Re: [lamps] Common Protected Header practice documented (was "Memory Hole")
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 09 July 2020 09:44 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEE2B3A09EB for <spasm@ietfa.amsl.com>; Thu, 9 Jul 2020 02:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G4isrtaMgJg2 for <spasm@ietfa.amsl.com>; Thu, 9 Jul 2020 02:44:07 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 00C8E3A09E9 for <spasm@ietf.org>; Thu, 9 Jul 2020 02:44:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1594287845; d=isode.com; s=june2016; i=@isode.com; bh=pfYgv60DMLT4clTi8jh3OcyN64ZZ3vNwqvZ75EU8b50=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=SHvx9MR/6NxgRHzoWO4PwZEUgI97M8lsHnowdRMyZ952GnfBmcAGnJkixeEWU6ChdKePj8 0tADTQO9ecglw3j2/vjIT8IPrl1CG42oNPMhOO65uQyZV+rTGtyHTlupqvo1wKuBdFhgb6 QKciuo6dIVOhxOIEEVCMdf97sI0rmWs=;
Received: from [192.168.1.222] (host81-151-37-172.range81-151.btcentralplus.com [81.151.37.172]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <Xwbm5AAkBjm-@waldorf.isode.com>; Thu, 9 Jul 2020 10:44:05 +0100
To: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: IETF LAMPS WG <spasm@ietf.org>
References: <87ftj3pczs.fsf@fifthhorseman.net> <alpine.DEB.2.22.394.2006141339010.57529@softronics.hoeneisen.ch>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <63b2a258-b471-084a-37dc-695f6de2fb75@isode.com>
Date: Thu, 09 Jul 2020 10:43:42 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
In-Reply-To: <alpine.DEB.2.22.394.2006141339010.57529@softronics.hoeneisen.ch>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------8CA5C91DAB121BB1F459F4EF"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/R-3YEtmvKRrAflUwodTv0xkTIZE>
Subject: Re: [lamps] Common Protected Header practice documented (was "Memory Hole")
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 09:44:10 -0000
Hi Bernie,
Just to close the loop on this:
On 14/06/2020 15:10, Bernie Hoeneisen wrote:
> Hi Daniel
>
> Thanks for this great document! I was finally able to read and assess
> it. I believe it is quite useful to assist in finding a solution for
> our chartered work item on Header Protection.
>
> I have some questions related to the S/MIME examples:
>
> 1) The examples you provide for S/MIME have a simple structure, i.e.
> the body consist of a single MIME entity. How would an example look
> with the solution your are proposing, if it was a tree of MIME
> entities (e.g. text and html as multipart/alternative)?
>
> 2) In the examples (e.g. 9.2.) you are using "Content-Type:
> text/plain", however the content appears to be a full "message/rfc822"
> email. To me this looks like a mismatch between Media-Type and
> Content. To my understanding, whatever is in "Content-Type:
> text/plain" is unformated and is not guaranteed to be parsable.
> However your proposal suggests to parse this to replace the outer
> header fields. Have I misunderstood anything?
So the protected body part in that example is:
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Tue, 26 Nov 2019 20:03:00 -0400
Subject: The FooCorp contract
Message-ID: <smime-multipart-signed@protected-headers.example>
Bob, we need to cancel this contract.
Please start the necessary processes to make that happen today.
(this is the 'smime-multipart-signed' message)
Thanks, Alice
--
Alice Lovelace
President
Example Corp
This is a correct body part (using RFC 2045 terminology) of media type
"text/plain". Presence of "From" or "Subject" doesn't change its media
type. BNF for body part header is described in Section 3 of RFC 2045:
MIME-part-headers := entity-headers
[ fields ]
; Any field not beginning with
; "content-" can have no defined
; meaning and may be ignored.
; The ordering of the header
; fields implied by this BNF
; definition should be ignored.
Best Regards,
Alexey
> Looking forward to your answer!
>
> cheers,
> Bernie
>
> --
>
> http://ucom.ch/
> Modern Telephony Solutions and Tech Consulting for Internet Technology
>
>
> On Mon, 4 Nov 2019, Daniel Kahn Gillmor wrote:
>
>> Hey LAMPS folks--
>>
>> At (and shortly after) the OpenPGP e-mail summit [0], a group of MUA
>> developers went ahead and documented the way that several of us have
>> been handling header protection in a backward-compatible way.
>>
>> This bundle of techniques used to be known as "Memory Hole" a while back
>> but for a couple years now we've been calling it just "Protected
>> Headers", since "Memory Hole" was confusing and weird for some people.
>>
>> Hopefully this document can serve as input for appendix A.1.1 of
>> draft-ietf-lamps-header-protection-requirements-01 [1].
>>
>> The new draft is at:
>>
>> https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers/
>>
>> (it's "draft-autocrypt-…" because it's not a single-person draft, and
>> because most of the experience we have in this comes from
>> implementations actively engaged in the Autocrypt project [2]. But it is
>> not a formal part of the Autocrypt specifications at this time, and it
>> is not intended to ever be limited to Autocrypt implementations.)
>>
>> To whet your appetite, the summary:
>>
>> -------
>> The Protected Headers scheme relies on three backward-compatible
>> changes to a cryptographically-protected e-mail message:
>>
>> * Headers known to the composing MUA at message composition time are
>> (in addition to their typical placement as Exposed Headers on the
>> outside of the message) also present in the MIME header of the
>> root of the Cryptographic Payload. These Protected Headers share
>> cryptographic properties with the rest of the Cryptographic
>> Payload.
>>
>> * When the Cryptographic Envelope includes encryption, any Exposed
>> Header MAY be _obscured_ by a transformation (including deletion).
>>
>> * If the composing MUA intends to obscure any user-facing headers,
>> it MAY add a decorative "Legacy Display" MIME part to the
>> Cryptographic Payload which additionally duplicates the original
>> values of the obscured user-facing headers.
>>
>> When a composing MUA encrypts a message, it SHOULD obscure the
>> "Subject:" header, by using the literal string "..." (three U+002E
>> FULL STOP characters) as the value of the exposed "Subject:" header.
>>
>> When a receiving MUA encounters a message with a Cryptographic
>> Envelope, it treats the headers of the Cryptographic Payload as
>> belonging to the message itself, not just the subpart. In
>> particular, when rendering a header for any such message, the
>> renderer SHOULD prefer the header's Protected value over its Exposed
>> value.
>>
>> A receiving MUA that understands Protected Headers and discovers a
>> Legacy Display part SHOULD hide the Legacy Display part when
>> rendering the message.
>> -------
>>
>> Please don't be put off by the draft length -- nearly half of the
>> document consists of test vectors that implementers can use to verify
>> their ability to consume well-formed, protected-header messages.
>>
>> I'd be happy to present this work in Singapore if there's space on the
>> agenda.
>>
>> Feedback, critiques, comments, etc, are all welcome.
>>
>> Regards,
>>
>> --dkg
>>
>> [0] https://wiki.gnupg.org/OpenPGPEmailSummit201910
>> [1]
>> https://tools.ietf.org/html/draft-ietf-lamps-header-protection-requirements-01#appendix-A.1.1
>> [2] https://autocrypt.org/
>>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
- [lamps] Common Protected Header practice document… Daniel Kahn Gillmor
- Re: [lamps] Common Protected Header practice docu… Bernie Hoeneisen
- Re: [lamps] Common Protected Header practice docu… Alexey Melnikov
- Re: [lamps] Common Protected Header practice docu… Bernie Hoeneisen