Re: [lamps] Martin Duke's Yes on draft-ietf-lamps-e2e-mail-guidance-15: (with COMMENT)
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 14 March 2024 00:04 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B584C1516EB; Wed, 13 Mar 2024 17:04:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.312
X-Spam-Level:
X-Spam-Status: No, score=-1.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="ANptFr31"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="Btps4ktv"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qewI6-sFuAdq; Wed, 13 Mar 2024 17:04:31 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5170CC14F60D; Wed, 13 Mar 2024 17:04:29 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1710374667; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=cHcgHmtnUq+w/g37hNDzdZdV+lezuQypdL5HHsXZoPA=; b=ANptFr31ssgDWqFcg9EL0lnUMzZoC20sqvDkvf8WUaI0AgaKfggT5icYEp0HSAz3iRddC lErtN/VJ9YoQNM4BA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1710374667; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=cHcgHmtnUq+w/g37hNDzdZdV+lezuQypdL5HHsXZoPA=; b=Btps4ktvEzKXBSldzswbhfmJdxJnIyv3d+PwALpPvDDIYJGbc3MomQGXO5kPsSFhHyK9h EulTDFm3l5FvvOsBNxCAyicRKLN8YdCcdJecYuxDpOTAKbmkRcQE2xxm16hWKPdSyn0R9qo 5fDNUojonxHKIXIPqCCN21VSkaG7eTe5Az4QZii3P1yixFE8c/feWh8VBc2Lpyi5ZUayUqE OiEtrBIkARn+iRab88Wo+mzNnewTcDwZ56kJI7MS4jjLU8sZqr343JF6PreAZB89w8GF6pC CHJI2uByd1kwhW6XIs0ZUzxX3IZNrk0R78EyNrXntIJ5nxy4bkropBh0ivDw==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 8DC87F9D8; Wed, 13 Mar 2024 20:04:27 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id F3C2020462; Wed, 13 Mar 2024 20:04:24 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Martin Duke <martin.h.duke@gmail.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-lamps-e2e-mail-guidance@ietf.org, lamps-chairs@ietf.org, spasm@ietf.org, housley@vigilsec.com, housley@vigilsec.com
In-Reply-To: <170967311991.24872.5143269839183143624@ietfa.amsl.com>
References: <170967311991.24872.5143269839183143624@ietfa.amsl.com>
Autocrypt: addr=Daniel Kahn Gillmor; prefer-encrypt=mutual; keydata= xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/YO+5Zi7HCi QQfFgoAMQWCZadnIAUJBdtHCwMLCQcDFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu36RAUlea/ cACgkQu36RAUlea/edDQD+M2QjnoEyu/TjI+gRXBpXQ5jCsnnp9FdYhaSSUW/vZ8kBAJByWlj A9aMfVaVrmvgcYw7jzJz+gmZspBRB++5LZ20NzRc8ZGtnQGZpZnRoaG9yc2VtYW4ubmV0PsLA EQQTFgoAeQMLCQdHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEu/CS CeyWwC6j4ihJr2u/z6delsF1pvYW3ufgf1L538DFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu3 6RAUlea/cFAmWnX5AFCQXZ8EUACgkQu36RAUlea/cjVwD+ONjdHM74rAa6EEiiqaPjlptiaZx CVqFYXnib6EbZARkBAPnnR8pW8vCBnDXHKu65jNqwF3aH761NaOqqMFfppg8GzjMEZXEJyxYJ KwYBBAHaRw8BAQdAjX25Fq2Q9IUFeHy6yByIQPBnFOedFliuEiCIUzJsENDCwMUEGBYKAS1HF AAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnwqKWsw56uoWVLIFcs7ZecJ gwpsSNevWCzbviKQ8yRLUCmwK+oAQZFgoAbwWCZXEJywkQdy0WHjXNS4FHFAAAAAAAHgAgc2F sdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEIJSOxuw2y/UJmg5M3BLpN0JYjODZpXiEVFu 1byARzMWIQR0vATEPYYIS+hnLAZ3LRYeNc1LgQAAsH8BAKg1C5LK/D7pSkXCD+jfTSP+CqM58 iHLjh4vKhpOKsTJAQCHldtEjxJ1ksPTFgG9HihHH7qc6/wvvLw77ETMpwlrAxYhBNR3BAxwwh VqXCmFSbt+kQFJXmv3BQJlp1+rBQkCF4lgAAoJELt+kQFJXmv3ydsA/2roQZ2Jm/7iUrg/2C5 ClWA/xbvPC31LyMkGGH2/rq8tAP9BgqLuCPnNTVPqeX9+9qqMmaFq7wmvjq5I+yycAw9CDc44 BGVxCcsSCisGAQQBl1UBBQEBB0BZMsRrRaaeFSYMF1ZdfRmVgBriDUIr99eDQ085BK14DgMBC AfCwAYEGBYKAG5HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnsazAWX tEHUPmSTmcRZAIsAsNiO8k0hdjsfRlRVipgJgCmwwWIQTUdwQMcMIValwphUm7fpEBSV5r9wU CZadfqwUJAheJYAAKCRC7fpEBSV5r90AjAPwLgY1iKiFJEj32SVD5f721929l79VxQB5FlQss x1n5kQEA6Uct2tPvbB6T7p5KG3Gl+tbi7oJAuxFmpkpW5/N2Owg=
Date: Wed, 13 Mar 2024 20:04:23 -0400
Message-ID: <87y1al8yrc.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LatpXJZpzW_yitwk6-BgqG_Vh2Y>
