[lamps] AD Review of draft-ietf-lamps-header-protection-18
Roman Danyliw <rdd@cert.org> Fri, 26 January 2024 16:16 UTC
Return-Path: <rdd@cert.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 717AFC14CEE3 for <spasm@ietfa.amsl.com>; Fri, 26 Jan 2024 08:16:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lwq0DzBiZg8m for <spasm@ietfa.amsl.com>; Fri, 26 Jan 2024 08:16:12 -0800 (PST)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0113.outbound.protection.office365.us [23.103.209.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87984C14F5EE for <spasm@ietf.org>; Fri, 26 Jan 2024 08:16:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=TGLl42qRfLOYKy/c0Vq2e0oVCoC/NjEzQwt1AtEw1lWAa858EPPXFHxLybYfc2Zf4Ewt22tg2cHsY2F7onhp1Vzx+mGcybsuCX5S/dG6H5nwiMJJixm3+x9ucuRG9iU5OFaeE64S14G5Ij4hWNf5gzTFp4xF4QvuiU1vi6gI8e2u5OkUPEHFI8KVGlkRh/RdFpcINXYWBArNjXlv3pdnd+hV5RPivlpn0Znq6PXVgPA0RRvAL4o3hGrj1n4EwEGy5/eVEW7cld4gAY2k2mGSJ0FoRj2sSPJWc0rldfvQDUjCRhGlPgnBgy5NMgPmIRUyn26bCQUe8t7Sl+AVLYKpSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Y7XjAhcLd/SP5JhH5tSFnQRldzT0NEoBeeHgmI4UZeU=; b=so+aaa3qJ4bCqQpc1Wv55vsEhGGdzIuoSOtuPunxOalCiA4QGr7UcGjtmPE5vS5WCm1D91x9ukMOgo8IG/pC+Pw+MCnTYbHYkNF33RoUSv0U9huFvU681DPuOxFAAsQ/jur8OxLzqIJ3TQZlLUKyXvAQ3IB8D5cCWxtdiBhG3ukLvcXGWyKBIvWp58mlJHZwfEI//6a0d0LX/mVvi/MIn5HbfDO+q10KSN5H9Yq1k06bAOfuDM18uOB+3yhO+lrwH7O4tl+tYjtNwDY6mCAE38YH8gCR7jHRNDrFE8OeF+S93K3IHv6cTUsdpddqyUCQaHLJaykaTWDVc6A3nJN88w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Y7XjAhcLd/SP5JhH5tSFnQRldzT0NEoBeeHgmI4UZeU=; b=Gz/B9xYVoOeoAJ9PtNmvgUkpDUpwdZTK0kHOLvzh8VN7RBm2UivkwYi0Wv1wLu6XEzPSuPJ8/ne9/3DrLGo5FfAoDNs6VS2LPeM4XNY6XcQItserhfFg9uai9z9CeTNb1UBkFeoaKyTiLW0IW9msFw3PzOiNz3fIAsLFgStCVuY=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1446.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:178::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7202.34; Fri, 26 Jan 2024 16:16:10 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::364:96fe:e2d6:b29f]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::364:96fe:e2d6:b29f%4]) with mapi id 15.20.7228.026; Fri, 26 Jan 2024 16:16:10 +0000
From: Roman Danyliw <rdd@cert.org>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: AD Review of draft-ietf-lamps-header-protection-18
Thread-Index: AdpQcrV++3vEfJzvTAenDG/2tgIpTQ==
Date: Fri, 26 Jan 2024 16:16:10 +0000
Message-ID: <BN2P110MB11078726E331DA060A7BC611DC79A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1446:EE_
x-ms-office365-filtering-correlation-id: 5b2a44ec-e72a-4708-1d7e-08dc1e8a1be6
