Re: [perpass] draft-josefsson-email-received-privacy

ned+perpass@mrochek.com Thu, 22 October 2015 05:49 UTC

Return-Path: <ned+perpass@mrochek.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B27F1B2E7E for <perpass@ietfa.amsl.com>; Wed, 21 Oct 2015 22:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.012
X-Spam-Level:
X-Spam-Status: No, score=-2.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T4f7xwNJWrms for <perpass@ietfa.amsl.com>; Wed, 21 Oct 2015 22:49:44 -0700 (PDT)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.159.242.17]) by ietfa.amsl.com (Postfix) with ESMTP id 9141B1B2E7D for <perpass@ietf.org>; Wed, 21 Oct 2015 22:49:44 -0700 (PDT)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01PS6UMJAI1C000PWF@mauve.mrochek.com> for perpass@ietf.org; Wed, 21 Oct 2015 22:44:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mrochek.com; s=mauve; t=1445492682; bh=U9SSMHziNo9XmmOyD62Sse4UxVxxyU6zCIPAjHbcQz8=; h=From:Cc:Date:Subject:In-reply-to:References:To; b=MV0Kz4Bup1zVugVns8wv1eCrj2QiPBcU6VmKj1gT+jzWBUl7OOztXf00XuIGkYmhh qo6Sv6QaFujZ8oZiskvoLRtF3wrjwf0jRyzeYi5Jdq/ivB/QkcxDPjOQBoa39nT8Cd Y/N2fTe+eav/YVnhKidTKUOFd4/ERO8qVggvTg+w=
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: TEXT/PLAIN; CHARSET=us-ascii
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01PS0CK0G5IO01729W@mauve.mrochek.com> (original mail from NED@mauve.mrochek.com) for perpass@ietf.org; Wed, 21 Oct 2015 22:44:40 -0700 (PDT)
From: ned+perpass@mrochek.com
Message-id: <01PS6UMHPA8S01729W@mauve.mrochek.com>
Date: Wed, 21 Oct 2015 21:27:02 -0700 (PDT)
In-reply-to: "Your message dated Tue, 20 Oct 2015 20:28:34 +0200" <87r3kpmm25.fsf@nordberg.se>
References: <87r3kpmm25.fsf@nordberg.se>
To: Linus Nordberg <linus@nordberg.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/perpass/olIpnc_N1Vu46k0X_Rc74XMlYZE>
Cc: perpass@ietf.org
Subject: Re: [perpass] draft-josefsson-email-received-privacy
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 05:49:46 -0000

> Hi,

> draft-josefsson-email-received-privacy-00 has been submitted, see
> https://datatracker.ietf.org/doc/draft-josefsson-email-received-privacy/

> I'd be interested in hearing what people on the perpass list think of
> this.

It looks to me like the IETF is belatedly coming up to speed on a problem that
the email community - the large scale providers at least - is already in the
process of solving. And while it would be nice to write down some best
practices here so everyone knows what to do, the method described  in this
draft is *not* that best practice in any way, shape or form.

In fact its adoption would cause widespread damage to the email infrastructure.

Getting down to specifics: This proposal effectively makes the addition of
Received: fields optional: You only do it when you feel like it. The
obstensible purpose of this change is to prevent exposure of the sender's IP
address in the context of pervasive  surveillance.

However, this removal, were it to occur, is not terribly effective in achieving
this specific goal. Why? Because this does nothing prevent the IP address from
being logged elsewhere. And those logs often enjoy far less legal protection -
in some cases no protection at all - than actual message content. And good luck
convincing ISPs and MSPs not to collect this information.

If anything the removal of this information from messages for this claimed
result may create a false sense of security in regards to persuasive
surveilance.

All that said, there is a real privacy gain in not including this information
in messages. State actors with subpeona powers may have easy access to ISP/MSP
logs, but other players, including legitimate message recipients, do not. And
my location at the time I send a piece of mail really isn't the concern of any
of the message's recipients unless I choose to reveal it.

So where is the information stored and how can eliminate it safely? It's in the
from clause of the Receved: field generated by the SUBMIT server. The from
clause is mandatory, but there's noting that says the clause has to actualy
contain anything meaninful. So the obvious solution is to dummy information.
(My personal preference would be to define a well known name or names for this
purpose and use that without any IP address information at all, which the ABNF
in RFC 5321 explicitly allows.)

And this approach has already been deployed, successfully AFAICT. (To be fair,
gmail appears to have done it by dropping from clauses entirely - a syntax
violation.) We added an option to override the from clause to our product a few
months ago. (And I'm told we're fairly late to this particular party.)

Now, received fields are, as the draft notes, generated at other times, and the
name/address information in them can reveal internal network topology to some
extent. This concern is, IMNSHO, considerably overblown, but sanitizing from
clauses generated by internal relay steps may make sense in some specific cases.

And what about other aspects of the Received: field? The remainder of the (all
optional) clauses that Received: fields support also reveal information to some
extent and a detailed security analysis of all of them should be undertaken as
part of any work undertaken in this area.

That leaves the presence of the Received: field itself and the timestamp. The
former is critical to the proper functioning of the email transport
infrastructure: Received: field counting is the primary mechanism used to
prevent mail loops. And there's ample operational experience in the field with
the bad things that happen when the requirement to add Received: fields is
ignored or agents remove them willy-nilly.

The timestamp is quite useful in tracking routing delays after the fact. It
also doesn't reveal all that much given how it's going to be brackted by the
Date: field and the IMAP internaldate.

In summary, the present proposal as presently written is a nonstarter because
it breaks critical email functionality: The ability to detect and block mail
loops. In also unnecessarily causes the removal of highly useful timing and
trace information. An approach based on current inductry practices should be
considered instead and specific guidance on when the mechanism should be
employed needs to be given.

				Ned