Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-e2e-mail-guidance-15: (with DISCUSS and COMMENT)
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 17 March 2024 19:52 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 183A7C14F605; Sun, 17 Mar 2024 12:52:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="SMcampIP"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="d60hCN5J"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LpbcMPtBv5wo; Sun, 17 Mar 2024 12:52:52 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8FB2C14F604; Sun, 17 Mar 2024 12:52:51 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1710705169; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=wcJfJADzZEAPH2eHNn4H3Gw9tEz/P7whDWZlOcsKBa0=; b=SMcampIPw76AuKUYzuNy9mYGge9/lp3qxd0XnkoAxTEFrv4YfLHwpdkKswK9pSBVlscDZ vUxslaOHAfflq53CA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1710705169; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=wcJfJADzZEAPH2eHNn4H3Gw9tEz/P7whDWZlOcsKBa0=; b=d60hCN5JaBUKUisDn8f+FNPaJE4Uh8CNjlzoGqiAM6q6RfRyKfzDBCTJCOWgrBDVWrefS U75IOfVyApbAOLtl3nmo3bXglhQcK1OqgHYYmQ8bQwUD6UtQ++OT5/5CozhFJ59IxqJoujq Et1SSIKAg6PtrB4O49+JHmN3Q/a5psggP/Fo6vDaYWkjfjeDaC/7ZchEF1YQh9/1+zjgd7/ ODsHtOIIg1Spc7d+XWoWE8Zw8O1A6qJItnGS6kd2xiT5FchtwYSST6wr0vJJWrGMYBbkZ1s OhLVks0ffZb2YNxPO9EWeJ1Y6lr/wvcuon9AdJKrxyTWjCplZ6y6c2Bx8lfQ==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 3459BF9DB; Sun, 17 Mar 2024 15:52:49 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 6A4CB20857; Sun, 17 Mar 2024 15:52:47 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: The IESG <iesg@ietf.org>, draft-ietf-lamps-e2e-mail-guidance@ietf.org, lamps-chairs@ietf.org, spasm@ietf.org, housley@vigilsec.com
In-Reply-To: <CAGL5yWbfoX8SnQyAQzggN-2Z1HhTTkMSeebEh-P9k5EhkDmzzw@mail.gmail.com>
References: <170969517060.45916.11010011783885804824@ietfa.amsl.com> <87a5n29bk7.fsf@fifthhorseman.net> <CAGL5yWbfoX8SnQyAQzggN-2Z1HhTTkMSeebEh-P9k5EhkDmzzw@mail.gmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/YO+5Zi7HCi QQfFgoAMQWCZadnIAUJBdtHCwMLCQcDFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu36RAUlea/ cACgkQu36RAUlea/edDQD+M2QjnoEyu/TjI+gRXBpXQ5jCsnnp9FdYhaSSUW/vZ8kBAJByWlj A9aMfVaVrmvgcYw7jzJz+gmZspBRB++5LZ20NzRc8ZGtnQGZpZnRoaG9yc2VtYW4ubmV0PsLA EQQTFgoAeQMLCQdHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEu/CS CeyWwC6j4ihJr2u/z6delsF1pvYW3ufgf1L538DFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu3 6RAUlea/cFAmWnX5AFCQXZ8EUACgkQu36RAUlea/cjVwD+ONjdHM74rAa6EEiiqaPjlptiaZx CVqFYXnib6EbZARkBAPnnR8pW8vCBnDXHKu65jNqwF3aH761NaOqqMFfppg8GzjMEZXEJyxYJ KwYBBAHaRw8BAQdAjX25Fq2Q9IUFeHy6yByIQPBnFOedFliuEiCIUzJsENDCwMUEGBYKAS1HF AAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnwqKWsw56uoWVLIFcs7ZecJ gwpsSNevWCzbviKQ8yRLUCmwK+oAQZFgoAbwWCZXEJywkQdy0WHjXNS4FHFAAAAAAAHgAgc2F sdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEIJSOxuw2y/UJmg5M3BLpN0JYjODZpXiEVFu 1byARzMWIQR0vATEPYYIS+hnLAZ3LRYeNc1LgQAAsH8BAKg1C5LK/D7pSkXCD+jfTSP+CqM58 iHLjh4vKhpOKsTJAQCHldtEjxJ1ksPTFgG9HihHH7qc6/wvvLw77ETMpwlrAxYhBNR3BAxwwh VqXCmFSbt+kQFJXmv3BQJlp1+rBQkCF4lgAAoJELt+kQFJXmv3ydsA/2roQZ2Jm/7iUrg/2C5 ClWA/xbvPC31LyMkGGH2/rq8tAP9BgqLuCPnNTVPqeX9+9qqMmaFq7wmvjq5I+yycAw9CDc44 BGVxCcsSCisGAQQBl1UBBQEBB0BZMsRrRaaeFSYMF1ZdfRmVgBriDUIr99eDQ085BK14DgMBC AfCwAYEGBYKAG5HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnsazAWX tEHUPmSTmcRZAIsAsNiO8k0hdjsfRlRVipgJgCmwwWIQTUdwQMcMIValwphUm7fpEBSV5r9wU CZadfqwUJAheJYAAKCRC7fpEBSV5r90AjAPwLgY1iKiFJEj32SVD5f721929l79VxQB5FlQss x1n5kQEA6Uct2tPvbB6T7p5KG3Gl+tbi7oJAuxFmpkpW5/N2Owg=
