IETF Logo Mail Archive

Re: [openpgp] Put Signature in an Email's Header

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 20 October 2023 12:58 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B826BC1522A0 for <openpgp@ietfa.amsl.com>; Fri, 20 Oct 2023 05:58:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.313
X-Spam-Level:
X-Spam-Status: No, score=-6.313 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="EglmVblH"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="1leyU3Go"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bC67HRTUruD8 for <openpgp@ietfa.amsl.com>; Fri, 20 Oct 2023 05:58:02 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8A32C1519B3 for <openpgp@ietf.org>; Fri, 20 Oct 2023 05:57:00 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1697806618; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=va9K4rW1v7sdojfX2VYMS62n4ELBRWuODwv2lfgo9MI=; b=EglmVblH/lZwIhPY0cMWDj2MPcrDLP+4MJObLVacdGbsWYgQwLenNVSak/R57YdqyTbRT BJV5WjNw7wGJlk2Ag==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1697806618; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=va9K4rW1v7sdojfX2VYMS62n4ELBRWuODwv2lfgo9MI=; b=1leyU3GoBE5MhxHgKel0GXYKKidyZoNlnH7G3miU6gVrhlPRXGzfoBqkK78XUdLj9Zz8t kLzXi1cG1iCJkx3A/EMVfA6dQ/yY9Uc1QdZqk0S/UQV54juoQ+9E9WKzmXkyrumW5LYb5Je cHk4exnhlXLvSSkxzrtQAtmPIWXCaozuD/U3DMET3m43N67oKR1PXWWN9ppLBN16G2Dmhyq T9Rx3lXimBkrSC3O78Jfvw6QF09NWYOwN25cRVgNapl4aSInovah5/iMzwO6oOMr7GifUgW Ho9n6bPR1973b4n7I+AT+ToGEQTGjqkh2s2zp+Xcj/gAqrhWmM1FLmO/DFRw==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 8D72BF9E8; Fri, 20 Oct 2023 08:56:58 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 32B9520628; Thu, 19 Oct 2023 14:42:27 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Kai Engert <kaie@kuix.de>, Andrew Gallagher <andrewg@andrewg.com>
Cc: Wiktor Kwapisiewicz <wikto@metacode.biz>, openpgp@ietf.org
In-Reply-To: <17566aae-8b29-4223-b641-26846f3d64f7@kuix.de>
References: <48be3fcf-cdce-9ef4-655b-63b6dddf9310@kuix.de> <20201211095836.5218a72e@computer> <cd02d2db-0671-dfc0-dab3-dc793a2c1605@metacode.biz> <878sa4y7hy.wl-neal@walfield.org> <4dbaf770-2b2e-47cc-afb5-3ba07706aafd@kuix.de> <87a5v1j4xo.fsf@wheatstone.g10code.de> <db447915-fc25-4759-879e-b64020c0ec0e@kuix.de> <87zg31hoee.fsf@wheatstone.g10code.de> <ba560bb0-0fa5-40a2-b70d-83f36859e17e@metacode.biz> <87v8dphmec.fsf@wheatstone.g10code.de> <17a06888-8516-457f-8ef3-85b7c77ce2f6@kuix.de> <51A7082C-D4E0-4577-B3E5-0688664FDD0F@andrewg.com> <17566aae-8b29-4223-b641-26846f3d64f7@kuix.de>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Thu, 19 Oct 2023 14:42:25 -0400
Message-ID: <875y32ihda.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Ic2G8N2d2GeageIHm2J-jeLb2Oo>
Subject: Re: [openpgp] Put Signature in an Email's Header
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2023 12:58:06 -0000

Sorry for the long delay in following up on this discussion:

On Wed 2023-08-09 10:32:20 +0200, Kai Engert wrote:
> On 08.08.23 19:09, Andrew Gallagher wrote:
>> I’d be wary of such a double-encapsulation, it feels fragile.
>
> This is what we currently do when combining a signature and protected 
> headers:
>
> multipart/signed (application/pgp-signature)
>      multipart/mixed (protected-headers)
>          headers
>          payload
>      signature data
>
> And the new suggestion is:
>
> multipart/mixed
>      signature-as-a-header
>      multipart/mixed (protected-headers)
>          headers
>          payload
>
> Given that both use two layers around the payload, why do you consider 
> the new suggestion more fragile?

Calling the above two schemes (A) and (B), and assuming that each line
in the schema above is intended to represent a MIME part, i'll observe
that (A) has been tested and shown to be problematic for viewing in some
widely deployed MUAs (Outlook being the most visible).

For this reason, the recommendation that LAMPS has settled on in
https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/ for
signed-only messages using the multipart/signed construct is scheme (C):

 multipart/signed (application/pgp-signature)
     payload (protected-headers)
     signature data

That is, there is *no* separate MIME subpart for headers for a
cryptographically protected message, and the headers that are protected
in a signed message can simply be injected onto the payload MIME part
directly.

Sending a test multipart/signed PGP/MIME mesage from Thunderbird 115.2.2
(on debian) i see that the actual result is yet another approach, scheme
(D):

 multipart/signed (application/pgp-signature)
     multipart/mixed (protected-headers)
         payload
     signature data

I don't think there's anything to be gained from (D) over (C).

Scheme (B) (kai's "new suggestion" above) is also problematic, even if
the "signature-as-a-header" is not its own MIME subpart.  It's
problematic because users expect a message to have a single
cryptographic status, which means that the signature is best offered
over the entire message -- and this wrapper looks like it is *not* a
cryptographic envelope at all.  (please see
draft-ietf-lamps-e2e-mail-guidance for discussion of the cryptographic
envelope).

If anyone wants to experiment with the kind of scheme referred to in the
subject line, in particular trying to synchronize with the types of
constraints that are necessary to keep DKIM signatures intact, i don't
think it's a bad idea.  But i don't think you need any alternate MIME
structure to do it.

          --dkg

v2.23.0 | Report a Bug | By Email