IETF Logo Mail Archive

Re: [Spasm] Suggestions for draft-schaad-rfc5751-bis-00.txt

Wei Chuang <weihaw@google.com> Mon, 02 May 2016 19:04 UTC

Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12E8512D617 for <spasm@ietfa.amsl.com>; Mon, 2 May 2016 12:04:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.696
X-Spam-Level:
X-Spam-Status: No, score=-3.696 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1bCXttpzC_Zm for <spasm@ietfa.amsl.com>; Mon, 2 May 2016 12:04:18 -0700 (PDT)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C002B12D607 for <spasm@ietf.org>; Mon, 2 May 2016 12:04:17 -0700 (PDT)
Received: by mail-ob0-x22e.google.com with SMTP id dm5so23220586obc.1 for <spasm@ietf.org>; Mon, 02 May 2016 12:04:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=OMD9uEzeysPWSJROGppdJiTV2pF/PZygm6a8MpgnyE4=; b=bvI0X302bgOWtxdS4nJIR89oJntpsJRZ2hQsLWg1pW6Rd4kdWL/EvNzDxPR2dZIXQG SAcP4r5ToIDRu2wCt5XTinuRrYJGpAbBw1u7JuCD/2b8a5o7umTLjvTfmYqjgg0HXUXH SwaoOtdwOFTX/zs4SI7CKGRA77nYJRAGyPiiM2zoJ6MdOVuzLGvoYTGKf+7AQPhbfQRZ qZKStjeMCTvRtz5ORHL5/oV11AHQrX25U586UvvOa4NeWTh1X5tIagE+2pCEb4S88gy/ 7pzZt5Pza64C18cAF+KgX/N5hrwjDnl0NMRR/Erdi3iYucZK/q5MBZvmCnx4OOWNbMsG x5YA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=OMD9uEzeysPWSJROGppdJiTV2pF/PZygm6a8MpgnyE4=; b=EsZi0SfD8iF0JRqWYBGZTObsr2kjyS9DFoC3xJ02NTvxhadLlT5vNbGMqKcF3bDwTi Th7NLscD+sZRT4MHx7WypdSv4EhYuHAFL/nlzFR1dPkVNzwPyNJ2qw+tMXeUyWOoJ+4h Jq21LKovBK9cCqOa3DE4czsnZs5J+K/7UiP6F6aphSpGCYN40IMFT+KZsEksU0WCnX45 WuCHRFSqzLwWO6ZCInz0QXHemdcBB5F82tcuO4bypQSLpXMt0TWUXN+ATwYlG8iabXEv GFDzzgVHxnX//J2FdUS5KhPz9MawnFO69zXeW2C2HS5Wy5qhSOWyR4+S2LBxhvUyGIL6 a9xg==
X-Gm-Message-State: AOPr4FVFwyLmIpgQWExCbYpX2YmSmmtoOA9DVYHwMFfNq2YtaXtJm8IhXR6YEXf3BL9p/b5KUMJhD5GBGcJMvW1O
MIME-Version: 1.0
X-Received: by 10.182.18.208 with SMTP id y16mr1376689obd.32.1462215856997; Mon, 02 May 2016 12:04:16 -0700 (PDT)
Received: by 10.157.35.36 with HTTP; Mon, 2 May 2016 12:04:16 -0700 (PDT)
In-Reply-To: <0afc01d1a35a$667346f0$3359d4d0$@augustcellars.com>
References: <CAFTDvC5g5CeY0V4xO3NahYc226BMOF5QCCK41_admqiz88ZZ3Q@mail.gmail.com> <CAAFsWK1J3baG7=KHpD67q9Uzt48tja=Dejud5xJrUT0HWp=HBw@mail.gmail.com> <0afc01d1a35a$667346f0$3359d4d0$@augustcellars.com>
Date: Mon, 02 May 2016 12:04:16 -0700
Message-ID: <CAAFsWK0N0fMcA03KGc0vBHJc9dQmY1Aw=X3mnHCWeZn8bvVScg@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="f46d043be138be437a0531e0a891"
Archived-At: <http://mailarchive.ietf.org/arch/msg/spasm/JxECL80GnsNjfmLLrRPO6PRPllM>
Cc: spasm@ietf.org, Laetitia Baudoin <lbaudoin@google.com>
Subject: Re: [Spasm] Suggestions for draft-schaad-rfc5751-bis-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2016 19:04:33 -0000

