Re: [lamps] Header Protection, summary of my today's suggestion
Russ Housley <housley@vigilsec.com> Mon, 08 November 2021 20:02 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFBAC3A10D8 for <spasm@ietfa.amsl.com>; Mon, 8 Nov 2021 12:02:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id whmCrLjaCJRq for <spasm@ietfa.amsl.com>; Mon, 8 Nov 2021 12:02:07 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 036D63A11E7 for <spasm@ietf.org>; Mon, 8 Nov 2021 12:01:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 67A12300BDC for <spasm@ietf.org>; Mon, 8 Nov 2021 15:01:31 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id mBSmisfccvnR for <spasm@ietf.org>; Mon, 8 Nov 2021 15:01:29 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 7D291300B8C; Mon, 8 Nov 2021 15:01:29 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <alpine.DEB.2.22.394.2111081837490.239825@softronics.hoeneisen.ch>
Date: Mon, 08 Nov 2021 15:01:26 -0500
Cc: IETF LAMPS WG <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B1F835F7-56F5-4DD1-A8AF-1249608A5771@vigilsec.com>
References: <alpine.DEB.2.22.394.2111081837490.239825@softronics.hoeneisen.ch>
To: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/FEWP9m1S9IHqlpxzXtvHlCGP6aY>
Subject: Re: [lamps] Header Protection, summary of my today's suggestion
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 20:02:13 -0000
Thanks Bernie. I think the next step is for the authors update the draft to reflect his way forward (or whatever recommend that comes from a sided discussion). Russ > On Nov 8, 2021, at 2:44 PM, Bernie Hoeneisen <bernie@ietf.hoeneisen.ch> wrote: > > Dear LAMPS WG > > As requested I am trying to summarize my suggestion for a compromise to deblock the discussions on the Header Protection Draft. https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/ > > > Background: > > Over the last time we assessed pro and cons of the two proposals "wrapped" (current S/MIME Standard) and "injected" (an alternative) header protection schemes; (the latter with two variants, adding "Legacy Display" variant for signed&encrypted). > > > IMHO the summary on the results of the assessment was roughly: > > - None of the protection schemes is clearly superior to the others > > - In Signed&Encrypted case the "wrapped" scheme clearly prevails > > - While with the "wrapped" scheme some clients require opening an > attachment, with the "injected" scheme all assessed clients do NOT > render ANY subject. The "legacy display" improves the situation > with some clients, but makes things much worse with Outlook. > > - In Signed-Only there is a difference between S/MIME aware and > non-S/MIME aware clients > > - For S/MIME aware clients there is no clear "winner". (With the > "wrapped" scheme some clients require opening an attachment, while > with "injected" scheme all assessed clients can not render the > protected subject (unprotected subject only). > > - For S/MIME unaware legacy clients in certain cases, it seems more > likely that the messages can be rendered with the "injected" scheme > using multipart (however also with the unprotected Subject only) > compared to the "wrapped" scheme. (Note: This aspect was not assessed > thoroughly) > > In short: The only case, where the "injected" scheme seems to a better choice than the currently standardized "wrapped" scheme is for signed-only messages sent to with S/MIME unaware clients. > > For more complete information, please refer to the streams of LAMPS@IETF-111 (July 2021). > > > My Sugggestion: > > - Keep the "wrapped" header protection scheme as the default in the S/MIME standard for all cases. > > - Provide clear instructions to help implementors on how to update S/MIME clients that still need the reader to click on the attachment to render a wrapped message. > > - Allow "injected" as an option for the case "Signed-Only & multipart", to provide a mechanism for sending-clients to help S/MIME unaware receiving-clients to render the message. > > > Note: > > Fixing clients to automatically render "wrapped" messages is a fairly easy and straight-forward change. Clients like Apple-Mail or Thunderbird do this already, while for Outlook there is a Plugin implementing such a rendering functionality for pEp (cf. https://pep.software/outlook/ ). > > Hope that helps and that I did not leave out important information in an attempt to keep this summary shortish. > > All the best, > Bernie > > > -- > > http://ucom.ch/ > Modern Telephony Solutions and Tech Consulting for Internet Technology > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] Header Protection, summary of my today's … Bernie Hoeneisen
- Re: [lamps] Header Protection, summary of my toda… Russ Housley
- Re: [lamps] Header Protection, summary of my toda… Daniel Kahn Gillmor