Date: Sun, 17 Mar 2024 15:52:46 -0400
Message-ID: <87a5mw7i0h.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/77vRSTNgDOiocE41AcgK-IXW34Q>
Subject: Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-e2e-mail-guidance-15: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2024 19:52:57 -0000
Hi Paul--
Thanks for the discussion and feedback.
On Sun 2024-03-17 18:16:01 +1000, Paul Wouters wrote:
> [ dkg wrote: ]
>> The fact that the messages are authenticatable is critical for many of
>> the systems that use e2ee mail, including things like verification of
>> protected headers.
>
> I am not sure I'd agree with "critical".
OK, maybe "critical" is too strong, but having cryptographically
authenticated and integrity-checked headers allows the receiving MUA to
reason about the message with more confidence, including things like
what to do when composing a reply to an encrypted message, to avoid even
an encrypted reply from going where it wasn't originally intended to go.
This is especially important for things like control systems governed by
end-to-end cryptographic mail (e.g. the debian archive; mailing lists
like schleuder; DNS registrar controls; etc)
Even without these mechanical advantages, helping the recipient
understand the difference between a deliberately unsigned encrypted
message and a signed encrypted message is … awkward at best.
> I see it more as a user option, a choice of the sender to hand out
> such cryptographic proof or not.
One of the goals of the e2e-mail-guidance draft is usability. Asking
the user to make a subtle choice each time they send an e-mail increases
the mental load associated with using cryptographically protected mail.
If making that choice has no particular consequence, then it's just a
cost with no benefit.
Streamlining the decisions required of the user is important for
usability.
> There is an unmistakable difference if we sit at a bar and I tell you
> "Roman is impossible to work with", versus a crypto graphically signed
> message of the same.
I agree there is a difference between those two scenarios.
But what this draft asks implementers to consider is whether there is
actually a significant difference between badmouthing Roman in an
*unsigned* e-mail versus badmouthing him a *cryptographically signed*
e-mail.
Either way, the recipient can replay the e-mail to Roman or Roman's
supervisor (sorry Roman!). Do you think Roman (or his supervisor) will
attach any significant weight to the fact of the end-to-end
cryptographic signature?
Remember that "non-repudiability" only goes so far: i might not be able
to claim that the message was sent from somewhere else, but i can always
claim that my MUA got hacked. And, remember that "repudiability" itself
also only goes so far: the message that is not cryptographically signed
can be traced/authenticated by Received headers, by MTA logs, by
inspection of a sent mail folder, etc, depending on what access someone
has, and how much certainy the judge requires from the evidence.
Roman will probably feel just as bad when he sees the unsigned mail as
he will feel if the mail is signed. (and if we're talking about our
ex-AD, he is an unusual case because he actually knows the difference
between signed and unsigned mail -- most other people who are
"impossible to work with" won't even know the difference)
> In other words, mandating digital signatures can surely stifle free
> speech via email.
