Re: [lamps] LAMPS sample keys and certificates

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 20 December 2019 23:48 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 410541209D3 for <spasm@ietfa.amsl.com>; Fri, 20 Dec 2019 15:48:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=Mu9nh3a0; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=hd6+Zq/H
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIu6JCEGxZ0t for <spasm@ietfa.amsl.com>; Fri, 20 Dec 2019 15:48:45 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 799351208D5 for <spasm@ietf.org>; Fri, 20 Dec 2019 15:48:45 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1576885724; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=bBND5WK9fA9L/LRxes9PFCOJzXhCWQcveqCF4Kph3CA=; b=Mu9nh3a09XDr4YC7Dysx2MRlT/BL/P9CG1tdbKFiJSlPop6Sqb+Yl5z3 Lt1NTqGJB0/5HQv28l+nU9leQQiJAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1576885724; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=bBND5WK9fA9L/LRxes9PFCOJzXhCWQcveqCF4Kph3CA=; b=hd6+Zq/HP5lQ2HOd8TXds4U26Fc2Pj5JdLCdNCpF4yPjJ2h0UIrLCb3C zpcc7hAQHLvWL27FKFRvKaPi3oKhZi94g75Fb5wuRZeXnC97La9NuhNJQE Ll/w+5iDlluy0qHHyoTvvGb2GmhSrPDmc3yHXDnmA6UJK29BbrM8zMyexz BsUb8bUKoudKXfYnrQRnGh5Gkp2pLyU04PP5vCobRU648U3qpd3CQh4PML o5sArNROITiaY8tGr/bad5vxBAp96opKEci2PSK7c+W/1dG6dTogC/axEK iQA1gqj7DYjkNzswIc+4cSiqaAeET4UpRSMNPcTYg9AVnPqYVuRVRQ==
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 3463CF9A5; Fri, 20 Dec 2019 18:48:43 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 17E99203D6; Fri, 20 Dec 2019 18:48:40 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
In-Reply-To: <23953F0E-F919-4BBD-998F-11FF0DDBD95F@vigilsec.com>
References: <878sodm0j3.fsf@fifthhorseman.net> <23953F0E-F919-4BBD-998F-11FF0DDBD95F@vigilsec.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Fri, 20 Dec 2019 18:48:39 -0500
Message-ID: <87r20ya78o.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/hjhKbS5loQ_ZBxrjXzuxcxNSYBU>
Subject: Re: [lamps] LAMPS sample keys and certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 23:48:47 -0000

Hi LAMPS folks--

On Thu 2019-12-19 18:32:28 -0500, Russ Housley wrote:

> We set a goal at IETF 106 of learning how different user agents handle
> the two approaches to header protection.  I would like to see reports
> on the mail list so that we can choose a way forward.  Please help!

Thanks for the nudge, Russ.  Turns out i've learned a lot more about
S/MIME than i ever wanted to know, in the process of creating S/MIME
test vectors for the Autocrypt-style protected headers.

I've just published
https://www.ietf.org/id/draft-autocrypt-lamps-protected-headers-02.html

From the in-document changelog:


    Significant changes between version -01 and -02:

      - Added S/MIME test vectors in addition to PGP/MIME

      - Legacy Display parts should now be text/plain and not
        text/rfc822-headers (see
        https://github.com/autocrypt/protected-headers/issues/23)

      - Cryptographic Payload must have protected-headers parameter set
        to v1 (see
        https://github.com/autocrypt/protected-headers/issues/21)

      - Test vector sample Message-Ids have been normalized

      - Added encrypted-only (unsigned) test vectors, at the suggestion of
        Russ Housley

In addition, the test vectors are programmatically available at:

    imap://bob@protected-headers.cmrg.net/inbox

(use any password, should be a read-only mailbox, with ephemeral IMAP
tags)

I'm asking folks who have clients capable of handling cryptographic
e-mail (either S/MIME or PGP/MIME or both, you don't have to handle
everything!) to submit screenshots!

It should be useful to collect screenshots following the guidance
outlined here:

    https://github.com/autocrypt/protected-headers/tree/master/screenshots

If you'd an example, take a look at the Thunderbird + Enigmail
screenshots here:

    https://github.com/autocrypt/protected-headers/tree/master/screenshots/thunderbird%2Benigmail/68.3.1%2B2.1.3

I'd appreciate any feedback about this work, particularly on:

 - the screenshot process (can we make it easier for people to generate
   screenshots from a given client)?

 - the test vectors themselves (are problems with any of them? do they
   follow the draft correctly?)

 - the text in the draft (as an implementer, is it easy to understand
   and implement)?

Regards,

        --dkg