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: PSLpu5ak035MOkQlwR+n8i4e2FfiKOgwRkMGwWDf+FVAaPx3GRvc1hdFu5VCWqZTNWcwhN6ESOr0EO3DHjqqMZ/2wGMZ10sqAj5RK87bQE5lBwk1sU9ulX8+ZIVIeTtaORhSZWsbEvdR2kxFAcdXLFLIysLsYTC9ssEtDI1jl82JidvXHquXkpUmLPlMLGj4d81HRmRxhp4a7pN8pYFOXBiD08DLFdlP/f7HNy/2++Zy72EiAEN81z2VmX62th60sI4pxIpuOl0Sq5lUC2M4E6jpbm1Xio/sylgVMDtArqj43Dl4MLfkxrUcE/n6YtvT4EB+7MJyUMjtP6ylVFEzE8lyhS/s3LANyAALV+yXsux4XajphZ5xrkizPv8eMwmEhKHtZvLE6/NkmS22qf0sU/TTmyxF4qMmggPaoz4Mwtt+E7enzOb5/c+YmuVOX1Y9HmO30T3izG0WZIUGTehDCuMzomAfnFM+KJ007Hv5/ZoYDZInTUcwnsn4aS+s9Lwf/uYwJdvFxXyuNc93gqnJOyWnZxRj7u3eveUx2YtFbh8gKNS4mDM4NJi6hNez9tuiPCbU7RNzdIVbHUpZl15MvA0FXxVhhqM/jDx2rBzsaN3amM6NbCz4BTbsxYuZ5eK0IbAUSPlGpjRuLL+JeG/3pQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(366004)(39830400003)(136003)(396003)(230922051799003)(230473577357003)(230373577357003)(186009)(1800799012)(451199024)(64100799003)(41320700001)(8936002)(508600001)(8676002)(83380400001)(26005)(82960400001)(76116006)(38100700002)(66574015)(52536014)(41300700001)(66946007)(66476007)(71200400001)(9686003)(5660300002)(64756008)(2906002)(66446008)(66556008)(6506007)(122000001)(45080400002)(7696005)(6916009)(966005)(38070700009)(33656002)(86362001)(66899024)(55016003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: oKijvD983qilR30ib+51YFQiPd/SuZMLYMQmBmGu+3ynxuQBlODuD4eOH02am8jDWUPRTcb+xyMgAHseyJA/UbOoWzspJPUauthrPpl+DP4CtwaiXtz9ZUz98wA3cox7y4SQYMP9UoiiaoozzidhVSnmdqIwc5WSMkmF6jkM592luqvOOQJ/UsIxzoWaBVbav76HhdkWN4j++lyeD7rvdsvDBnQHKxyVUveky7/fFhK83Q2wWrA/rXr9j931bCbA9X0J0qym2DtfCazdI+lKJc5dzifFtP8wvueZ1iILZDgOjzyPnrcr9+ZjH3ub+gOh3u4QByNPkHt4sU8G0qT7bFkHMTJ1Ab0FAgEmvBC2quFk0AezG0HC9AXTxkIgvHPuIFIachSr5Ny5BEyKLH/qMUFttTMvFpqfCZpyfNwwJ/zT34TI7gSfEqjQy1OCAusdCV/QOxhV/T2P+hrY0JTtOlMqgK8R+hGv90jRGMsi2J2kj31r+aFNMQQbnE2syYYPpPDpQwKrFJ3rKmwAlI2FZr/usXKFtYKv/jicpy/I2hn+n+wzZzTkYkglUfF1HsmOL4qFUA6a0RCCh7SPmbv7j6dO/BKLwJHnP1j+DLY1BLVeOr6U7XRqkGWD4sJ6talftpJgfFIzqdp0njPZEktHMFN0HdatyLH4dWicRI2nhpIkYO6pg0muUXeWpSuZ8RDGfm5aFav39MJj2bxgOZ6WVVmXiRJNeQIJh0h/70KPVvgqC/l30eGOvYRa3IlQ9r4xeBCx8u1V9TxSoWebibSCQJM6e/5j7U/oJFJ8bK4ixv4E7tV9xYlzwDs3mTD96fq9R5RbF8TFm9uRnEmboD+HSvGEDX96THABXjBB/mEb+Dy34+2sUMCuPJDZvt7hYmvxS/Fmtg6OMx5AH3wozY8A/TzDWu5LvZawSgSyiAhaJTJOcWLz5mamf/kNVnqFIk6U7lNFBXbYVSpxK+ZcDvxVQjuVuGzdNGlgx5jfZoCiYzXtdWM4EkguIvoh5OraIqkaC+7R33fjg0Vezty0JeKk4inYrF7QvxPGORVdxD1uAKTjCwT3v0JE+9vXaW0T1//J5YfQnKgNWEi3OEj2l2T5+6YPQHmD2UT4Ukug0Y3alPkjJZTQu2FL8RxDufgGUzheEv/N8aJhPN2pNuSMZInICuE7EzaKd1H8PhNXqZnjhc/wnjlY+D3z8vxacQ3Txxbrk6EvDIBqiD7TkNLg1iCQfqzXFGN8b1tw25KE2gJuJLEMMa4XVfhc70WtS/u7lPuuIJPB4j6M7Q8dl6PErR4v+JyoZZ4zI5wENsqdL24b56TF1ZQZp+OyfRKzM0agtz8/v3gJA3A7rpzNvzkuAHMCYdQos/goTlQGGAtNBbkFBBF0oXym9XDr+lKmuupdbJJvE+SCreWb+PssgwJD/3S/+xM3PdGt+rtrN1OozQJFryekamyX/kYPpLZdFCzEXxBNwzNQQ6V5hEGxWlelMjDTr1c73QfezduwfD9n8V8LXsQ=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 5b2a44ec-e72a-4708-1d7e-08dc1e8a1be6
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jan 2024 16:16:10.1737 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1446
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/sXJmFS5w7EQy-Y-SNWx_j4nxnic>
Subject: [lamps] AD Review of draft-ietf-lamps-header-protection-18
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jan 2024 16:16:17 -0000
Hi!
