Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-e2e-mail-guidance-15: (with DISCUSS and COMMENT)
Paul Wouters <paul.wouters@aiven.io> Sun, 17 March 2024 08:16 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4149DC151991 for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2024 01:16:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zb_JuCfTXsvX for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2024 01:16:14 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4C80C151069 for <spasm@ietf.org>; Sun, 17 Mar 2024 01:16:14 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-56899d9bf52so4406596a12.2 for <spasm@ietf.org>; Sun, 17 Mar 2024 01:16:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1710663373; x=1711268173; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=F9WfAm7SgSdGqFZDkE0VgNztwjhNI848ZGp98C85+m4=; b=MmVjGW+FGTaVXucUe+CyL1n4fXWSUfrwNDeby2YUQW7eI6Clik3vOEaKT9WJ+Dw968 J8Y/bwPVCR+tPj9hW9JxnfXCbKpGWy7z3JpKv/PYgnjM4UNZ2v0JNxvOFUSJ95wxdWTm Tff66XviVK/or2CGYQT6NlvbpT8uyyBNLiRQc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710663373; x=1711268173; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=F9WfAm7SgSdGqFZDkE0VgNztwjhNI848ZGp98C85+m4=; b=PHmY7gccQq52Gs2J5fndSSgyLNEsWNTmOutJw63KmXtA+qDv7jDbrIVfYU7x3m5HOU lg7sOrMvw6NqXP6n/zzH1c9JmxNa3Gs2L178IxN848x6WCCAlxB2n67W1iDatlLEXbT1 V66STR9MnSocx9muMg60+avXUbXV0s8Y9oVofk2mxwzfT4t7E6HBtZ60e+4UPw4wr1DL JXOyCsLclmuLqfZPKCJkNUh/K0MvXgjwZgLJTBb6aFNE6zvlTewf71EGxT/cmuZSSaQz OutNjtBfEEtLhdGE9uowAhc70Hf8Yk6WHl9szNCeU2hw/gd7r54GOKi6iVUyyK+LIyFB M9FQ==
X-Forwarded-Encrypted: i=1; AJvYcCXzQeoma8EjbcaCUSCszlrfEFnh9AQGqvkJGw7O8vSysB73exAraeKv9/J+i9FHyLUJ/zbqKXr2K15iOdcQ/Q==
X-Gm-Message-State: AOJu0YxBNRIemeTUZkqUgLD4KG8ZMuLBW5vJ6dYBg9Ku8sPDUW5fdqXD T4BSI9gGxJrysja6LocyjOAyNV+2UFkckOdKkEhuAqSJMQl7TBMZvUELFhDJQ7wi2ZyyQGMlp+W WB0pZ2H4MRurGGu4wB+lUx6w1/UZE4p++DH4Fh91fWkzNhBEfp5fgmg==
X-Google-Smtp-Source: AGHT+IFGT/wrJ64QjdTYov2Nq/+EGf7jdb48POfNEGquuGS5LnEch3On86nR2Et/vz2KgNEjYEjfSvofS9iaQCf4U5E=
X-Received: by 2002:a05:6402:28c8:b0:565:a6a4:2ecc with SMTP id ef8-20020a05640228c800b00565a6a42eccmr6399770edb.2.1710663372826; Sun, 17 Mar 2024 01:16:12 -0700 (PDT)
MIME-Version: 1.0
References: <170969517060.45916.11010011783885804824@ietfa.amsl.com> <87a5n29bk7.fsf@fifthhorseman.net>
In-Reply-To: <87a5n29bk7.fsf@fifthhorseman.net>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Sun, 17 Mar 2024 18:16:01 +1000
Message-ID: <CAGL5yWbfoX8SnQyAQzggN-2Z1HhTTkMSeebEh-P9k5EhkDmzzw@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-lamps-e2e-mail-guidance@ietf.org, lamps-chairs@ietf.org, spasm@ietf.org, housley@vigilsec.com
Content-Type: multipart/alternative; boundary="000000000000ab70210613d6dae1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MwWbLQch-4FMPaV0kyBSnqHZvzU>
Subject: Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-e2e-mail-guidance-15: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2024 08:16:19 -0000
On Thu, Mar 14, 2024 at 6:48 AM Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > > I think what you want here are also known as "deniable" messages. On > more sophisticated platforms (e.g., OTR), those messages are still > authenticatable by the recipient (because they are authenticated with an > established shared secret between the pair of communicants), but they > are repudiable by both parties involved because either party can claim > the other party generated the message. > > The fact that the messages are authenticatable is critical for many of > the systems that use e2ee mail, including things like verification of > protected headers. > I am not sure I'd agree with "critical". I see it more as a user option, a choice of the sender to hand out such cryptographic proof or not. There is an unmistakable difference if we sit at a bar and I tell you "Roman is impossible to work with", versus a crypto graphically signed message of the same. In other words, mandating digital signatures can surely stifle free speech via email. > However, there are no standardized mechanisms for producing > authenticatable-yet-repudiable e-mail messages in 2024 that i'm aware > of. Encrypted-only messages do not meet this requirement, because they > are not authenticatable by the recipient. Rather, they are trivially > forgeable by someone outside the conversation. > We don't disagree here. > Even if we did have a standardized mechanism for providing > authenticatable-but-repudiable e-mail messages, it's not clear what the > actual use case for this is. If the concern is repudiation in front of > a third-party arbiter that is bound by law, most of those arbiters are > just fine accepting "cryptographically deniable" evidence as evidence > (e-mail messages with no e2e cryptographic protections have been > introduced in court cases in every jurisdiction i'm aware of). If your > concern is a third-party arbiter who is not bound by law, then i'm not > sure why they would care about cryptographic claims of repudiation. > The choice of medium