IETF Logo Mail Archive

Re: [lamps] Common Protected Header practice documented (was "Memory Hole")

Bernie Hoeneisen <bernie@ietf.hoeneisen.ch> Sun, 14 June 2020 14:10 UTC

Return-Path: <bernie@ietf.hoeneisen.ch>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DBB33A0828 for <spasm@ietfa.amsl.com>; Sun, 14 Jun 2020 07:10:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wxCh0Ks5yRIE for <spasm@ietfa.amsl.com>; Sun, 14 Jun 2020 07:10:34 -0700 (PDT)
Received: from softronics.hoeneisen.ch (softronics.hoeneisen.ch [78.46.205.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 231583A081F for <spasm@ietf.org>; Sun, 14 Jun 2020 07:10:33 -0700 (PDT)
Received: from localhost ([127.0.0.1]) by softronics.hoeneisen.ch with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <bernie@ietf.hoeneisen.ch>) id 1jkTLD-000FIJ-Dg; Sun, 14 Jun 2020 16:10:31 +0200
Date: Sun, 14 Jun 2020 16:10:30 +0200
From: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
X-X-Sender: bhoeneis@softronics.hoeneisen.ch
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
cc: IETF LAMPS WG <spasm@ietf.org>
In-Reply-To: <87ftj3pczs.fsf@fifthhorseman.net>
Message-ID: <alpine.DEB.2.22.394.2006141339010.57529@softronics.hoeneisen.ch>
References: <87ftj3pczs.fsf@fifthhorseman.net>
User-Agent: Alpine 2.22 (DEB 394 2020-01-19)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="8323329-1676082590-1592137052=:57529"
Content-ID: <alpine.DEB.2.22.394.2006141513250.57529@softronics.hoeneisen.ch>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: bernie@ietf.hoeneisen.ch
X-SA-Exim-Scanned: No (on softronics.hoeneisen.ch); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/9wPyv7nGYR8AZlfzUrVfWM7ETU0>
Subject: Re: [lamps] Common Protected Header practice documented (was "Memory Hole")
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2020 14:10:36 -0000

Hi Daniel

Thanks for this great document! I was finally able to read and assess it. 
I believe it is quite useful to assist in finding a solution for our 
chartered work item on Header Protection.

I have some questions related to the S/MIME examples:

1) The examples you provide for S/MIME have a simple structure, i.e. 
the body consist of a single MIME entity. How would an example look with 
the solution your are proposing, if it was a tree of MIME entities (e.g. 
text and html as multipart/alternative)?

2) In the examples (e.g. 9.2.) you are using "Content-Type: text/plain", 
however the content appears to be a full "message/rfc822" email. To me 
this looks like a mismatch between Media-Type and Content. To my 
understanding, whatever is in "Content-Type: text/plain" is unformated and 
is not guaranteed to be parsable. However your proposal suggests to parse 
this to replace the outer header fields. Have I misunderstood anything?

Looking forward to your answer!

cheers,
  Bernie

--

http://ucom.ch/
Modern Telephony Solutions and Tech Consulting for Internet Technology


On Mon, 4 Nov 2019, Daniel Kahn Gillmor wrote:

> Hey LAMPS folks--
>
> At (and shortly after) the OpenPGP e-mail summit [0], a group of MUA
> developers went ahead and documented the way that several of us have
> been handling header protection in a backward-compatible way.
>
> This bundle of techniques used to be known as "Memory Hole" a while back
> but for a couple years now we've been calling it just "Protected
> Headers", since "Memory Hole" was confusing and weird for some people.
>
> Hopefully this document can serve as input for appendix A.1.1 of
> draft-ietf-lamps-header-protection-requirements-01 [1].
>
> The new draft is at:
>
>    https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers/
>
> (it's "draft-autocrypt-…" because it's not a single-person draft, and
> because most of the experience we have in this comes from
> implementations actively engaged in the Autocrypt project [2]. But it is
> not a formal part of the Autocrypt specifications at this time, and it
> is not intended to ever be limited to Autocrypt implementations.)
>
> To whet your appetite, the summary:
>
> -------
>   The Protected Headers scheme relies on three backward-compatible
>   changes to a cryptographically-protected e-mail message:
>
>   *  Headers known to the composing MUA at message composition time are
>      (in addition to their typical placement as Exposed Headers on the
>      outside of the message) also present in the MIME header of the
>      root of the Cryptographic Payload.  These Protected Headers share
>      cryptographic properties with the rest of the Cryptographic
>      Payload.
>
>   *  When the Cryptographic Envelope includes encryption, any Exposed
>      Header MAY be _obscured_ by a transformation (including deletion).
>
>   *  If the composing MUA intends to obscure any user-facing headers,
>      it MAY add a decorative "Legacy Display" MIME part to the
>      Cryptographic Payload which additionally duplicates the original
>      values of the obscured user-facing headers.
>
>   When a composing MUA encrypts a message, it SHOULD obscure the
>   "Subject:" header, by using the literal string "..." (three U+002E
>   FULL STOP characters) as the value of the exposed "Subject:" header.
>
>   When a receiving MUA encounters a message with a Cryptographic
>   Envelope, it treats the headers of the Cryptographic Payload as
>   belonging to the message itself, not just the subpart.  In
>   particular, when rendering a header for any such message, the
>   renderer SHOULD prefer the header's Protected value over its Exposed
>   value.
>
>   A receiving MUA that understands Protected Headers and discovers a
>   Legacy Display part SHOULD hide the Legacy Display part when
>   rendering the message.
> -------
>
> Please don't be put off by the draft length -- nearly half of the
> document consists of test vectors that implementers can use to verify
> their ability to consume well-formed, protected-header messages.
>
> I'd be happy to present this work in Singapore if there's space on the
> agenda.
>
> Feedback, critiques, comments, etc, are all welcome.
>
> Regards,
>
>        --dkg
>
> [0] https://wiki.gnupg.org/OpenPGPEmailSummit201910
> [1] https://tools.ietf.org/html/draft-ietf-lamps-header-protection-requirements-01#appendix-A.1.1
> [2] https://autocrypt.org/
>

v2.23.0 | Report a Bug | By Email