Re: [Last-Call] Last Call: <draft-knodel-e2ee-definition-07.txt> (Definition of End-to-end Encryption) to Informational RFC
Kjetil Torgrim Homme <kjetilho@ifi.uio.no> Thu, 13 October 2022 06:53 UTC
Return-Path: <kjetilho@ifi.uio.no>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18997C1524D6 for <last-call@ietfa.amsl.com>; Wed, 12 Oct 2022 23:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.007
X-Spam-Level:
X-Spam-Status: No, score=-7.007 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ifi.uio.no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6FxirQ8fkvHS for <last-call@ietfa.amsl.com>; Wed, 12 Oct 2022 23:53:37 -0700 (PDT)
Received: from mail-out01.uio.no (mail-out01.uio.no [IPv6:2001:700:100:10::50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8299C1522BF for <last-call@ietf.org>; Wed, 12 Oct 2022 23:53:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ifi.uio.no; s=key2103; h=MIME-Version:Date:Content-Transfer-Encoding:Content-Type: References:In-Reply-To:Cc:To:From:Subject:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=F9/Fvr3vWYejTdAOK0UR61UjNE6aiFZdubpjxqUGRuw=; b=oby1Yn7CtRMiyZRfxpBI8V9CxQ 9dEnzfm6BENxT8q7ZYcmNzbpwLzhJcLLed3+s+1JRYQuo2wLPp3AKyGx/f18jq7ofIbhKMtlPGjFq J2pQpYdkisUNF6zNVvxIQWjOSE+4QL4UcuhjdFPLRGShipEWt/zvKLTbX0FM9HJ09UBUx6xU4KBH4 fYMSU8BwrrlTk0oaKcAXUPpQXB3PggVEAslUfWWumRVVD/sehYzFNvYruq7o7ULDRc7U1sN7o8ROX bUaQ10VDeJECbDmZFIUUpavPtBwxBiOroMzZ8veQ7/Pd+Tf9/9dNyTw+Yv2lm11ywgRCiEXvRDgxm 4eTRJYsw==;
Received: from mail-mx12.uio.no ([129.240.10.84]) by mail-out01.uio.no with esmtps (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <kjetilho@ifi.uio.no>) id 1ois5u-0045Nu-9p; Thu, 13 Oct 2022 08:53:26 +0200
Received: from wireguard.i.bitbit.net ([87.238.42.12] helo=scribus.ms.redpill-linpro.com) by mail-mx12.uio.no with esmtpsa (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) user kjetilho (Exim 4.95) (envelope-from <kjetilho@ifi.uio.no>) id 1ois5t-000BCm-Ln; Thu, 13 Oct 2022 08:53:26 +0200
Message-ID: <9e734c66ef5c96dd4c1d52caece48d1ffc1fb451.camel@ifi.uio.no>
From: Kjetil Torgrim Homme <kjetilho@ifi.uio.no>
To: Toerless Eckert <tte@cs.fau.de>, John Levine <johnl@taugh.com>
Cc: last-call@ietf.org
In-Reply-To: <Y0dTp9zpokQxCM/w@faui48e.informatik.uni-erlangen.de>
References: <20221012203820.8B0E44C761B4@ary.local> <20221012215826.72CC44C7714C@ary.local> <Y0dTp9zpokQxCM/w@faui48e.informatik.uni-erlangen.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 13 Oct 2022 08:52:18 +0200
MIME-Version: 1.0
User-Agent: Evolution 3.44.4 (3.44.4-1.fc36)
X-UiO-SPF-Received: Received-SPF: neutral (mail-mx12.uio.no: 87.238.42.12 is neither permitted nor denied by domain of ifi.uio.no) client-ip=87.238.42.12; envelope-from=kjetilho@ifi.uio.no; helo=scribus.ms.redpill-linpro.com;
X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5)
X-UiO-Scanned: 041CDC6DBF7ECA1B517123638B148F3692C74781
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/H4a4dp11AJ3sAkjDNAwY92Fzrf4>
Subject: Re: [Last-Call] Last Call: <draft-knodel-e2ee-definition-07.txt> (Definition of End-to-end Encryption) to Informational RFC
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2022 06:53:43 -0000
to. den 13. 10. 2022 klokka 01.54 (+0200) skreiv Toerless Eckert: > I recommended to the authors to have a picture with (composite) endpoints, > a network with observer/attackers in between and a key management system and > then to say that any use of end-to-end encryption must define well what is > included in the endpoints. Surely the idea must be that e2ee makes it impossible for any third party to listen in? > To pick up on your example: > > IMHO web-mail can only provide end-to-end encryption if the web-server is part of > one end-point. Meaning that any of these web-forms where a user communicates > with participants of that end-point (company) can be end-to-end. And if that > end chooses to outsource the web-server to some cloud service, it is still > end-to-end encryption because we have just created a very large and insecure > endpoint, and a quite uninteresting network piece. I do not think it is useful to consider such a scenario end-to-end- encryption, since it is decrypted by the web-mail provider and readable in plain text by them. Without qualifications, the two ends of a mail exchange are the sender and the recipients. It is not impossible to implement true E2EE web-mail - you just have to do the decryption using JavaScript in the browser. This means the decryption key must also be stored in the browser, typically unlocked by a master password at the beginning of your session. E.g., Firefox Sync uses the master password to allow such a secret to be synced across your browser instances without divulging the key itself to any third parties (including Mozilla). Of course you have to trust their binary not to contain any backdoors, but we will never solve *that* problem. > Ultimately, in the same way as one can not simply say "foo is trusted" without being > more specific, it is equally useless to say "foo provides end-to-end-security". > The minimun useful statement about end-to-end-security seems to be > "foo provides end-to-end-security between <endpoint1> and <endpoint2>", with sufficiently > good description of the two endpoints or use of well enough established terms for either. > Most SMTP servers also employ end-to-end-encryption (TLS) for each hop along the way. So yes, endpoints matter. Leaving John's musings in here, which are basically saying the same thing, although more open-ended :) > On Wed, Oct 12, 2022 at 05:58:25PM -0400, John Levine wrote: > > > > I'm not looking for the answers to these questions, but for guidelines that would let us > > come up with consistent answers. > > > > Imagine we have webmail, encrypted connection between server and browser, mail encrypted with PGP or S/MIME. > > > > If the mail is encrypted and decrypted on the server, so the server is part of the endpoint, is that E2E? > > > > I have a mail account on a server on which I personally control the hardware and software, one at Protonmail, > > one at Gmail. Are the answers the same? > > > > Or assume the encryption is in the browser or phone app. Does the key management matter for E2E? > > How about if the key is stored on the server, but the server promises not to use it, only to > > provide it to the user's browser? (You can check their 150,000 lines of code on Github to see > > whether they actually do this.) > > > > I realize this may seem somewhat nitpicky but if we're going to say end to end, we really need > > a clear understanding of what "end" implies or requires. -- venleg helsing, Kjetil T.
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Salz, Rich
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Eric Rescorla
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Paul Wouters
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Eric Rescorla
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Brian E Carpenter
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Salz, Rich
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Toerless Eckert
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… John Levine
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… John Levine
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Toerless Eckert
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Kjetil Torgrim Homme
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Keith Moore
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Lloyd W
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… John R Levine
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Toerless Eckert
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Phillip Hallam-Baker