IETF Logo Mail Archive

Re: [openpgp] Remove email metadata by encrypting headers using the published DKIM key

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 23 June 2022 17:57 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E49CC13CD8F for <openpgp@ietfa.amsl.com>; Thu, 23 Jun 2022 10:57:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.709
X-Spam-Level:
X-Spam-Status: No, score=-6.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uWU0PUU0mQ5p for <openpgp@ietfa.amsl.com>; Thu, 23 Jun 2022 10:57:07 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08FC5C15D888 for <openpgp@ietf.org>; Thu, 23 Jun 2022 10:57:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 158A938C17; Thu, 23 Jun 2022 14:13:21 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id rXS79kdKSHWb; Thu, 23 Jun 2022 14:13:18 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 9585438C33; Thu, 23 Jun 2022 14:13:18 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1656007998; bh=IHFjbuEwvyHfviu+mYpSQ1TerkUlhDuMrt1wy49lw4c=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=NTVZiW5XCYyENX8s+x+VXEDCLPauM151n5k/nJn2jQlDRYe25tK8u70ALGZM+FvJR RrOYBf9MkW8eB5MuCdh2wrRSr8dTd1/Mt4iD3vxkGRtdFK50072mx+xcojm4Ir9VJP Nlsk1XaaqJx8p4t4H4IWy+SubgL4FyBIB03LJCwUzvsD+4TyHO+DUqM3M6VWuWTJ++ vw1NAo5+rolfWj5ma6z0gW3Wv4tYDL3TnXYhkObtkRNguMGo/uj+9Tjb9hSd7UQsrh Me3kDS09vZo2ZHupgiov96XZUj44M0AixDtiyHrt4eYqfShi5JULBtNN5ms8qFg7OA bjYO8xibMnXng==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 19C6D14; Thu, 23 Jun 2022 13:57:03 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Kai Engert <kaie@kuix.de>
cc: Tobias Mueller <tobi@cryptobit.ch>, openpgp@ietf.org
In-Reply-To: <419f3afb-d066-17e5-a88b-9b9509715d99@kuix.de>
References: <f9585e88-635b-4385-afca-0de845acb875@kuix.de> <1e12d6982101bbe6c3c534f2848431a08598c10c.camel@cryptobit.ch> <419f3afb-d066-17e5-a88b-9b9509715d99@kuix.de>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 23 Jun 2022 13:57:03 -0400
Message-ID: <7180.1656007023@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/7D7CcaTQHsniw-laQ6ilqTZD6w8>
Subject: Re: [openpgp] Remove email metadata by encrypting headers using the published DKIM key
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2022 17:57:11 -0000

Kai Engert <kaie@kuix.de> wrote:
    > On 23.06.22 10:45, Tobias Mueller wrote:
    >> I guess the changes your idea brings are big enough to warrant a
    >> separate DKIM-like mechanism, maybe a "DomainKeys Encrypted Mail" (DKEM)
    >> that works about the same as DKIM.

    > I like the acronym DKEM. However, I'd rather define the M in DKEM as
    > "Metadata", not Mail, because this isn't about encrypting all of the
    > mail, only some of the headers.


    >> Compared to DKIM, though, the recipient server cannot process mails when
    >> the key is not available (or a wrong key is used) which seems like a
    >> rather big obstacle.

    > True, it would be required to demand that a sending agent checks the key
    > source (e.g. DNS) right before sending it, to ensure the key information
    > is fresh.

Why would the recipient server be unable to process the email?
The To:/CC: headers are *NOT* used at the SMTP layer.

The recipient server could well receive the email, queue it, and then decrypt
it later.

This could probably be prototyped using the milter interfaces that both
postfix and sendmail use, and those mostly look like a pass through an
auxiliary server.  (opendkim does the same thing)
If the auxiliary server is unavailable, then the email stays in the Q.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email