Re: [lamps] WG Last Call for draft-ietf-lamps-header-protection-14
Nicolas Lidzborski <nlidz+ietf@google.com> Fri, 21 April 2023 22:23 UTC
Return-Path: <nlidz@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6718C1522D3 for <spasm@ietfa.amsl.com>; Fri, 21 Apr 2023 15:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.096
X-Spam-Level:
X-Spam-Status: No, score=-17.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QvLTf64_F2Aa for <spasm@ietfa.amsl.com>; Fri, 21 Apr 2023 15:23:21 -0700 (PDT)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7195FC14F73F for <spasm@ietf.org>; Fri, 21 Apr 2023 15:23:21 -0700 (PDT)
Received: by mail-qt1-x834.google.com with SMTP id d75a77b69052e-3ef36d50182so421cf.1 for <spasm@ietf.org>; Fri, 21 Apr 2023 15:23:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1682115800; x=1684707800; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9leL6rVSlKwYxXMSFeLXmOmDAy0qzaTSQMVVXa43En4=; b=kHN5RIsydE827yoE/o90IwhhefnSzhWNsRZhZWqeMQgh+5PN/pjRB4J6alvPfrJH8B eKflgEpcCw8JwD64G6ywhr/kqZtqUV2nxwwEXroxVioWMVrzgK8sC6lvNix5XYsqrn0Y fN+/nFuW0AaUKR3jIw0woRsiycVM0/dvaKwzxkVzUq6IKvikEtznESdh03lqdiRK457D nRsU1vKzOxp7HBV61vHaGgmEHl4JQYAGqGF93D21G95YRa98oYob/P/5jKEI4Yd42uVG 8kDm7BLD0yPxd2GxzlH9wa7XxcfJ7vhQ7VEOzy0gCuga39/6jQWCesrAT++pxIxxboEk U7iQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682115800; x=1684707800; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9leL6rVSlKwYxXMSFeLXmOmDAy0qzaTSQMVVXa43En4=; b=UBJLTZCSCMChXE2MvrnFrh6CGC27pshEDumIqg1SbeeNNOM/x5CDbNbkjogmGindSQ SRWqscfiDaLf5LDgjMu2Kdp40X7X/DCgqnjfaO5mDzuYxOs9rKoP2+kYjDdvakrsRExa 98OtnTGVCbtuh91n4D2c/5abZGcN52AYNJYmzeixS5GQkaV2nAc0ydcfs71sIKpXr/fC RDsy2YySLDHZmfH+TgMnlXy3fqUnoNne810ksx9QYdDoiXJvQN7A9ykX2jzoWJ0sFHTA vCsj8JU4y4Kzc+zyJ+5w19M49MZrCdXQgvCSvT8LSzfFSJfc0Rq6WCnM5muqzyGnHRKJ bFWw==
X-Gm-Message-State: AAQBX9er565JE5R39aUl7rHW1uV0yxKmj8PgItg7sTlUBLtjqmX0arcb ubpU40xpKe0IJQblhHt3UpXqLgkilqnQuFR2cqgfpD2LxZELFbtTDE0=
X-Google-Smtp-Source: AKy350a3UYxs4AHOXsjaiKlMOyMOAajAOOgsww0UA+Ms7joG0P8DGd3ugQHz0WS3gPPPS6ERDf5hP5uNpPb51n+oB+c=
X-Received: by 2002:a05:622a:229b:b0:3ed:ee95:7676 with SMTP id ay27-20020a05622a229b00b003edee957676mr3204qtb.1.1682115799305; Fri, 21 Apr 2023 15:23:19 -0700 (PDT)
MIME-Version: 1.0
References: <50AEFA36-6AEC-47BA-B0A7-3EDC6C88FCED@vigilsec.com>
In-Reply-To: <50AEFA36-6AEC-47BA-B0A7-3EDC6C88FCED@vigilsec.com>
From: Nicolas Lidzborski <nlidz+ietf@google.com>
Date: Fri, 21 Apr 2023 15:22:45 -0700
Message-ID: <CAAYYu_tV0fZgmet2z_--5YFph6SSe0d9nXvtX_hJWO12-5kZsg@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b3413d05f9e01a4e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/my2hF1_F0r8vKPv-Gkv1xIT1CEo>
Subject: Re: [lamps] WG Last Call for draft-ietf-lamps-header-protection-14
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Apr 2023 22:23:26 -0000
Thanks for this proposal. A few comments based on draft-ietf-lamps-header-protection-14 (some may be corrected on your separate git instance). Page 4: Style for Appendix titles: I noted that the appendix chapters do not use uppercase for words, which makes them inconsistent with the rest of the doc and seems to go against RFC standards. This appears to be covered by https://www.rfc-editor.org/rfc/rfc7322#section-3.4 Page 6: "interpret such messages": I am wondering whether it would make sense to split this RFC in two components. One focused on the actual schemes you introduce and define (hcp) and then another one focused on MUA suggestions. The rationale to do this would be that the generated messages are permanent, while the MUA capabilities and UX can change a lot over time. I also believe that UX would greatly benefit from extensive user studies rather than "setting it in stone" via RFC. Page 7: "Two Schemes of Header Protection": I think it would be valuable to focus effort on a single scheme rather than having the complexity of multiple mechanisms supported. I think more complexity here increases the time required for implementation, the risk of bugs as well as UX confusion for end-users. Page 7: "several legacy MUAs": can you clarify what those MUA and bugs were? One source I found was https://stackoverflow.com/questions/60380150/encrypting-headers-s-mime-message-rfc822, which paints a pretty bleak picture with no