Subject: Re: [lamps] Martin Duke's Yes on draft-ietf-lamps-e2e-mail-guidance-15: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 00:04:35 -0000
Hi Martin-- Thanks for your review of draft-ietf-lamps-e2e-mail-guidance. On Tue 2024-03-05 13:11:59 -0800, Martin Duke via Datatracker wrote: > Would it be worthwhile to discuss the handling of encrypted email with obsolete > ciphers, as is done in (6.4) for signatures? This is a great point, since the document deals with store-and-forward systems and historical/legacy data, some of which is likely to contain this kind of stale mechanic. I'm tracking this as: https://gitlab.com/dkg/e2e-mail-guidance/-/issues/17 I've also proposed a new subsection, next to the "signature failures" subsection, to address this concern in a similar way to the way the draft already handles "Errant Encryption Layers": https://gitlab.com/dkg/e2e-mail-guidance/-/merge_requests/14 The proposed text reads: ------ ## Weak Encryption Sometimes, a MUA might encounter a message with a well-formed Cryptographic Envelope that uses a form of encryption with substantial known flaws. For example, a PGP/MIME message might use a Symmetrically Encrypted Data packet, which is known to have malleable ciphertext (see {{Section 5.7 of I-D.ietf-openpgp-crypto-refresh-13}}). ِAs another example, an S/MIME message may use an `enveloped-data` MIME part with a `contentEncryptionAlgorithm` of `rc2-cbc` with `rc2ParameterVersion` of 160, meaning a 40-bit key (see {{Section 5.2 of ?RFC3370}}), which is widely considered breakable via brute force with moderate hardware investment in 2024. As cryptanalysis and hardware capacities advance, an implementation may widen the scope of what encryption mechanisms are considered weak. A receiving MUA MUST warn the user that such a message has a known weakness. The receiving MUA MAY decline to decrypt such a message at all. If it decides to decrypt a message with a weak encryption layer, it MUST NOT indicate in the message's Cryptographic Summary that the message was encrypted, as the confidentiality of the message is suspect. This is similar to the approach taken in {{errant-encryption-layer}} for messages with an Errant Encryption Layer. Like the Errant Encryption Layer situation, there is an asymmetry between rendering and replying to a message with weak encryption. The guidance in {{reply-to-errant-encryption}} should be followed when replyingn to a message with weak encryption as well. A receiving MUA MAY also treat historically archived messages with weak encryption differently from modern messages. For example, if an encryption algorithm was known to be weak in 2005, then a message that appears to have been encrypted with that algorithm in 1995 might decrypted with a warning, as an archival service. But a message that appears to have been encrypted with that same weak algorithm in 2015 might be quarantined as a likely attack. There are several possible ways to distinguish a historical message from a modern one, including: - The message timestamp (e.g., the `Date` header field) - The time the message was first observed on the network (e.g., delivery of a new message via IMAP from a mailbox that had recently checked) - The timestamp in any signature observed in the message - The message structure (a message composed using protocol elements that were invented after the encryption algorithm was known weak is likely to be an attack than a legitimate archival message) ----- If this proposed text is too controversial to accept, and we can't manage to arrive at non-controversial guidance, i'd be happy to consider a short note in the Future Work appendix to flag this as something to be considered later. Regards, --dkg
- [lamps] Martin Duke's Yes on draft-ietf-lamps-e2e… Martin Duke via Datatracker
- Re: [lamps] Martin Duke's Yes on draft-ietf-lamps… Daniel Kahn Gillmor
- Re: [lamps] Martin Duke's Yes on draft-ietf-lamps… Martin Duke