can be based on the informal vs formal nature of it. A slack message can be a lot more informal than an email. Or a text message can be seen as informal too. Or a DM on various platforms. My concern is that you are raising the informality of email to a new formality that is not what some people come to expect of it. > At any rate, this document tries to offer guidance on strong, usable > end-to-end cryptographic protections of e-mail messages. Offering the > user the opportunity to generate non-authenticatable messages requires > (a) presenting another choice that most users are not prepared to make > or understand, and (b) makes it harder for the recipient MUA to reason > about messages. That's why the document strongly discourages this > choice. > "Warning: this message was encrypted but not digitally signed. It could be a forgery". I'm not sure if the IETF should step too deep into the UI parts. I'm mostly pushing back at you trying to make sending encrypted unsigned messages a MUST NOT. If you could quantify that, I would be much happier. > > > Section 6: > > > > the certificate used to verify the signature does not > > correspond to the author of the message. (for X.509, there is no > > subjectAltName of type rfc822Name whose value matches an e-mail > > address found in From: or Sender:) > > > > So how about: From: "Daniel Kahn Gillmor <paul@nohats.ca>" ? > > The document currently treats the e-mail address as the sender identity, > and doesn't grapple with the human-readable name at all. > But how useful is the advise of this draft if all these out of scope things are not part of the discussion? > I've opened https://gitlab.com/dkg/e2e-mail-guidance/-/issues/14 I see you addressed it in https://gitlab.com/dkg/e2e-mail-guidance/-/commit/fc7fe640873e2725e2d43c5381975acc59cd45f7 Thanks! > Section 9.1 talks about storing Sent Mail encrypted, but does not > > talk about how one would "search" their email content. Perhaps it > > can also mention keeping a Sent Mail folder on the user's own device, > > such as a laptop with whole disk encryption. But I feel not mentioning > > this issue at all is missing an important point of why people want > > decrypted Sent Mail or why they don't want encrypted Sent Mail. > > You're right that this is a serious issue, but the document does touch > on these concerns (albeit without trying to mandate a particular path > forward), in the "future work" appendix: > > > https://www.ietf.org/archive/id/draft-ietf-lamps-e2e-mail-guidance-15.html#name-indexing-and-search-of-encr > > If you want to propose more text to add to that section, I'm happy to > review. > I guess the text you have is fine. > > > Section 9.4 asks: > > > > When a message is encrypted, if there is a mechanism to include > > the certificates of the recipients, whose certificates should > > be included? > > > > I think that answer is always "not the BCC'ed recipients", so I wonder > > why this is a question and not a requirement. Also the last bullet in > > 9.4.1 states that too. Maybe restate it as a description to solve in > > 9.4.1 by saying it more like "When a message is encrypted and recipient > > certificates are included, the Bcc:ed recipients need to be carefully > > considered". > > Section 9.4 starts with a list of questions that need answering. > Section 9.4.1 provides one straightforward and internally coherent set > of answers for all of those questions, and 9.4.1.1 provides a rationale > for that approach. > I guess it is a style issue, so I will drop my complaint on this. > There could be other approaches which provide an internally coherent and > satisfying response to these open questions, but this document doesn't > try to weigh in on them. > > > Section 9.4.1: > > > > * No cryptographic payload contains any Bcc header field. > > > > Since headers are not encrypted, isn't this always the case? > > Headers are included in the cryptographic payload, because section 9.3 > mandates the use of draft-ietf-lamps-header-protection. > Ah I missed that. thanks. > > > * The main copy of the message is signed and encrypted to all > > named recipients and to the sender. A copy of this message is > > also stored in the sender's Sent folder. > > > > Maybe this should more clearly state that it includes the BcC: header? > > What includes the Bcc header? As i read it, the main copy described > here does *not* include the `Bcc` header field, as the Bcc'ed parties > are neither named recipients nor the sender. > > > * To the extent that spare certificates are included in > > the message, each generated copy of the message should > > include certificates for the sender and for each named > > recipient. Certificates for Bcc'ed recipients are not included > > in any message. > > > > So here is another possible leak. Earlier text said certificates could > > be omited if one knew for sure the parties already knew each other's > > certificate. So if the sender and recipient know each other's > certificate, > > but the sender