I'm not as sure as you are about that. I think the risk of confusing
and difficult choices limiting the reach of e2e-protected mail represent
a much more widespread chilling effect. People need to know that their
messages will be private except for the people they intend to receive
them. Each hurdle we put in the way of that has a larger impact than
any subtle nuance between signed and unsigned encrypted messages.
> The choice of medium can be based on the informal vs formal nature of it.
> A slack message can be a lot more informal than an email. Or a text
> message can be seen as informal too. Or a DM on various platforms.
>
> My concern is that you are raising the informality of email to a new
> formality that is not what some people come to expect of it.
I think people already think of unsigned e-mail as formal, as you say
above. I don't think they'll see this change as significantly
different.
> "Warning: this message was encrypted but not digitally signed. It could be
> a forgery".
will any MUA put the same warning on unsigned, non-encrypted messages
today? If not, then we're putting warnings on encrypted messages that
will make people reluctant to encrypt. ("i don't want them to get a
warning message when they read this mail")
> I'm not sure if the IETF should step too deep into the UI parts. I'm mostly
> pushing back at you trying to make sending encrypted unsigned messages
> a MUST NOT. If you could quantify that, I would be much happier.
I agree that the IETF should not step too deeply into UX design. But we
need to think clearly about how to expose simple and straightforward
semantics from the protocols we develop so that the UX designers have a
chance to make something that is actually usable.
To date, that has never been done with e2ee mail ☹
>> The document currently treats the e-mail address as the sender identity,
>> and doesn't grapple with the human-readable name at all.
>
> But how useful is the advise of this draft if all these out of scope things
> are
> not part of the discussion?
>
>> I've opened https://gitlab.com/dkg/e2e-mail-guidance/-/issues/14
>
> I see you addressed it in
> https://gitlab.com/dkg/e2e-mail-guidance/-/commit/fc7fe640873e2725e2d43c5381975acc59cd45f7
> Thanks!
I hope you'll agree that this draft is a step forward toward a usable
e2ee e-mail system, even though there are some things it doesn't cover.
Frankly, the "Future Work" appendix alone describes more outstanding
work than many WGs describe in their charter :/
>> > For comprehensibility, a conformant MUA SHOULD NOT create
>> > multiple copies of a given message that differ in the types
>> > of end-to-end cryptographic protections afforded
>> >
>> > Can it be clarified whether this is meant "to the same email user" ?
>> > A message send to multiple people, of whom only a subset support
>> > encryption, should still send "multiple copies of a given message
>> > that differ in the types of end-to-end cryptographic protections
>>
>> The text does not mean "to the same user" -- it deliberately means (and
>> i think says clearly) "per message" in order to provide a coherent view
>> to all participants of what kinds of cryptographic properties to
>> associate with a given message.
>
> I don't understand "per message" for example in the context of BCC:s,
> where the message to different people have different headers.
Most Bcc systems that i see today (outside of e2ee mail) send exactly
the same message to each recipient. named recipients and bcc'ed
recipients receive the same underlying message.
Even for Bcc implementations that put a literal `Bcc` header field in
the copy of the message sent to the Bcc'ed recipients, they don't alter
the message in any other way. And only one copy of the message lands in
the sender's "sent mail" folder. Doing something as radical as sending
a copy of the message in the clear to some recipients and an encrypted
copy of the same message to other recipients would be a major departure
from the expectation that the message is roughly the same anywhere it
shows up.
>> Your milter is not the only software i've seen that takes this tempting
>> shortcut! ☺ Do you think that any of these implementations can
>> effectively avoid the pitfalls described in that section?
>
> No, it is a terrible solution :)
:) i wish it was easier to get that right! it's certainly appealing
from an engineering perspective.
> I've updated my ballot to No Objection.
thanks!
--dkg
- [lamps] Paul Wouters' Discuss on draft-ietf-lamps… Paul Wouters via Datatracker
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Daniel Kahn Gillmor
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Paul Wouters
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Daniel Kahn Gillmor