Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt> (Using DANE to Associate OpenPGP public keys with email addresses) to Proposed Standard
Paul Wouters <paul@nohats.ca> Fri, 11 September 2015 17:39 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 533F61B30B6 for <ietf@ietfa.amsl.com>; Fri, 11 Sep 2015 10:39:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ymdBxb5oYhR for <ietf@ietfa.amsl.com>; Fri, 11 Sep 2015 10:39:13 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC6C71B3475 for <ietf@ietf.org>; Fri, 11 Sep 2015 10:38:23 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3nCPSX2Ybcz9MT; Fri, 11 Sep 2015 19:38:20 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=I9BMtklJ
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id kaqlSqjNCCni; Fri, 11 Sep 2015 19:38:18 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 11 Sep 2015 19:38:18 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 16AA380099; Fri, 11 Sep 2015 13:38:17 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1441993097; bh=LWVzh+Chjxi8PxgFLYYMScpHnPcrn37qF7BMas+DIfU=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=I9BMtklJVbUA+iV447CIJpz2fJqLm5zA8sSuaUoliM8lgCePhf/zsxq0F86iSsngc LVrNB9UV3Uvz4gwuHwNTa5MlvdvN64WrOs7bYM2iKfxvkTiHJakLKi8+F896PIr3ZL xk1D1BBFZ2LTKQGZ+sZaSi6qSu3Gprk5u9TsVYCw=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.2/8.15.2/Submit) with ESMTP id t8BHcFBq027185; Fri, 11 Sep 2015 13:38:16 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Fri, 11 Sep 2015 13:38:15 -0400
From: Paul Wouters <paul@nohats.ca>
To: John C Klensin <john-ietf@jck.com>
Subject: Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt> (Using DANE to Associate OpenPGP public keys with email addresses) to Proposed Standard
In-Reply-To: <E5628A37051C58A4C7E9005E@JcK-HP8200.jck.com>
Message-ID: <alpine.LFD.2.20.1509111243020.21480@bofh.nohats.ca>
References: <20150828151107.2592.98917.idtracker@ietfa.amsl.com> <alpine.OSX.2.11.1508311731160.8791@ary.lan> <8E726113FEEB642F81213CD3@JcK-HP8200.jck.com> <20150911144421.GE21942@mournblade.imrryr.org> <E5628A37051C58A4C7E9005E@JcK-HP8200.jck.com>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/RfJu7EB8iHeR7FR_MwNU_4AxLqk>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2015 17:39:15 -0000
On Fri, 11 Sep 2015, John C Klensin wrote: > the I-D warns against that case). On the other hand, if the > MUA, having decided that the two addresses are equivalent, sends > the encrypted message to the joesmith mailbox, then information > the sender believes is being transmitted encrypted is disclosed > to the wrong party. Luckilly, "joesmith@example.com" and "Joesmith@example".com are already really good hypothetical friends. They have been regularly receiving each others unencrypted email for the last 20 years. > I believe that whole scenario is a bad idea and is one of While others believe that webforms and phone virtual keyboard auto-correct functions that changes "joesmith@example.com" to "Joesmith@example.com" is an _actual_ problem to address, happening to actual people every day and not some theological and hypothetical deployment. In the real world, the local-part is not case sensitive. > several reasons why originating MUAs should not start > algorithmically guessing at names It is not guessing. It is a defined transformation. Leaving lowercasing out of the spec will result in most implementations querying the unmodified and the lowercased versions to support webforms and virtual keyboard auto-capitalization. And some implementations will forget to implement this because it wouldn't be mentioned in the spec, and it will cause some people's email to go out unencrypted where it could have gone out encrypted. But we would have saved the imaginary Joe Smith and joe Smith from receiving each others unreadable email. At least they will still have each others unencrypted email to read. > --and IETF specs, even > experimental ones, should not encourage doing so-- even though > 5321 does not (and cannot) explicitly prohibit it. If the > advocates of this spec believe the level of risk is acceptable, > I believe they _MUST_ carefully describe that risk and the > tradeoffs in their Security Considerations section. I am totally willing to do that, once we can find one instance out of the 10^9 email addresses where two different people have identical email addresses apart from the case of the local-part. I suspect the change of finding that is going to be smaller than that of a hash collision in DNSSEC or OpenPGP. > Because this is a security protocol, I'm even more concerned > about false positives because the sending MUA has no way to know > whether joe+smith@example.com and joe.smith@example.com The document has never in any of its iterations stated that the "+" or "." symbol should be removed before hashing, let alone that they should be juxtaposed in the way you are describing, so your concern is unfounded. > users are not, and never have been, uniquely bound to mailboxes. The OPENPGPKEY record is not about users, it is bound to email addresses. (or as you can call them, mailboxes) > In the PGP case in particular, it is not an accident > that the key format contains provisions for several addresses > associated with a given user, addresses that are individually > signed/ certified/ validated. And OPENPGPKEY records can be deployed on any of these indepedantly, and the draft even suggests removing those IDs in the key that are not referring to the mailbox for which the OPENPGPKEY is being created. >> If the user and MUA want to be able to employ DNSSEC to obtain >> keys for correspondents well outside their social circle, it >> is not reasonable to call these keys "bogus". They are >> certainly less "bogus" than most web site (DV) certificates. > > One