doesn't know if the Bcc:ed recipient knows the (openly) > > recipients certificate, it must not add the certificate or else the Bcc: > > to "someone" becomes exposed to the recipient. I think the bullet point > > is better reframed as "Any Bcc:ed recipient MUST NOT be taken into > > consideration when determining which certificates to include along the > > message.". > > Good catch, thanks. I've opened > https://gitlab.com/dkg/e2e-mail-guidance/-/issues/15 Thanks. > Section 9.6 it seems option 1 and 2 are really not worth considering > > or mentioning. It also seems a 5th option is missing - compose two > > seperate emails with only the seperated recipients in each of the emails. > > I think option 2 is definitely worth considering. In the situation > where a message must be encrypted, and one of the recipients' keys have > been revoked, for example, it may be critical to exclude that recipient. > I'll drop my issue on this. > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Section 2: > > > > so interface elements that get in the way of communication should > > be avoided where possible. > > > > That "in the way" carries a lot of weight :P > > changed to "interferes with", but… yeah, that is definitely a > challenging metric either way. > > > on every alternate messaging service > > > > Maybe remove "alternate"? or so "on all of the many" ? > > I think we can change that to "on the various non-e-mail messaging > services". > > > > > For comprehensibility, a conformant MUA SHOULD NOT create > multiple > > copies of a given message that differ in the types of end-to-end > > cryptographic protections afforded > > > > Can it be clarified whether this is meant "to the same email user" ? > > A message send to multiple people, of whom only a subset support > > encryption, should still send "multiple copies of a given message > > that differ in the types of end-to-end cryptographic protections > > The text does not mean "to the same user" -- it deliberately means (and > i think says clearly) "per message" in order to provide a coherent view > to all participants of what kinds of cryptographic properties to > associate with a given message. > I don't understand "per message" for example in the context of BCC:s, where the message to different people have different headers. > Do you want to propose text that would make that even clearer? > I can't because I dont fully understand what you are trying to coney. > The user's typical mental model is that there is a single e-mail message > that is potentially available to multiple parties. the question "did > Juliana get this e-mail?" is a reasonable, understandable, and > answerable question for normal users; yet it relies on this unstated > assumption. If we want users to understand the protections they are > getting (which i think is critical if you really want robust end-to-end > cryptographic protections), we should be discouraging behavior in the > underlying system that breaks the users' assumptions about what is > happening. > I'm not sure I agree, but it's surely not a DISCUSS level item. > > For example, the sender cannot indicate via SMTP whether or not a > > given message should be encrypted (some messages, like those sent > > to a publicly archived mailing list, are pointless to encrypt) > > > > Clearly, the mailing list would not have a valid certificate to use to > > encrypt, so how could it ever encrypt? Also a mailinglist could have > > given all members the list private key so members can decrypt all > messages > > sent encrypted to the list. This might not be super secure, but a > reasonable > > approach for "somewhat secret" list traffic, eg a vendor security > vulnerability > > mailing list. > > There are mailing lists which do have valid certificates (though they > typically are not publicly archived). The document doesn't get into > details about mailing lists with cryptographic protections, but we could > add something to the Future Work appendix if folks are interested. I've > opened https://gitlab.com/dkg/e2e-mail-guidance/-/issues/16 to track that. > I see the commit. Thanks for adding the text. > > > NITS: > > > > Petpeeve: the use of the word "novel". > > I'm fine with changing that word to avoid a pet peeve :) I hope you'll > avoid "utilize" in any future documents on my behalf in exchange! > > > non-comment: > > > > It seems the authors do not like my openpgpkey-milter solution :) > > Your milter is not the only software i've seen that takes this tempting > shortcut! ☺ Do you think that any of these implementations can > effectively avoid the pitfalls described in that section? > No, it is a terrible solution :) I've updated my ballot to No Objection. Paul
- [lamps] Paul Wouters' Discuss on draft-ietf-lamps… Paul Wouters via Datatracker
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Daniel Kahn Gillmor
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Paul Wouters
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Daniel Kahn Gillmor