IETF Logo Mail Archive

Re: [Spasm] Suggestions for draft-schaad-rfc5751-bis-00.txt

Wei Chuang <weihaw@google.com> Mon, 02 May 2016 20:33 UTC

Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A58312D62A for <spasm@ietfa.amsl.com>; Mon, 2 May 2016 13:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.696
X-Spam-Level:
X-Spam-Status: No, score=-3.696 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bQ2RFVHRE62S for <spasm@ietfa.amsl.com>; Mon, 2 May 2016 13:33:14 -0700 (PDT)
Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95C8F12D637 for <spasm@ietf.org>; Mon, 2 May 2016 13:33:13 -0700 (PDT)
Received: by mail-oi0-x22f.google.com with SMTP id x19so205698344oix.2 for <spasm@ietf.org>; Mon, 02 May 2016 13:33:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=gIO9efmTNJ4ILRsRNsp5ayc6/CsowOWORk6mgOLKP/k=; b=U2nTdALJuAc3vrLeqAizVOUZS8EDqaokni1X1Jq91CU7FzloEqEd4thpV9cvkTlYKM K1rVApPJeg0y4PG0M4NJKjjXPQztwhrM2ZDUBmXPNR5ohp7JrLfdwU0bBZwjLLVsBb+G SAu/krYSNW1gHTWCLjdCGCl+bgwE7iobrnoE4Xtuwrv8ABqPNUJ1HQ0KuGbMohPFCm+w ktSn3U/GFl0V/5NM85N+OxsKUCyOi90cFtqqd0HG+Fn/PP5HnSGycgf/B0auj05TBqIP wO6NJs6TlYpxRUfOwVjMb2YSVeJ5khmqk4j5Sr2n6En7QcHnj2W6ES+rL7K8LdFbmTpd yZ3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=gIO9efmTNJ4ILRsRNsp5ayc6/CsowOWORk6mgOLKP/k=; b=lk23xASrEeu3QSG1xSKQ1kGgAZWuN3Icgr1N5qkDwWDQM2VAxhWM8tXzKwQoGoR/xm W36Xhc7C0jfUTW+wEFTgJ8TAYIq9+qCrKkQl2BlWjPvxhRKw+V/yXaLorppwDQKGqcWw hV4ENHCQAWy0lQpVTN8FIOHxukrHl4VyI9WyCrZqyQ46Kjq0+W6TK7LG6hD8fx6slmyC FqPSX+vuCr2KH7SLcLZirWNFEXTkEyxf+BnqhomFiSfcotDH4R7cGl4PBAGQTrThoSfl jtasQiuoB2+5AUNffLhbVFbl2vedpepvg+3JJgDGN3LZItx3u34CIIT5lNCgPZwVdXse Qx5Q==
X-Gm-Message-State: AOPr4FUXJfI25tEd0M6eZu6Ouy7XowUHfBoh9OGAr/G0yyhG8043udqincsKoh6jdW6iTb/gedLo3Su7T/7Bf/aZ
MIME-Version: 1.0
X-Received: by 10.202.202.143 with SMTP id a137mr14268475oig.128.1462221190010; Mon, 02 May 2016 13:33:10 -0700 (PDT)
Received: by 10.157.35.36 with HTTP; Mon, 2 May 2016 13:33:09 -0700 (PDT)
In-Reply-To: <CAAFsWK0N0fMcA03KGc0vBHJc9dQmY1Aw=X3mnHCWeZn8bvVScg@mail.gmail.com>
References: <CAFTDvC5g5CeY0V4xO3NahYc226BMOF5QCCK41_admqiz88ZZ3Q@mail.gmail.com> <CAAFsWK1J3baG7=KHpD67q9Uzt48tja=Dejud5xJrUT0HWp=HBw@mail.gmail.com> <0afc01d1a35a$667346f0$3359d4d0$@augustcellars.com> <CAAFsWK0N0fMcA03KGc0vBHJc9dQmY1Aw=X3mnHCWeZn8bvVScg@mail.gmail.com>
Date: Mon, 02 May 2016 13:33:09 -0700
Message-ID: <CAAFsWK0sn_rMUKc+y2LQPryR__gGqkRvy1w_egN0EYyXKiXsUA@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="001a1134faf29d63c90531e1e6c0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/spasm/UO0qUsiX5inndhVPCHeFEcMdCZQ>
Cc: spasm@ietf.org, Laetitia Baudoin <lbaudoin@google.com>
Subject: Re: [Spasm] Suggestions for draft-schaad-rfc5751-bis-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2016 20:33:17 -0000

On Mon, May 2, 2016 at 12:04 PM, Wei Chuang <weihaw@google.com> wrote:

>
>
> On Sat, Apr 30, 2016 at 8:34 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:
>
>> Wei,
>>
>>
>>
>> See below.
>>
>>
>>
>> *From:* Spasm [mailto:spasm-bounces@ietf.org] *On Behalf Of *Wei Chuang
>> *Sent:* Friday, April 29, 2016 1:52 PM
>> *To:* Laetitia Baudoin <lbaudoin@google.com>
>> *Cc:* spasm@ietf.org
>> *Subject:* Re: [Spasm] Suggestions for draft-schaad-rfc5751-bis-00.txt
>>
>>
>>
>> First thanks goes to the authors of draft-schaad-rfc5751-bis-00 for
>> doing the update.
>>
>>
>>
>> On Fri, Apr 29, 2016 at 12:44 PM, Laetitia Baudoin <lbaudoin@google.com>
>> wrote:
>>
>> Hi,
>>
>> Could we update the text in section 3.4 [Creating an Authenticated
>> Enveloped-Only Message]?
>>
>>
>> Currently it states:
>> -----
>>
>> This section describes the format for enveloping a MIME entity
>>    without signing it.  It is important to note that sending
>>    authenticated enveloped but not signed messages does not provide for
>>    authentication or non-repudiation.  It is possible to replace
>>    ciphertext in such a way that the processed message will still be
>>    valid, but the meaning can be altered.
>>
>> -----
>>
>> Which is incorrect: alterations to the encrypted part of the message
>> would be detected.
>> The problem is that authenticated encryption alone does not prove
>> anything about the sender.
>>
>>
>> An alternative to the last sentence could be something like "It is
>> possible to change the sender without altering the validity of the
>> processed message".
>>
>>
>>
>>
>> +1   Also I'm bothered by the second sentence as too alarming as
>> potential uses would presumably find a means to authenticate.
>>
>>
>>
>> [JLS] See my comments to Laetitia on why I don’t think authentication is
>> a viable option here.
>>
>>
>>
>> As this update also adds AES-GCM, can draft-housley-cms-chacha20-poly1305-00
>> be considered too?  That would help authenticated encryption algorithm
>> diversity.
>>
>>
>>
>> [JLS]  As Russ said in his mail, the actual draft is not going through
>> this proposed working group.  I would be open to having both AES-GCM and
>> ChaCha/Pol1305 as being listed as AEAD algorithms to be supported by the
>> message specification.  I added in AES-GCM only because I needed to place
>> some algorithm in the draft to motivate the reason for adding the CMS
>> authenticated encryption algorithm.
>>
>>
>>
>> Also does this means that updating algorithms in general will be covered
>> in this pass?  If so, can keysize and algorithm deprecation occur e.g. drop
>> md5?
>>
>>
>>
>> [JLS] Sean is unhappy, but I do believe that since the draft is open all
>> of these issues are open as well.  I am not really sure what I want to say
>> about MD5 the current draft says it is supported so you can talk to (and
>> potentially read old message from) S/MIME v2 implementations.  Are we
>> really sure that we want to shut off this option given that S/MIME v2 was
>> only made historical by RFC 5751 in 2010.  I think we need to be careful
>> about how we make recommendations on MD5, but potentially doing a verify
>> but don’t send makes sense.
>>
>
> I understand backwards compatibility is going to be a thorny issue, but at
> the same time (and I'm sure this is preaching to choir) the overall
> security depends upon the weakest link.  And for md5 and weak 512b RSA key
> sizes have (well) known attacks (e.g Flame, and DKIM email hack to Larry
> Page hack just as examples).  It'll be much harder to trust a security
> protocol that already at the specification level  allows vulnerable
> messages as authentic and private.
>

I just saw mention of warning for key sizes less 1024 in 6. Security
Considerations.  Can the same be done for md5 digest, and generalized so
that future obsolete algorithm and key sizes can be treated similarly?

-Wei


>
> How about a different approach.  What about allowing support for historic
> keysizes and algorithms (of which I think md5 belongs) so archived messages
> can be read.  However no assertion about the authenticity, integrity or
> privacy of messages using historic key sizes and algorithm be made, and
> supporting UI's must not provide assurances as such.  And only messages
> using updated v3.5 S/MIME key sizes and algorithm are allowed to be
> considered authentic and private.
>
>
>>
>>
>> We need to have a strawman to discuss on key sizes, but this is normally
>> a very controversial topic.
>>
>>
>>
>> For possible work much farther down the road, I would suggest that
>> section 3.1 and details of wrapping messages in "message/rfc822" be
>> clarified.
>>
>>
>>
>> [JLS] What are the things you want to be able to do that is not covered?
>> This was heavily discussed at the time the original RFC was done and it was
>> not possible to get any consensus about how to make this clearer than what
>> it is.
>>
>
> Indeed I was wondering as such.  Hopefully things may be easier this time
> as there was strong interest in header privacy recently (certainly at
> IETF-94).
>
> Perhaps it might be possible to limit the scope to make it more feasible?
> The most useful header will be finding a specification for allowing
> "Subject:" to be hidden in the message/rfc822 part, and for it to be
> restored upon decryption.  Followed by "Date:".  Ideally the sender and
> recipient headers could be protected as well but there's the issues that
> you point out.
>
>
>> Indeed, there were tons of problems with deciding how to address what
>> fields are to be duplicated, what fields can be hidden, how to
>> show/highlight what happens in the event of a conflict between the fields.
>> Think about the situation of sending a signed message to the spasm mailing
>> list.  In that event you get a new header added called sender that changes
>> how Outlook displays who the message is coming from.  (Consider a case
>> where sender privacy is enforced by the mailing list.)   The headers which
>> are authenticated by DKIM are no longer the same as the ones in the
>> message.
>>
>
> Would it help to start a separate discussion thread about this?  Perhaps
> break out the scenarios for the different headers of interest?
>
> -Wei
>
>
>> There are lots of problems that need to be dealt with if we are going to
>> “clarify” this language.
>>
>>
>>
>> Jim
>>
>>
>>
>>
>> Thanks,
>>
>> -Wei
>>
>>
>>
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>>
>>
>>
>
>

v2.23.0 | Report a Bug | By Email