Re: [lamps] Common Protected Header practice documented (was "Memory Hole")
Bernie Hoeneisen <bernie@ietf.hoeneisen.ch> Sun, 14 June 2020 14:10 UTC
Return-Path: <bernie@ietf.hoeneisen.ch>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DBB33A0828 for <spasm@ietfa.amsl.com>; Sun, 14 Jun 2020 07:10:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wxCh0Ks5yRIE for <spasm@ietfa.amsl.com>; Sun, 14 Jun 2020 07:10:34 -0700 (PDT)
Received: from softronics.hoeneisen.ch (softronics.hoeneisen.ch [78.46.205.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 231583A081F for <spasm@ietf.org>; Sun, 14 Jun 2020 07:10:33 -0700 (PDT)
Received: from localhost ([127.0.0.1]) by softronics.hoeneisen.ch with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <bernie@ietf.hoeneisen.ch>) id 1jkTLD-000FIJ-Dg; Sun, 14 Jun 2020 16:10:31 +0200
Date: Sun, 14 Jun 2020 16:10:30 +0200
From: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
X-X-Sender: bhoeneis@softronics.hoeneisen.ch
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
cc: IETF LAMPS WG <spasm@ietf.org>
In-Reply-To: <87ftj3pczs.fsf@fifthhorseman.net>
Message-ID: <alpine.DEB.2.22.394.2006141339010.57529@softronics.hoeneisen.ch>
References: <87ftj3pczs.fsf@fifthhorseman.net>
User-Agent: Alpine 2.22 (DEB 394 2020-01-19)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="8323329-1676082590-1592137052=:57529"
Content-ID: <alpine.DEB.2.22.394.2006141513250.57529@softronics.hoeneisen.ch>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: bernie@ietf.hoeneisen.ch
X-SA-Exim-Scanned: No (on softronics.hoeneisen.ch); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/9wPyv7nGYR8AZlfzUrVfWM7ETU0>
Subject: Re: [lamps] Common Protected Header practice documented (was "Memory Hole")
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2020 14:10:36 -0000
Hi Daniel Thanks for this great document! I was finally able to read and assess it. I believe it is quite useful to assist in finding a solution for our chartered work item on Header Protection. I have some questions related to the S/MIME examples: 1) The examples you provide for S/MIME have a simple structure, i.e. the body consist of a single MIME entity. How would an example look with the solution your are proposing, if it was a tree of MIME entities (e.g. text and html as multipart/alternative)? 2) In the examples (e.g. 9.2.) you are using "Content-Type: text/plain", however the content appears to be a full "message/rfc822" email. To me this looks like a mismatch between Media-Type and Content. To my understanding, whatever is in "Content-Type: text/plain" is unformated and is not guaranteed to be parsable. However your proposal suggests to parse this to replace the outer header fields. Have I misunderstood anything? Looking forward to your answer! cheers, Bernie -- http://ucom.ch/ Modern Telephony Solutions and Tech Consulting for Internet Technology On Mon, 4 Nov 2019, Daniel Kahn Gillmor wrote: > Hey LAMPS folks-- > > At (and shortly after) the OpenPGP e-mail summit [0], a group of MUA > developers went ahead and documented the way that several of us have > been handling header protection in a backward-compatible way. > > This bundle of techniques used to be known as "Memory Hole" a while back > but for a couple years now we've been calling it just "Protected > Headers", since "Memory Hole" was confusing and weird for some people. > > Hopefully this document can serve as input for appendix A.1.1 of > draft-ietf-lamps-header-protection-requirements-01 [1]. > > The new draft is at: > > https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers/ > > (it's "draft-autocrypt-…" because it's not a single-person draft, and > because most of the experience we have in this comes from > implementations actively engaged in the Autocrypt project [2]. But it is > not a formal part of the Autocrypt specifications at this time, and it > is not intended to ever be limited to Autocrypt implementations.) > > To whet your appetite, the summary: > > ------- > The Protected Headers scheme relies on three backward-compatible > changes to a cryptographically-protected e-mail message: > > * Headers known to the composing MUA at message composition time are > (in addition to their typical placement as Exposed Headers on the > outside of the message) also present in the MIME header of the > root of the Cryptographic Payload. These Protected Headers share > cryptographic properties with the rest of the Cryptographic > Payload. > > * When the Cryptographic Envelope includes encryption, any Exposed > Header MAY be _obscured_ by a transformation (including deletion). > > * If the composing MUA intends to obscure any user-facing headers, > it MAY add a decorative "Legacy Display" MIME part to the > Cryptographic Payload which additionally duplicates the original > values of the obscured user-facing headers. > > When a composing MUA encrypts a message, it SHOULD obscure the > "Subject:" header, by using the literal string "..." (three U+002E > FULL STOP characters) as the value of the exposed "Subject:" header. > > When a receiving MUA encounters a message with a Cryptographic > Envelope, it treats the headers of the Cryptographic Payload as > belonging to the message itself, not just the subpart. In > particular, when rendering a header for any such message, the > renderer SHOULD prefer the header's Protected value over its Exposed > value. > > A receiving MUA that understands Protected Headers and discovers a > Legacy Display part SHOULD hide the Legacy Display part when > rendering the message. > ------- > > Please don't be put off by the draft length -- nearly half of the > document consists of test vectors that implementers can use to verify > their ability to consume well-formed, protected-header messages. > > I'd be happy to present this work in Singapore if there's space on the > agenda. > > Feedback, critiques, comments, etc, are all welcome. > > Regards, > > --dkg > > [0] https://wiki.gnupg.org/OpenPGPEmailSummit201910 > [1] https://tools.ietf.org/html/draft-ietf-lamps-header-protection-requirements-01#appendix-A.1.1 > [2] https://autocrypt.org/ >
- [lamps] Common Protected Header practice document… Daniel Kahn Gillmor
- Re: [lamps] Common Protected Header practice docu… Bernie Hoeneisen
- Re: [lamps] Common Protected Header practice docu… Alexey Melnikov
- Re: [lamps] Common Protected Header practice docu… Bernie Hoeneisen