significant MUA adequately supporting the Wrapped Message header protection scheme. Back to my earlier point, let's focus on ONE scheme and ensure it is properly defined and supported by multiple providers. Page 7: "some mail user agents cannot render message/rfc822 message": I suggest not using "worst cases" as it is definitely judgemental. Imho, implementation of the RFC that exposes users to more harm (for example phishing) are worse for security and privacy end goals. Page 8: "email" vs "e-mail": I suggest staying consistent throughout the document for which one you use. Page 8: "such as the message Subject": Did we consider having explicit Subject versus EncryptedSubject headers (with supporting UX) actually enable users to understand the difference better (and have backwards compatibility)? Page 9: Is "DKIM+DMARC" used as singular or plural? Adjust the verbs accordingly. Maybe be explicit with "DKIM+DMARC suite" or "DKIM+DMARC messages"? Page 9: "DKIM+DMARC not provide" -> "DKIM+DMARC do(es) not provide" Page 11: "Header Protection" -> "Header Protection (HP)" as HP abbreviation is used later on. Page 12: "Out of scope": I think it is a bit harsh to cast aside a significant amount of existing constructions. In particular, triple-wrapped messages are used at scale today and explicitly mentioned in RFC 2634. I think it is worth identifying how we can land a common standard rather than continue to have plenty of different, complex and incompatible schemes that will likely provide a high likelihood of misleading users and impacting security + privacy gal here. Page 13: Typo: "MIME part of the Cryptograhic Payload" -> "MIME part of the Cryptographic Payload" Page 16: Can you explain better the role of the HP-Removed and HP-Obscured headers? Wouldn't it be simple to just have the encrypted headers just override the external headers? Page 17: "Composing with "Injected Headers" Header Protection": given the current poor and uneven support for header protection, do we need to add so much complexity here? I appreciate the effort of handling legacy, but it may be better to not end up with endless backwards compatibility complexity. Page 17: "Composing with "Injected Headers" Header Protection": is it really acceptable for the MUA to modify the main message body like this after the user clicks send? Basically, the MUA is adding main body content that will be digitally signed without clear callout that this is happening. Page 24: "are surprised": this depends on the users and training. Also people will stay confused given the many other schemes possible in MUA. See my point earlier about explicitly having an Encrypted Subject (or renaming the normal subject "Cleartext Subject" throughout the MUA compose UI to stay consistent). Page 24: "unlikely to cause deliverability or usability problems": in the absence of wide support, there is a high likelihood that messages will be flagged by anti-spam systems or reported as spam by end-users. Page 26: Where is "cryptographic summary" defined? This seems like a new notion here. Page 26: "Updating the Cryptographic Summary": going header by header may be problematic for something presented as a summary. Given this is "complex and messy", do we really want to include this unclearly defined part in the RFC? Page 27: "Example Signed-only Message with Injected Headers": I thought we defined earlier that hcp and legacy are effectively ignored if crypto does not contain encryption, so Signed-only should NOT have injected headers. Page 28: "Do Not Render Legacy Display Elements": training end-users to trust the email HTML body seems like a way to mislead recipients. Page 29: Typo: "MIME subpart with within the" -> "MIME subpart within the" Page 30: MUA would typically not allow the styles and CSS to propagate like this. More likely the MUA should use an HTML sanitizer that will explicitly target those. Page 31: "should improve the system's security": complexity of standard may go against that goal also until reaching mass adoption, security will likely still be limited by the most common denominator. Page 32: Typo: "decrypts the incoming mssages" -> "decrypts the incoming messages" Page 32: "adjust the status of a tracked issue by a specially-formatted": I think such design would