On Sat, Apr 30, 2016 at 8:34 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> Wei,
>
>
>
> See below.
>
>
>
> *From:* Spasm [mailto:spasm-bounces@ietf.org] *On Behalf Of *Wei Chuang
> *Sent:* Friday, April 29, 2016 1:52 PM
> *To:* Laetitia Baudoin <lbaudoin@google.com>
> *Cc:* spasm@ietf.org
> *Subject:* Re: [Spasm] Suggestions for draft-schaad-rfc5751-bis-00.txt
>
>
>
> First thanks goes to the authors of draft-schaad-rfc5751-bis-00 for doing
> the update.
>
>
>
> On Fri, Apr 29, 2016 at 12:44 PM, Laetitia Baudoin <lbaudoin@google.com>
> wrote:
>
> Hi,
>
> Could we update the text in section 3.4 [Creating an Authenticated
> Enveloped-Only Message]?
>
>
> Currently it states:
> -----
>
> This section describes the format for enveloping a MIME entity
>    without signing it.  It is important to note that sending
>    authenticated enveloped but not signed messages does not provide for
>    authentication or non-repudiation.  It is possible to replace
>    ciphertext in such a way that the processed message will still be
>    valid, but the meaning can be altered.
>
> -----
>
> Which is incorrect: alterations to the encrypted part of the message
> would be detected.
> The problem is that authenticated encryption alone does not prove
> anything about the sender.
>
>
> An alternative to the last sentence could be something like "It is
> possible to change the sender without altering the validity of the
> processed message".
>
>
>
>
> +1   Also I'm bothered by the second sentence as too alarming as potential
> uses would presumably find a means to authenticate.
>
>
>
> [JLS] See my comments to Laetitia on why I don’t think authentication is
> a viable option here.
>
>
>
> As this update also adds AES-GCM, can draft-housley-cms-chacha20-poly1305-00
> be considered too?  That would help authenticated encryption algorithm
> diversity.
>
>
>
> [JLS]  As Russ said in his mail, the actual draft is not going through
> this proposed working group.  I would be open to having both AES-GCM and
> ChaCha/Pol1305 as being listed as AEAD algorithms to be supported by the
> message specification.  I added in AES-GCM only because I needed to place
> some algorithm in the draft to motivate the reason for adding the CMS
> authenticated encryption algorithm.
>
>
>
> Also does this means that updating algorithms in general will be covered
> in this pass?  If so, can keysize and algorithm deprecation occur e.g. drop
> md5?
>
>
>
> [JLS] Sean is unhappy, but I do believe that since the draft is open all
> of these issues are open as well.  I am not really sure what I want to say
> about MD5 the current draft says it is supported so you can talk to (and
> potentially read old message from) S/MIME v2 implementations.  Are we
> really sure that we want to shut off this option given that S/MIME v2 was
> only made historical by RFC 5751 in 2010.  I think we need to be careful
> about how we make recommendations on MD5, but potentially doing a verify
> but don’t send makes sense.
>

I understand backwards compatibility is going to be a thorny issue, but at
the same time (and I'm sure this is preaching to choir) the overall
security depends upon the weakest link.  And for md5 and weak 512b RSA key
sizes have (well) known attacks (e.g Flame, and DKIM email hack to Larry
Page hack just as examples).  It'll be much harder to trust a security
protocol that already at the specification level  allows vulnerable
messages as authentic and private.

How about a different approach.  What about allowing support for historic
keysizes and algorithms (of which I think md5 belongs) so archived messages
can be read.  However no assertion about the authenticity, integrity or
privacy of messages using historic key sizes and algorithm be made, and
supporting UI's must not provide assurances as such.  And only messages
using updated v3.5 S/MIME key sizes and algorithm are allowed to be
considered authentic and private.


>
>
> We need to have a strawman to discuss on key sizes, but this is normally a
> very controversial topic.
>
>
>
> For possible work much farther down the road, I would suggest that section
> 3.1 and details of wrapping messages in "message/rfc822" be clarified.
>
>
>
> [JLS] What are the things you want to be able to do that is not covered?
> This was heavily discussed at the time the original RFC was done and it was
> not possible to get any consensus about how to make this clearer than what
> it is.
>

Indeed I was wondering as such.  Hopefully things may be easier this time
as there was strong interest in header privacy recently (certainly at
IETF-94).

Perhaps it might be possible to limit the scope to make it more feasible?
The most useful header will be finding a specification for allowing
"Subject:" to be hidden in the message/rfc822 part, and for it to be
restored upon decryption.  Followed by "Date:".  Ideally the sender and
recipient headers could be protected as well but there's the issues that
you point out.


> Indeed, there were tons of problems with deciding how to address what
> fields are to be duplicated, what fields can be hidden, how to
> show/highlight what happens in the event of a conflict between the fields.
> Think about the situation of sending a signed message to the spasm mailing
> list.  In that event you get a new header added called sender that changes
> how Outlook displays who the message is coming from.  (Consider a case
> where sender privacy is enforced by the mailing list.)   The headers which
> are authenticated by DKIM are no longer the same as the ones in the
> message.
>

Would it help to start a separate discussion thread about this?  Perhaps
break out the scenarios for the different headers of interest?

-Wei


> There are lots of problems that need to be dealt with if we are going to
> “clarify” this language.
>
>
>
> Jim
>
>
>
>
> Thanks,
>
> -Wei
>
>
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>
>
>

v2.23.0 | Report a Bug | By Email