Re: [Ietf-dkim] Thinking About DKIM and Surveillance

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 03 October 2019 01:11 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80328120219 for <ietf-dkim@ietfa.amsl.com>; Wed, 2 Oct 2019 18:11:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EDB1QR_cnilV for <ietf-dkim@ietfa.amsl.com>; Wed, 2 Oct 2019 18:11:24 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FC6912024E for <ietf-dkim@ietf.org>; Wed, 2 Oct 2019 18:11:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8D1EABE47; Thu, 3 Oct 2019 02:11:21 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKB3lZdXhMxF; Thu, 3 Oct 2019 02:11:17 +0100 (IST)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 86DC5BE39; Thu, 3 Oct 2019 02:11:17 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1570065077; bh=YWP8SjFfHc1RkfY05ZE8KYAAflZf73x0KE2ILNFzZok=; h=To:References:From:Subject:Date:In-Reply-To:From; b=cmRaeRPlCBfRHDqm8VsqmRGUnfhV0f16W+x0s2o53ldYp9ILm7kOjpzqqxURmGRGg E+iNzgZJ+XxjDBZ5tvEVU7JVeDIRFCV7Y+KAGHOu3bny8msWoYsFpar7osfTMd68zC Ni3j5kaTrZp2LVGt9FFwjEmk/zQ0kiKrVo2gwo/g=
To: Jon Callas <jon@callas.org>, ietf-dkim@ietf.org
References: <B0CC594E-7B2A-46D2-BEBD-C4E20FF6D1D6@callas.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <a800807e-c2ea-4c06-ff3b-f40276797ca0@cs.tcd.ie>
Date: Thu, 3 Oct 2019 02:11:12 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <B0CC594E-7B2A-46D2-BEBD-C4E20FF6D1D6@callas.org>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="cRapAryACTd2Le5Uz6I0Wpo0qRYUu3TgP"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/40hfXhj-_2lOGj3AuAbTQyK0NDY>
Subject: Re: [Ietf-dkim] Thinking About DKIM and Surveillance
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2019 01:11:27 -0000

Hiya,

Had a quick flick through the paper. Good work but
not something that could yet be immediately used
(which is entirely reasonable). Nonetheless it'd be
good to see work done in this space.

I do however disagree with some of the motivations
for the smarter crypto:

- The authors say: "The public key is required to
persist over disclosures:  otherwise, the frequency
of manual key updates and DNS updates would render
fine-grained disclosures inviable." ESNI is an example
that frequent (hourly) public key rotation is entirely
doable and in any case the effort required is in
publishing anything at some frequency - it makes no
difference if the value is cryptographic (like an RRSIG)
nor mostly how frequently one publishes - once the
automation is in place then you're done.

- I don't buy threat model 2 being that sensible as
one against which to focus defences. AIUI, mostly the
signatures that end up having undesirable properties
(non-repudiation) are leaked from collections. In
real-time, leaking the message content (regardless of
whether that came in email, sms, signal or whatever)
and not an email envelope seems much more likely.

- It's not clear to me there's an hierarchical IBS
scheme that could scale and that hasn't got a fatal
key escrow problem. There may be - I didn't look,
but I don't know there is. (And IBS always seem to
smell patenty, sadly.) Even if key escrow were to
somehow be considered ok, I'm not sure that the
role of key generator fits into the architecture
of email.

- section 5.1: starting out with (paraphrasing)
"replace the currently widely deployed thing"
isn't realistic

- TimeForge seems pretty complex to the point where
I can't see it happening.

In the end, I'd like to see us exploring this space
and this paper is a fine input for that exploration
but I don't see that it provides usable solutions
so far. Still a good paper though.

Cheers,
S.

On 02/10/2019 20:29, Jon Callas wrote:
> I know that I've written about this before, so please bear with me a bit. A continuing concern of mine is the way that DKIM contributes to overall surveillance smog that the Internet has.
> 
> When we designed DKIM, this was something we considered; it was a concern. It wasn't so big a concern that we thought it should derail DKIM, and it wasn't even a concern when it was taken over by the IETF. Nonetheless, it was an issue, is an issue, and becomes a bigger issue nearly every day. The most notorious failure here is the Podesta email dump, where the stolen emails were verified against the DKIM signatures. This is precisely what we didn't want to happen -- that DKIM was used for things beyond fighting inauthentic emails. We ought to do something, the question is what. 
> 
> When I think about how to reduce the tracking and surveillance issues, the solution space includes: (1) Better management of the keys (e.g. lifecycle management of some sort); (2) Better management of the emails (e.g. strip out surveillance-friendly headers in an MDA between the MTA and MUA -- think procmail filter that removes information leaks); (3) Better crypto. If I wave my magic wand and can cause software to appear and be deployed, I'd do them all. None of them are perfect. A crawler that would collect all DKIM keys would blunt the benefits of better key management; building and deploying better header handling is a huge task; better crypto needs an addendum to the DKIM standard.
> 
> Nonetheless, I recently came across an interesting article, "KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures". It's on the IACR eprint archive at <https://eprint.iacr.org/2019/390.pdf>;. I think that everyone here should look at it. The TL;DR is that they have a signing mechanism that blunts attributable signatures and introduces some interesting new concepts. They call it, "Delayed universal forgeability." Yes, that's vague, and it's my point; consider that an advert for the paper. It's an interesting way to look at better crypto that allows for spam-fighting without open-ended tracking.
> 
> I don't know that their solution is the answer, but I do know that it's asking the right questions. In 2005-7, we were concerned about surveillance smog, but we didn't have a good answer (or even consensus, but this was pre-Snowden). The stated answer of the day was proper key management of keys, but it's not clear that anyone has ever deleted a DKIM key out of DNS. (Okay, I'm exaggerating for effect.) They have very good comments about that; I'm not sure I agree, but I really like what they're saying. We also briefly considered some sort of ring or group signature to blunt attribution. That a mediocre mitigation at best, and one of our core goals was to boil the crypto down to essentials, using bare keys rather than certs or any other uniforms for the keys. It's DKIM, not DCIM.
> 
> I think their signatures take that *intent* -- a mix of math and operation -- and creates something really worth considering. Even if it's not the answer, the questions that we punted on in 2005 are vital for 2020 and beyond.
> 
> Thus, any discussion of it is good. I really liked it. Please read it.
> 
> 	Jon
> 
> _______________________________________________
> Ietf-dkim mailing list
> Ietf-dkim@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-dkim
>