[lamps] Paul Wouters' Discuss on draft-ietf-lamps-e2e-mail-guidance-15: (with DISCUSS and COMMENT)
Paul Wouters via Datatracker <noreply@ietf.org> Wed, 06 March 2024 03:19 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 95F89C14F5E3; Tue, 5 Mar 2024 19:19:30 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Paul Wouters via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-lamps-e2e-mail-guidance@ietf.org, lamps-chairs@ietf.org, spasm@ietf.org, housley@vigilsec.com, housley@vigilsec.com
X-Test-IDTracker: no
X-IETF-IDTracker: 12.6.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Paul Wouters <paul.wouters@aiven.io>
Message-ID: <170969517060.45916.11010011783885804824@ietfa.amsl.com>
Date: Tue, 05 Mar 2024 19:19:30 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mpYarGR5BYK2HixKUxRX6cZrEcU>
Subject: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-e2e-mail-guidance-15: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 03:19:30 -0000
Paul Wouters has entered the following ballot position for draft-ietf-lamps-e2e-mail-guidance-15: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-lamps-e2e-mail-guidance/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks for this document. It contains good advise for implementers. I have a few issues that I would like to DISCUSS, although perhaps some of those marked as DISCUSS are between DISCUSS and COMMENT. The document suggests that encrypted but unsigned messages should be considered a bug and prevented. However, at times I purposefully send encrypted but unsigned mesages as a way to not give someone mathemathical proof that I said something. Sort of a "gossip message" or within proprietry clients this could be a "auto-destructing message". By blocking this usage, I would in the future have to opt for sending a non-encrypted message if I am unwilling to sign a message. Section 6: the certificate used to verify the signature does not correspond to the author of the message. (for X.509, there is no subjectAltName of type rfc822Name whose value matches an e-mail address found in From: or Sender:) So how about: From: "Daniel Kahn Gillmor <paul@nohats.ca>" ? Section 9.1 talks about storing Sent Mail encrypted, but does not talk about how one would "search" their email content. Perhaps it can also mention keeping a Sent Mail folder on the user's own device, such as a laptop with whole disk encryption. But I feel not mentioning this issue at all is missing an important point of why people want decrypted Sent Mail or why they don't want encrypted Sent Mail. Section 9.4 asks: When a message is encrypted, if there is a mechanism to include the certificates of the recipients, whose certificates should be included? I think that answer is always "not the BCC'ed recipients", so I wonder why this is a question and not a requirement. Also the last bullet in 9.4.1 states that too. Maybe restate it as a description to solve in 9.4.1 by saying it more like "When a message is encrypted and recipient certificates are included, the Bcc:ed recipients need to be carefully considered". Section 9.4.1: * No cryptographic payload contains any Bcc header field. Since headers are not encrypted, isn't this always the case? * The main copy of the message is signed and encrypted to all named recipients and to the sender. A copy of this message is also stored in the sender's Sent folder. Maybe this should more clearly state that it includes the BcC: header? * To the extent that spare certificates are included in the message, each generated copy of the message should include certificates for the sender and for each named recipient. Certificates for Bcc'ed recipients are not included in any message. So here is another possible leak. Earlier text said certificates could be omited if one knew for sure the parties already knew each other's certificate. So if the sender and recipient know each other's certificate, but the sender doesn't know if the Bcc:ed recipient knows the (openly) recipients certificate, it must not add the certificate or else the Bcc: to "someone" becomes exposed to the recipient. I think the bullet point is better reframed as "Any Bcc:ed recipient MUST NOT be taken into consideration when determining which certificates to include along the message.". Section 9.6 it seems option 1 and 2 are really not worth considering or mentioning. It also seems a 5th option is missing - compose two seperate emails with only the seperated recipients in each of the emails. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 2: so interface elements that get in the way of communication should be avoided where possible. That "in the way" carries a lot of weight :P on every alternate messaging service Maybe remove "alternate"? or so "on all of the many" ? For comprehensibility, a conformant MUA SHOULD NOT create multiple copies of a given message that differ in the types of end-to-end cryptographic protections afforded Can it be clarified whether this is meant "to the same email user" ? A message send to multiple people, of whom only a subset support encryption, should still send "multiple copies of a given message that differ in the types of end-to-end cryptographic protections For example, the sender cannot indicate via SMTP whether or not a given message should be encrypted (some messages, like those sent to a publicly archived mailing list, are pointless to encrypt) Clearly, the mailing list would not have a valid certificate to use to encrypt, so how could it ever encrypt? Also a mailinglist could have given all members the list private key so members can decrypt all messages sent encrypted to the list. This might not be super secure, but a reasonable approach for "somewhat secret" list traffic, eg a vendor security vulnerability mailing list. NITS: Petpeeve: the use of the word "novel". non-comment: It seems the authors do not like my openpgpkey-milter solution :)
- [lamps] Paul Wouters' Discuss on draft-ietf-lamps… Paul Wouters via Datatracker
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Daniel Kahn Gillmor
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Paul Wouters
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Daniel Kahn Gillmor