IETF Logo Mail Archive

Re: [openpgp] Remove email metadata by encrypting headers using the published DKIM key

Tobias Mueller <tobi@cryptobit.ch> Thu, 23 June 2022 08:46 UTC

Return-Path: <tobi@cryptobit.ch>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82C99C15AD51 for <openpgp@ietfa.amsl.com>; Thu, 23 Jun 2022 01:46:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJ_VhoJf7ZwP for <openpgp@ietfa.amsl.com>; Thu, 23 Jun 2022 01:46:08 -0700 (PDT)
Received: from mail.cryptobit.ch (cryptobit.ch [188.40.138.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D7D8C157B3B for <openpgp@ietf.org>; Thu, 23 Jun 2022 01:46:05 -0700 (PDT)
Received: from 127.0.0.1 (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client did not present a certificate) by mail.cryptobit.ch (Postfix) with ESMTPSA id 4LTDP43Z2LzKdcc; Thu, 23 Jun 2022 10:46:00 +0200 (CEST)
Message-ID: <1e12d6982101bbe6c3c534f2848431a08598c10c.camel@cryptobit.ch>
From: Tobias Mueller <tobi@cryptobit.ch>
To: Kai Engert <kaie@kuix.de>
Cc: openpgp@ietf.org
Date: Thu, 23 Jun 2022 10:45:59 +0200
In-Reply-To: <f9585e88-635b-4385-afca-0de845acb875@kuix.de>
References: <f9585e88-635b-4385-afca-0de845acb875@kuix.de>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/UydHVvbayHW_FO1bm_01Lf5HAXY>
Subject: Re: [openpgp] Remove email metadata by encrypting headers using the published DKIM key
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2022 08:46:13 -0000

Hi Kai,

interesting idea.

I'd be concerned about the use of the same key for both signing and
encryption.

I guess the changes your idea brings are big enough to warrant a
separate DKIM-like mechanism, maybe a "DomainKeys Encrypted Mail" (DKEM)
that works about the same as DKIM.

Compared to DKIM, though, the recipient server cannot process mails when
the key is not available (or a wrong key is used) which seems like a
rather big obstacle.

Also, I guess, using HTTPS is considered to be more popular than using
DNSSEC for distributing such information. So you could envision
something like MTA-STS.

Best,
  Tobi
 
On Thu, 2022-06-23 at 10:31 +0200, Kai Engert wrote:
> I'd like to drop the following idea about reducing some metadata from 
> emails.
> 
> While the OpenPGP list isn't the perfect fit for this suggestion, I'm 
> guessing that many of you might have an opinion on this idea, given
> that 
> PGP is related to privacy and email. Please suggest a better place to 
> discuss this, if there is one.
> 
> While this idea might be applicable to additional email headers, I'll 
> start by talking about the recipient headers TO and CC.
> 
> Today, emails leak information about the sender and the recipients of
> an 
> email to everyone along the route.
> 
> If a domain has published an RSA key for DKIM signatures on DNS (and 
> signals on DNS that it opts in to the encryption mechanism described 
> here), then agents that send email to that domain could encrypt the
> list 
> of recipients.
> 
> For example, if the intended recipient is someone@example.com, the
> agent 
> could encrypt "someone" and encode it as base64. The software on the 
> recipient server could then use the DKIM key to decrypt the message.
> 
> Simply replacing the addresses doesn't work for emails with
> recipients 
> on more than one domain, because the server on each recipient domain 
> must be able to decrypt the list of recipients.
> 
> So maybe alice@business.example.com could be replaced by 
> enc-recip-1@business.example.com, and bob@ngo.example.com could be 
> replaced by enc-recip-2@ngo.example.com, and an email header for each 
> combination of {recipient, destination-domain} could be added:
> 
> X-enc-recip-which: (replacement-identifier) 
> (encrypted-base64-encoded-mailbox-name) (domain key that can decrypt 
> this cipher)
> 
> Example:
> 
> X-enc-recip-to: enc-recip-1 ZWNpbGEK business.example.com
> X-enc-recip-to: enc-recip-2 b2JiCg== business.example.com
> X-enc-recip-cc: enc-recip-1 RUNJTEEK ngo.example.com
> X-enc-recip-cc: enc-recip-2 T0JCCg== ngo.example.com
> 
> Possibly also:
> 
> X-enc-from: enc-recip-0 Y2hhcmxpZQo= business.example.com
> X-enc-from: enc-recip-0 Q0hBUkxJRQo= ngo.example.com
> 
> Some domains want to use separate servers for sending emails and 
> receiving emails, and they might prefer to store the DKIM sending key
> on 
> the servers for outgoing email, only. That would require that
> optionally 
> a separate key could be published by the domain for receiving
> encrypted 
> headers. Because some sort of signaling is required that allows a
> server 
> to opt in to receive encrypted headers, it might be better to not
> reuse 
> the DKIM keys, but rather define a separate DNS record for publishing
> an 
> encryption key for receiving such headers.
> 
> Above this paragraph is the generic description of the new idea that 
> could (maybe) reduce the amount of meta data in emails.
> 
> Below this line is a rough idea for a potential application. I'm not 
> claiming the idea is practical, I'm just offering it as an example
> for 
> how the metadata reduction could be beneficial.
> 
> Let's say uncensored@example.com is an email robot, that offers the 
> retrieval of documents from wikipedia.org and archive.org, intended
> for 
> users like Garry, who lives in Censorland, which censors access to
> those 
> sites.
> 
> Garry sends email to uncensored@example.com, asking for the wikipedia 
> article on Special-Peace-Collaboration.
> 
> If the email address uncensored@example.com can be seen in the email
> in 
> the clear, then the admins of Censorland can easily block it as
> undesired.
> 
> However, if example.com is a large email provider, encrypting the
> true 
> recipient mailbox is a domain fronting approach to make blocking the 
> mailbox difficult.
> 
> The email that Garry sends could be encrypted using OpenPGP, to hide 
> which article Garry is requesting. Garry could also include their
> public 
> key, allowing the email robot to encrypt the article that is sent to 
> Garry by email in response.
> 
> (When sending the response to Garry, in addition to encrypting the 
> article, the email should also use a fake sender address, to not
> reveal 
> the true origin of the email to the Censorland email server
> operators.)
> 
> Sent in the hope these ideas make some sense and could be useful.
> 
> Kai
> 
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email