[lamps] AD Review of draft-ietf-lamps-rfc5751-bis-06.txt
Eric Rescorla <ekr@rtfm.com> Sat, 07 October 2017 18:33 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 3BE92134B0F
for <spasm@ietfa.amsl.com>; Sat, 7 Oct 2017 11:33:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001,
RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 0zwdRK_unesv for <spasm@ietfa.amsl.com>;
Sat, 7 Oct 2017 11:33:49 -0700 (PDT)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com
[IPv6:2607:f8b0:400d:c0d::236])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 12B80134B0E
for <spasm@ietf.org>; Sat, 7 Oct 2017 11:33:49 -0700 (PDT)
Received: by mail-qt0-x236.google.com with SMTP id n61so8865800qte.10
for <spasm@ietf.org>; Sat, 07 Oct 2017 11:33:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=rtfm-com.20150623.gappssmtp.com; s=20150623;
h=mime-version:from:date:message-id:subject:to;
bh=ynjNu7SXtnyB9h+vv5BQ19B8bM88rPChMgSPfYDwc/8=;
b=Tam+GtljtkWmHnpq+lYNWDtEBjtnc1uwlTK/Z7CNwvqyFER/G6kMJ5KuWoAm3eiZms
Y7srGXfCJ26++nNTQNhWovg29Rtxa6vsaEAo73qd5F7H7pmVO3hnqL50uQgURocjpeGo
qUvKxJDgnZ5mGFrr+soj75W8iy9+qMBvNN8olUgbh9ty288+WpWPfy731YZIe/iF2oPr
SVfxtba+P9l2QhtD0GzwucNR3N81yaqQjLF40AiPyJbPVxh4lq9UEnzaF32GvP2XcVUr
31t4Y1jQqKvMVaqJVC47gLLeQtbtyXmD802fvLRr5k8B5kn9idRvVppW+e5wK9+OosFD
/KlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=ynjNu7SXtnyB9h+vv5BQ19B8bM88rPChMgSPfYDwc/8=;
b=R++AeAmpGuRzL/uSkAjRpkMtWQrwKcJLsIHjEWB9rlmJZLs/xqIDUDnIJjmw+Omtcm
T7oy2lAcIboAgz0o5TDeWTCWJv4FSrTKIn6lO0lyeEnaYFr18iO/woTZF/O8+IDbKHKD
+3hZaOzRmKnMVY5LlzbF4Ul4Ta3Hn7b6x9WWI5xDCEEQzzAZHW8IeiAZKqr1lFJA8mpV
j4A53aSm/xwJPK06q+EvWCfXs1N01a4UCOSUoM0ypjTeuVMWBZzzs22bfccHxKzYuEsf
KaVjGTECivhIQBQo1QV4SVsB4GlGC4EQgt67LeuDSVEjVjpP/HwqV4Tuz08aKlJVCNbO
hxig==
X-Gm-Message-State: AMCzsaXP3k85DwXecTiNP/RNQgUsXgwMrwAtM9jQ5QW37ZKM3cw7uzYt
LDnhEiIvVlr3TwfubBn5sJ1+3mRxNbY73SWzDwIsuNJo
X-Google-Smtp-Source: AOwi7QAYdGXL3WHwdI9SHO1i5f4wiZd07s79e4BbM5WRBQfZDaYJp3LJ3c1YyitnQRyyQANc0WOETys1kTLHvnAf//U=
X-Received: by 10.37.105.203 with SMTP id e194mr4693557ybc.71.1507401227900;
Sat, 07 Oct 2017 11:33:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.194 with HTTP; Sat, 7 Oct 2017 11:33:07 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 7 Oct 2017 11:33:07 -0700
Message-ID: <CABcZeBNG7dB5QP1LvrMuzOoNS2hWAvs7vTkapy=16nzp83C0TA@mail.gmail.com>
To: SPASM <spasm@ietf.org>, draft-ietf-lamps-rfc5750-bis@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c14ebc8b92bdc055af9325e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Wh73Ys2OqIo_LaR075QBCXGWoj4>
Subject: [lamps] AD Review of draft-ietf-lamps-rfc5751-bis-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime
\(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>,
<mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>,
<mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Oct 2017 18:33:53 -0000
See https://mozphab-ietf.devsvcdev.mozaws.net/D8 for a more full-featured version of this review. This document appears to be in generally good shape. I have marked a number of issues below. Please spell check this document. I found a rather large number of typos. *INLINE COMMENTS* View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-265> draft-ietf-lamps-rfc5751-bis.txt:230 Certificate: A type that binds an entity's name to a public key with a digital signature. Nit: I'm not sure "type" is the cleanest word here. I suppose this comes from ASN.1 but it's really more like a message or a credential View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-266> draft-ietf-lamps-rfc5751-bis.txt:263 Data Integrity Service: A security service that protects againist unauthorized changes to data by ensuring that Typo: against View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-267> draft-ietf-lamps-rfc5751-bis.txt:267 Data Confidentiality: The property that data is not discolsed to system entities unless they have been authorized Typo: disclosed View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-268> draft-ietf-lamps-rfc5751-bis.txt:272 Data Origination: The corroboration that the source of the data received is as claimed. [RFC4949]. This phrase does not seem to appear in the document, and this is an odd definition. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-269> draft-ietf-lamps-rfc5751-bis.txt:305 S/MIME version 4.0 agents ought to attempt to have the greatest interoperability possible with agents for prior versions of S/MIME. Should "ought to" be SHOULD View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-270> draft-ietf-lamps-rfc5751-bis.txt:390 Section 3.4.3.2: Replace micalg parameter for SHA-1 with sha-1. This might be easier to read with quotes. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-271> draft-ietf-lamps-rfc5751-bis.txt:466 - MUST- support RSA with SHA-256. I think it would be clearest when you have RSA PKCS#1 1.5 next to PSS if you clearly stated 1.5. I think it's fine elsewhere. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-275> draft-ietf-lamps-rfc5751-bis.txt:482 - MUST NOT support EdDSA using the pre-hash mode. Can you explain why you are prohibiting this mode? I'm not endorsing it, but I don't see a prohibition on (for instance) secp256k1 though that's presumably also inadvisable. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-272> draft-ietf-lamps-rfc5751-bis.txt:488 section of the community which believes that there might be a backdoor to these curves. The EdDSA curves were, in part, created in response to this feeling. However, there are still significant This seems like it's kind of controversial for no good reason. These curves are more modern, faster, and were standardized in IETF. Isn't that a good enough reason? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-273> draft-ietf-lamps-rfc5751-bis.txt:491 sections of the industry which need to have NIST approved algorithms. For this reason, both sets of curves are represented in the recieving agent list, but there is only a requirement for curve in the sending Typo: receiving View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-274> draft-ietf-lamps-rfc5751-bis.txt:495 See Section 4.1 for information on key size and algorithm references. It might be worth noting that these requirements are intended to guarantee that any pair of sender and receiver can interoperate. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-276> draft-ietf-lamps-rfc5751-bis.txt:518 with AES-128 content encryption algorithm). As both 128 and 256 bit AES modes are mandatory-to-implment as content encryption algorithms (Section 2.7), both the AES-128 and AES-256 key wrap algorithms MUST Typo: implement. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-277> draft-ietf-lamps-rfc5751-bis.txt:546 2.4.2. SignedData Content Type Note to self: order of signature and encryption View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-279> draft-ietf-lamps-rfc5751-bis.txt:640 implies that the sender can deal with the algorithm as well as undertanding the ASN.1 structures associated with that algorithm. There are also several identifiers that indicate support for other Typo: understanding. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-280> draft-ietf-lamps-rfc5751-bis.txt:649 If present, the SMIMECapabilities attribute MUST be a SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines SignedAttributes as a SET OF Attribute. The SignedAttributes in a IMPORTANT: there are a number of conformance requirements here. You need to specify how one should behave if you receive a misformatted message. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-281> draft-ietf-lamps-rfc5751-bis.txt:653 SMIMECapabilities attribute. CMS defines the ASN.1 syntax for Attribute to include attrValues SET OF AttributeValue. A SMIMECapabilities attribute MUST only include a single instance of This seems ungrammatical. Perhaps "as a SET OF" View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-282> draft-ietf-lamps-rfc5751-bis.txt:656 AttributeValue. There MUST NOT be zero or multiple instances of AttributeValue present in the attrValues SET OF AttributeValue. How should I behave in this case as well? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-283> draft-ietf-lamps-rfc5751-bis.txt:671 matches. For instance, the DER-encoding for the SMIMECapability for AES-128 CBC MUST be identically encoded regardless of the implementation. Because of the requirement for identical encoding, Is this a normative reference or a statement of fact? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-284> draft-ietf-lamps-rfc5751-bis.txt:717 signerInfo MUST NOT include multiple instances of the SMIMEEncryptionKeyPreference attribute. CMS defines the ASN.1 syntax for Attribute to include attrValues SET OF AttributeValue. A It would be clearer if here and above you said "Although CMS defines... the SignedAttributes ... MUST NOT include multiple" to make clear you are narrowing the CMS rules. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-285> draft-ietf-lamps-rfc5751-bis.txt:745 In order to determine the key management certificate to be used when sending a future CMS EnvelopedData message for a particular "key management" seems like an unclear name. Perhaps "encryption key" to match 2.5.3? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-286> draft-ietf-lamps-rfc5751-bis.txt:758 the same subject name as the signer of a X.509 certificate that can be used for key management. IMPORTANT: Does this certificate itself have to be valid? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-287> draft-ietf-lamps-rfc5751-bis.txt:863 agent chooses not to use AES-256 GCM in this step, it SHOULD use AES-128 CBC. Why not AES-128 GCM, as that is also a MUST. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-288> draft-ietf-lamps-rfc5751-bis.txt:965 fields. It is up to the receiving client to decide how to present this "inner" header along with the unprotected "outer" header. IMPORTANT: I think some guidance here is probably needed, at least to explain that if you intermix them it causes confusion. We have seen plenty of issues here. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-290> draft-ietf-lamps-rfc5751-bis.txt:1013 S/MIME implementations SHOULD however use transfer encoding described in Section 3.1.3 for all MIME entities they secure. The reason for securing only 7-bit MIME entities, even for enveloped data that are This seems to conflict with the next paragraph. Maybe "In general" here and "In the case where" in front of the next would help it read better. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-289> draft-ietf-lamps-rfc5751-bis.txt:1029 (such as base64) would unnecessarily expand the message size. Implementations MAY "know" that recipient implementations are capable of handling inner binary MIME entities either by interpreting the id- If you change "know" to "determine" here you can lose the scare quotes. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-291> draft-ietf-lamps-rfc5751-bis.txt:1072 multipart/signed message with 8-bit or binary data in the first part, it would have to return the message to the sender as undeliverable. Nit: "encounters" and "would have to" disagree. I believe you want "encountered" View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-292> draft-ietf-lamps-rfc5751-bis.txt:1208 assigned, then this can be omitted. Thus, since "certs-only" can only be signed, "signed-" is omitted. Isn't it "verification" and "decryption" which are applied? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-293> draft-ietf-lamps-rfc5751-bis.txt:1232 possible to replace ciphertext in such a way that the processed message will still be valid, but the meaning can be altered. IMPORTANT: this is not correct if an AEAD algorithm is used. I'm just getting into this, but it appears that you have the following choices: - EnvelopedData with an encryption algorithm - EnvelopedData with an AEAD algorithm - AuthEnvelopedData with an encryption algorithm and a MAC - AuthEnvelopedData with an AEAD algorithm The second and fourth of these seem to differ in whether you have authenticated attributes. Or is #2 prohibited? It wasn't entirely clear to me from 5083 and I haven't chased it yet. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-294> draft-ietf-lamps-rfc5751-bis.txt:1276 valid, but the meaning can be altered. However this is substantially more difficult than it is for an enveloped-only message as the Can you elaborate more on this attack? It seems like you could just swap in your own ciphertext, but that's like the same as just crafting a new message, right? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-295> draft-ietf-lamps-rfc5751-bis.txt:1589 it will not yield significant compression. Base64 encrypted data could very well benefit, however. Incidentally, this is not strictly true. Consider the case where you use AES-GCM to encrypt data which you know to itself be 7-bit clean. In that case you can easily obtain a 12.5% compression ratio by stripping the high bit and replacing it with zeros on decompression. For the more general case see: https://pdfs.semanticscholar.org/6072/b10c4ab2851047464fe4fff766693a 4184e6.pdf View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-296> draft-ietf-lamps-rfc5751-bis.txt:1661 automatically generate a message to an intended recipient requesting that recipient's certificate in a signed return message. Receiving and sending agents SHOULD also provide a mechanism to allow a user to This is just like textually requesting it, right? Or is there an indicator for this? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-297> draft-ietf-lamps-rfc5751-bis.txt:1878 Using weak cryptography in S/MIME offers little actual security over sending plaintext. However, other features of S/MIME, such as the This seems inconsistent with the definition of "weak" as <= 112 bits. That still offers significant security View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-298> draft-ietf-lamps-rfc5751-bis.txt:1937 Many people assume that the use of an authenticated encryption algorithm is all that is needed to be in a situtation where the sender of the message will be authenticated. In almost all cases Typo: situation View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-264> draft-ietf-lamps-rfc5751-bis.txt:1989 a concern need to provide some type of padding so that the length of the message does not provide this information. IMPORTANT: You also need to talk about compression oracles. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-299> draft-ietf-lamps-rfc5751-bis.txt:2343 Appendix A. ASN.1 Module Note: I did not review this on the premise that it was done so in 3851. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-300> draft-ietf-lamps-rfc5751-bis.txt:2456 statement on SHA-1 can be found in [RFC6194] but it is out-of-date relative to the most recient advances. Typo: recent. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-301> draft-ietf-lamps-rfc5751-bis.txt:2498 the binding of the public key to the identity that signed the message as well. You should note that because these weaknesses are recent (at least in the public sector) if you know you have had the message for a long time, it may be safer to accept it. View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-302> draft-ietf-lamps-rfc5751-bis.txt:2517 some issues have been created that can cause interopatability problems: Typos: mandatory, interoperability View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-303> draft-ietf-lamps-rfc5751-bis.txt:2565 to encrypt new emails. B.4. KeyEncryptionAlgorithmIdentifier Did you mean to use RFC 2119 normative language here? View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D8#inline-304> draft-ietf-lamps-rfc5751-bis.txt:2589 it is recommended that RFC 2311 [SMIMEv2] be moved to Historic status. Are you actually moving it, or just suggesting that the IESG do so? *REPOSITORY* rIETFREVIEW ietf-review *REVISION DETAIL* https://mozphab-ietf.devsvcdev.mozaws.net/D8 *EMAIL PREFERENCES* https://mozphab-ietf.devsvcdev.mozaws.net/settings/panel/emailpreferences/ *To: *ekr-moz, ekr
- [lamps] AD Review of draft-ietf-lamps-rfc5751-bis… Eric Rescorla