Re: [Last-Call] Last Call: <draft-knodel-e2ee-definition-07.txt> (Definition of End-to-end Encryption) to Informational RFC
Toerless Eckert <tte@cs.fau.de> Wed, 12 October 2022 23:54 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E970C14CE42 for <last-call@ietfa.amsl.com>; Wed, 12 Oct 2022 16:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.657
X-Spam-Level:
X-Spam-Status: No, score=-1.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09KocrLTbTQb for <last-call@ietfa.amsl.com>; Wed, 12 Oct 2022 16:54:24 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17078C14CE3F for <last-call@ietf.org>; Wed, 12 Oct 2022 16:54:22 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id AA69B548545; Thu, 13 Oct 2022 01:54:15 +0200 (CEST)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 952934EBCF6; Thu, 13 Oct 2022 01:54:15 +0200 (CEST)
Date: Thu, 13 Oct 2022 01:54:15 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: John Levine <johnl@taugh.com>
Cc: last-call@ietf.org
Message-ID: <Y0dTp9zpokQxCM/w@faui48e.informatik.uni-erlangen.de>
References: <20221012203820.8B0E44C761B4@ary.local> <20221012215826.72CC44C7714C@ary.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20221012215826.72CC44C7714C@ary.local>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/sb4WMCpNbwN9hp7QTvJPRdSQ7vY>
Subject: Re: [Last-Call] Last Call: <draft-knodel-e2ee-definition-07.txt> (Definition of End-to-end Encryption) to Informational RFC
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2022 23:54:26 -0000
I recommended to the authors to have a picture with (composite) endpoints,
a network with observer/attackers in between and a key management system and
then to say that any use of end-to-end encryption must define well what is
included in the endpoints.
To pick up on your example:
IMHO web-mail can only provide end-to-end encryption if the web-server is part of
one end-point. Meaning that any of these web-forms where a user communicates
with participants of that end-point (company) can be end-to-end. And if that
end chooses to outsource the web-server to some cloud service, it is still
end-to-end encryption because we have just created a very large and insecure
endpoint, and a quite uninteresting network piece.
Ultimately, in the same way as one can not simply say "foo is trusted" without being
more specific, it is equally useless to say "foo provides end-to-end-security".
The minimun useful statement about end-to-end-security seems to be
"foo provides end-to-end-security between <endpoint1> and <endpoint2>", with sufficiently
good description of the two endpoints or use of well enough established terms for either.
Cheers
Toerless
On Wed, Oct 12, 2022 at 05:58:25PM -0400, John Levine wrote:
> [[ sigh, unhelpful text editor ]]
>
> It appears that John Levine <johnl@taugh.com> said:
> >It appears that Brian E Carpenter <brian.e.carpenter@gmail.com> said:
> >>Hi,
> >>
> >>I assume this draft has been discussed widely in the Security Area, to
> >>have reached last call, but I don't follow discussions there, so I'm
> >>sorry if my comments are repetitive.
> >>
> >>> These dimensions taken as a whole comprise a generally comprehensible picture of consensus at the IETF as to what is end-to-end encryption,
> >>
> >>I'm not sure that we have any real consensus about this. I guess this
> >>last call will tell us.
> >
> >I read the draft in detail and I have no idea whether webmail could be considered E2E encrypted.
>
> I'm not looking for the answers to these questions, but for guidelines that would let us
> come up with consistent answers.
>
> Imagine we have webmail, encrypted connection between server and browser, mail encrypted with PGP or S/MIME.
>
> If the mail is encrypted and decrypted on the server, so the server is part of the endpoint, is that E2E?
>
> I have a mail account on a server on which I personally control the hardware and software, one at Protonmail,
> one at Gmail. Are the answers the same?
>
> Or assume the encryption is in the browser or phone app. Does the key management matter for E2E?
> How about if the key is stored on the server, but the server promises not to use it, only to
> provide it to the user's browser? (You can check their 150,000 lines of code on Github to see
> whether they actually do this.)
>
> I realize this may seem somewhat nitpicky but if we're going to say end to end, we really need
> a clear understanding of what "end" implies or requires.
>
> R's,
> John
>
>
> --
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call
--
---
tte@cs.fau.de
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Salz, Rich
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Eric Rescorla
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Paul Wouters
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Eric Rescorla
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Brian E Carpenter
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Salz, Rich
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Toerless Eckert
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… John Levine
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… John Levine
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Toerless Eckert
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Kjetil Torgrim Homme
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Keith Moore
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Lloyd W
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… John R Levine
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Toerless Eckert
- Re: [Last-Call] Last Call: <draft-knodel-e2ee-def… Phillip Hallam-Baker