IETF Logo Mail Archive

Re: [Last-Call] Last Call: <draft-knodel-e2ee-definition-07.txt> (Definition of End-to-end Encryption) to Informational RFC

John Levine <johnl@taugh.com> Wed, 12 October 2022 21:58 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99CC1C1522BA for <last-call@ietfa.amsl.com>; Wed, 12 Oct 2022 14:58:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.161
X-Spam-Level:
X-Spam-Status: No, score=-4.161 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=t/meY4LT; dkim=pass (2048-bit key) header.d=taugh.com header.b=ctjE5uxH
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tEej8E-0dnOm for <last-call@ietfa.amsl.com>; Wed, 12 Oct 2022 14:58:29 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5212C1522B1 for <last-call@ietf.org>; Wed, 12 Oct 2022 14:58:29 -0700 (PDT)
Received: (qmail 87329 invoked from network); 12 Oct 2022 21:58:27 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=1551f.63473883.k2210; bh=sz04FhRyR2oLLJds+NR9C6SXRDZnZMJZ3uCTxL3FHU8=; b=t/meY4LTeBUf7Of3h0bxZFdBk2s7E8NKJXkeruHuZGb/Sc8TP/nBDC4kMmHnNxp7J4/hZAfxxlusXnc4Bqc+zVaMAlsp61LPncR2QcUb8siLZNfNyyBx+AeBxjAmwWaff+CkzNHk5+m5SFS6pde4Z8aMYshXkpWHh1CLwDMniyJ/4b7zIzQIOPICX6P7hZkGLa4Z0FICyNAPgHm5dT9WEQ9It+kqv8nlEKZeihXKYldlMfcONURAudnGjn1CncRlxYBVV/NdNcg2U/yS1JUByoLU4+QRmbeh1bKvnGqNO1k15aLRdqCiTdjBsq/UBNNQocCguUJ5dOYfNAETIOnOMw==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=1551f.63473883.k2210; bh=sz04FhRyR2oLLJds+NR9C6SXRDZnZMJZ3uCTxL3FHU8=; b=ctjE5uxHb3sLRCstVDaBkjcdOOeB6PInCwigxgV4du5w8xEvJ7RBzbu9Pkm3jzjLA3BOVphIO5tE9mVIzG3TuVUdunR1t1ay7VsS52VBhpjplwH/EAA9UnPinAVORqX+wnMaEAEbtRjhp7cbkphSRu3ab0A2luN6CfSWAGSH8q7XJAqRwZ/jvAnOLNwKReGSzQFPBIOVLRNDVzJh4QReeKHfA/kCvF7dMZiOuiWJuUAiuHLy0P+81v6qgV1thl0FlvCf36VGHxvnS6zYXQg5aUeBzfVGymaDF4INVdPBmbmyD/Sms7GLzczDsbGwQMfhUj6MdG/M4y6XROZ/InRuUQ==
Received: from ary.local ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 12 Oct 2022 21:58:26 -0000
Received: by ary.local (Postfix, from userid 501) id 72CC44C7714C; Wed, 12 Oct 2022 17:58:25 -0400 (EDT)
Date: Wed, 12 Oct 2022 17:58:25 -0400
Message-Id: <20221012215826.72CC44C7714C@ary.local>
From: John Levine <johnl@taugh.com>
To: last-call@ietf.org
In-Reply-To: <20221012203820.8B0E44C761B4@ary.local>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/LAfyH0kxi5uBuu7q2Np7nSnU_CA>
Subject: Re: [Last-Call] Last Call: <draft-knodel-e2ee-definition-07.txt> (Definition of End-to-end Encryption) to Informational RFC
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2022 21:58:34 -0000

 [[ sigh, unhelpful text editor ]]

It appears that John Levine  <johnl@taugh.com> said:
>It appears that Brian E Carpenter  <brian.e.carpenter@gmail.com> said:
>>Hi,
>>
>>I assume this draft has been discussed widely in the Security Area, to
>>have reached last call, but I don't follow discussions there, so I'm
>>sorry if my comments are repetitive.
>>
>>> These dimensions taken as a whole comprise a generally comprehensible picture of consensus at the IETF as to what is end-to-end encryption,
>>
>>I'm not sure that we have any real consensus about this. I guess this
>>last call will tell us.
>
>I read the draft in detail and I have no idea whether webmail could be considered E2E encrypted.

I'm not looking for the answers to these questions, but for guidelines that would let us
come up with consistent answers.

Imagine we have webmail, encrypted connection between server and browser, mail encrypted with PGP or S/MIME.

If the mail is encrypted and decrypted on the server, so the server is part of the endpoint, is that E2E?

I have a mail account on a server on which I personally control the hardware and software, one at Protonmail,
one at Gmail.  Are the answers the same?

Or assume the encryption is in the browser or phone app.  Does the key management matter for E2E?
How about if the key is stored on the server, but the server promises not to use it, only to
provide it to the user's browser?  (You can check their 150,000 lines of code on Github to see
whether they actually do this.)

I realize this may seem somewhat nitpicky but if we're going to say end to end, we really need
a clear understanding of what "end" implies or requires.

R's,
John

v2.23.0 | Report a Bug | By Email