of us misunderstands DNSSEC. It doesn't obtain anything. > It merely provides validation of one thing and one thing only, > which is an integrity check that a response to a DNS query > reflects what is actually in the DNS. It is not, as the draft > can be read to assume or imply, a magical form of pixie dust > that, e.g., attests to the binding between a key found in the > DNS and a particular external user identity. It seems we have already established a nice family of pixie dust with the SSHFP, CERT, TLSA, IPSECKEY and CAA records. And of course other records also publish data on the assumption that the consumer can trust it due to DNSSEC, such as SPF/TXT records. DNSSEC is used as a PKI. Half the people who built DNSSEC, set out to build it as a PKI from the start. > I'm not sure what that means, but you have, IMO, just > strengthened my argument that the Security Considerations > section of the draft is completely inadequate as a discussion of > the vunerability and risks associated with this approach. You mean, the risk of an MTA receiving a plaintext email and sending it on as a plaintext email because it did not find an OPENPGPKEY record? Or an enduser sending an unencrypted email and not being told by their mail client it could have been encrypted, and so they send the email in plaintext as they had planned to originally do anyway? > MUAs start > guessing at mailbox name variations in the way you suggest (or > otherwise), There is no guessing. See above. See WGLC. See dane archive. > [1] Upon skimming back through the draft, if example.net. owns > an MX record that points to smtp.example.com, it is not > completely clear whether the lookup for an OPENPGPKEY record > should be performed at subdomains of example.net, > smtp.example.com, or example.com. It is perfectly clear, and does not involve the MX record whatsoever. The document states: o The user name (the "left-hand side" of the email address, called the "local-part" in the mail message format definition [RFC5322] and the local-part in the specification for internationalized email [RFC6530]) should already be encoded in UTF-8 (or its subset ASCII). If it is written in another encoding it should be converted to UTF-8 and then hashed using the SHA2-256 [RFC5754] algorithm, with the hash truncated to 28 octets and represented in its hexadecimal representation, to become the left-most label in the prepared domain name. Truncation comes from the right-most octets. This does not include the at symbol ("@") that separates the left and right sides of the email address. o The string "_openpgpkey" becomes the second left-most label in the prepared domain name. o The domain name (the "right-hand side" of the email address, called the "domain" in RFC 5322) is appended to the result of step 2 to complete the prepared domain name. Nowhere does it tell you to look at MX records. > I note in that regard that the first sentence of Section 3 of the > I-D is simply false. The first sentence reads: The DNS does not allow the use of all characters that are supported in the "local-part" of email addresses as defined in [RFC5322] and [RFC6530]. RFC 6530 Section 7.1: Permits the use of UTF-8 strings in email addresses, both local parts and domain names. So you are claiming that DNS can take any UTF-8 character? I guess you should file an errata for IDNA RFC-3492. Paul
- Re: [dane] Last Call: <draft-ietf-dane-openpgpkey… Petr Spacek
- Re: [dane] Last Call: <draft-ietf-dane-openpgpkey… Viktor Dukhovni
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John R. Levine
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Paul Wouters
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John Levine
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Stephen Farrell
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John R Levine
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Paul Wouters
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John Levine
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Viktor Dukhovni
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Simon Josefsson
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Simon Josefsson
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… manning
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Paul Wouters
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Paul Wouters
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John C Klensin
- Re: what's a standard for, was Last Call John Levine
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Viktor Dukhovni
- Re: what's a standard for, was Last Call Paul Wouters
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John C Klensin
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Paul Wouters
- Re: what's a standard for, was Last Call John Levine
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Viktor Dukhovni
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John C Klensin
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John C Klensin
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Paul Wouters
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Scott Kitterman
- Re: DNS names, was Last Call on _openpgpkey John Levine
- Re: DNS names, was Last Call on _openpgpkey Mark Andrews
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… John C Klensin
- Re: Last Call: <draft-ietf-dane-openpgpkey-05.txt… Stephen Farrell
- Re: DNS names, was Last Call on _openpgpkey Andrew Sullivan
- Re: DNS names, was Last Call on _openpgpkey John C Klensin
- Re: DNS names, was Last Call on _openpgpkey Andrew Sullivan
- Re: DNS names, was Last Call on _openpgpkey Donald Eastlake
- Re: DNS names, was Last Call on _openpgpkey Mark Andrews
- Re: DNS names, was Last Call on _openpgpkey Andrew Sullivan