need a LOT more attention, for instance avoiding replay attacks. Page 33: "pEp": can we simplify and obsolete to focus on minimizing complexity and bugs? Page 35: "ignore any unprotected header fields": did we consider the risk associated with leakage of MUA capabilities by getting different behavior when the user replies? Page 36: "MUA MAY prefer to verify that the header fields in question": which MUA are verifying DKIM themselves? This is not standard and likely to be very brittle. Page 37: "Dropping Legacy Display Elements": it is hard to envision backward compatibility that will not have to last forever for email. Page 46: "intervening transport agent to drop the message entirely": where did you observe that non-standard behavior? It is extremely common to deliver emails without the recipient in To/Cc/Bcc fields (mailing lists,...) Page 46: Typo: "Bcced" -> "Bcc'ed" Page 54: Link to https://header-protection.cmrg.net which has an expired certificate (Expires On Sunday, March 5, 2023 at 12:34:10 AM). Page 54: "Test Vectors" while it is great to have so many vectors here, I feel we should have better IETF infrastructure for hosting those rather than being painfully paginated, indented and taking 2/3 of the document length. Consider providing tooling allowing extraction of all the samples in the RFC (which would help verifying they are correct). Generally, given this mechanism is potentially breaking traditional MUA capabilities based on headers, are we suggesting for the MUAs to decrypt and interpret emails as soon as they are delivered (not waiting for the end-user to open the messages) and possibly persist the decrypted headers to be able to provide normal MUA capabilities (sort, filter, search,...)? This may be problematic for end-users that store cryptographic materials on a separate hardware device and/or require interaction for each cryptographic operation. Take care, Nico On Fri, Apr 7, 2023 at 7:53 AM Russ Housley <housley@vigilsec.com> wrote: > Title: Header Protection for Cryptographically Protected E-mail > > Authors: D. K. Gillmor, B. Hoeneisen, A. Melnikov > > Datatracker: > https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection > > Please respond to this WG last Call by 21 April 2022. > > For the LAMPS WG Chairs, > Russ > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] WG Last Call for draft-ietf-lamps-header-… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Carl Wallace
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Jonathan Hammell
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Carl Wallace
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Jonathan Hammell
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Jonathan Hammell
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Carl Wallace
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Carl Wallace
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Jonathan Hammell
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Carl Wallace
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Nicolas Lidzborski
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Alexey Melnikov
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Alexey Melnikov
- [lamps] WG Last Call for draft-ietf-lamps-header-… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Stephen Farrell
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Russ Housley
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Nicolas Lidzborski
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Alexey Melnikov
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Alexey Melnikov
- [lamps] Definition of Header Field [was: Re: WG L… Daniel Kahn Gillmor
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Michael StJohns
- Re: [lamps] WG Last Call for draft-ietf-lamps-hea… Daniel Kahn Gillmor
- [lamps] Call for LAMPS WG adoption of draft-bonne… Russ Housley
- Re: [lamps] Call for LAMPS WG adoption of draft-b… Salz, Rich
- Re: [lamps] Call for LAMPS WG adoption of draft-b… Sean Turner
- Re: [lamps] Call for LAMPS WG adoption of draft-b… Clint Wilson
- Re: [lamps] Call for LAMPS WG adoption of draft-b… Joseph Mandel
- Re: [lamps] Call for LAMPS WG adoption of draft-b… Tomofumi Okubo
- Re: [lamps] Call for LAMPS WG adoption of draft-b… Russ Housley