509 certificate profiles could be another,
i.e. does the recipient require
- CA path constraints
- support certain revocation methods
- accepted x509 versions, signature algorithm+keylength
- accepted root CAs
etc.

-Wei
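
A sketch of the recipient certificate profile suggested in the message above, as an added example that is not part of the original post or of any S/MIME specification. The field names, the profile structure and the sample values are all hypothetical, and "CA path constraints" is interpreted here as a cap on intermediate CAs.

```python
from dataclasses import dataclass

@dataclass
class CertSummary:            # hypothetical: fields pulled from a sender's chain
    x509_version: int
    sig_alg: str
    key_bits: int
    intermediates: int        # CAs between root and end entity
    root_id: str              # identifier of the chain's root (placeholder values)
    revocation: frozenset     # methods the chain offers, e.g. {"crl", "ocsp"}

@dataclass
class RecipientProfile:       # hypothetical: what a recipient would publish
    min_version: int
    min_key_bits: dict        # accepted signature algorithm -> minimum key length
    max_intermediates: int
    accepted_roots: frozenset
    revocation: frozenset     # chain must offer at least one of these

def check(cert, profile):
    """Return the reasons cert fails profile; an empty list means acceptable."""
    problems = []
    if cert.x509_version < profile.min_version:
        problems.append(f"X.509 v{cert.x509_version} below v{profile.min_version}")
    floor = profile.min_key_bits.get(cert.sig_alg)
    if floor is None:
        problems.append(f"signature algorithm {cert.sig_alg} not accepted")
    elif cert.key_bits < floor:
        problems.append(f"{cert.key_bits}-bit key below {floor}-bit minimum")
    if cert.intermediates > profile.max_intermediates:
        problems.append(f"{cert.intermediates} intermediate CAs exceeds limit")
    if cert.root_id not in profile.accepted_roots:
        problems.append(f"root {cert.root_id} not accepted")
    if profile.revocation and not (cert.revocation & profile.revocation):
        problems.append("no accepted revocation method")
    return problems

# Constructed sample data, not taken from any real deployment.
PROFILE = RecipientProfile(3, {"sha256WithRSAEncryption": 2048, "ecdsa-with-SHA256": 256},
                           2, frozenset({"example-root-A"}), frozenset({"ocsp", "crl"}))
GOOD = CertSummary(3, "sha256WithRSAEncryption", 2048, 1, "example-root-A", frozenset({"ocsp"}))
WEAK = CertSummary(3, "sha1WithRSAEncryption", 1024, 1, "example-root-B", frozenset())

if __name__ == "__main__":
    for name, cert in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check(cert, PROFILE) or "acceptable")
```

Returning every failed criterion rather than stopping at the first lets a sender see whether any of its certificates could satisfy the recipient before it attempts delivery.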