I performed an AD review of draft-ietf-lamps-header-protection-18. Thank you for all of the work on this document and for the extremely robust set of examples associated with it. My feedback is as follows:
** What is the formal relationship between this draft and the S/MIME specification(s)? A few quotes from the document:
(a) Abstract. “This document updates the S/MIME specification to offer a different mechanism that provides the same cryptographic protections but with fewer downsides when handled by legacy clients.”
(b) Section 1.1. “This document calls this scheme "Wrapped Message", and it is documented in more detail in [RFC8551].”
(c) Section 2.3.5. “The Wrapped Message header protection scheme is briefly documented in Section 3.1 [RFC8551]. This section provides a more detailed explanation of how to build such a message, and augments it with the protected-headers parameter with the value wrapped.”
-- The meta data of the document has no update tag, but (a) uses language suggesting it does. Should this document update RFC8851?
-- I read (b) as saying RFC8551 has the canonical definition of “Wrapped Messages” but (c) then seems to say this document has more guidance on protecting the message and the additional (new to this document) guidance on headers. I’m looking for some declarative statement for implementers on what needs to get read to use “Wrapped Messages”. Does Section 2.3.5 supersede (replace) Does this guidance replace of some text in RFC8551? Is an implementer supposed to combine Section 3.5.1 + this document for the totality of the guidance?
** Section 1.4. Editorial.
For example, a legacy signed message has a signature that covers the
body but not the header fields.
What’s a legacy signed message? “Legacy MUA” was defined as not supporting either injected or wrapped headers.
** Section 2.3.2. Typo. s/it mean/it means/
** Section 2.4.3. Typo. s/The/the/
** Section 2.3.4.2
The content and formatting of this decorative <div> have no strict
requirements, but they SHOULD represent all the obscured header
fields in a readable fashion.
Why isn’t this a MUST. When should the obscured headers be represented in an _un_readable fashion?
** Section 2.4
An MUA SHOULD have a sensible default Header Confidentiality Policy,
and SHOULD NOT require the user to select one.
...
Any default Header Confidentiality Policy SHOULD provide
confidentiality for the Subject header field by replacing it with the
literal string "[...]".
-- I agree with this guidance in a natural language sense. However, from a conformance perspective what makes a policy “sensible”. Beyond Section 2.4.1, what else would be “sensible” as an alternative?
-- When is a sensible policy not appropriate to field (i.e., a sensible possible is not actually required)?
-- Saying default to me already implies that local policy might override things. Did the WG discuss the possibility of something more straightforward like say:
==[ snip ]==
An MUA MUST have a default Header Confidentiality Policy of at least the protections provided by the minimum policy described in Section 2.4.1 to ensure that the user does not have to select one. Local policy and configuration may alter this policy.
==[ snip ]==
My line of inquiry is whether it is too strong of a statement to say implementers of an MUA supporting this draft need to have a “secure default config”.
** Section 2.4.3
A MUA offering header protection SHOULD NOT use hcp_null by default.
Same line of reasoning as above. Why couldn’t this be a MUST where the default configuration is Section 2.4.1 and local policy/configuration could decide to weaken things.
** Section 2.4.4.
However, the first
Internet Draft that attempts to define another HCP as a possible
recommendation for the public should ask IANA to establish such a
registry to avoid potential future namespace confusion.
-- If this is important to do to prevent namespace confusion, why doesn’t this document define a registry?
-- If a future document did define HCP registry to prevent name collision, is this document the owner of hpc_null/hpc_minimal/etc or could it take that namespace?
-- Could the situation where there is namespace confusion be clarified. Is the thinking that one could evaluate MUAs on their support of say “hcp_strong”? That label would mean some kind of agreed upon configuration?
-- If there is an ecosystem of HPCs envisioned, how does one define them? There is pseudo-code here with no defined semantics. What is here looks almost like Python.
** Section 2.5.4.1.
The MUA SHOULD ignore header fields from part J for the purposes of
rendering.
What would it mean for the MUA NOT to ignore the headers in rendering? Is this UI advice?
** Section 2.5.5.2
In this case, the automated system that decrypts the incoming
messages and scans the relevant MIME part SHOULD identify when the
MIME part contains a legacy display element (see Section 2.5.3.3.1),
and it SHOULD parse the relevant MIME part with the legacy display
element removed.
What happens if these SHOULDs are not followed by certain MUA? Doesn’t that produce inconsistent rendering of the same message across MUAs? Is this flexibility needed?
** Section 2.5.7. Editorial. I don’t understand this section. The title suggests that there are other rendering schemes, but it lists exactly one, pEp. As an implementer, what do I do with this section?
** Section 2.5.9.
An MUA that depends on any implicitly-rendered header field in a
message with header protection SHOULD use the value from the
protected header field, and SHOULD NOT use any value found outside
the cryptographic protection.
-- I’m trying to understand if this guidance is saying “if the implicitly-rendered header fields are protected, use those instead of any implicitly rendered field that are not protected”, or something else?
-- The construction of this guidance also has me confused about the situation where header protection exists for say the Subject field (hpc_minimum) but not for any of the implicit rendering fields? Is the “SHOULD NOT” then applicable to using those unprotected implicit-rendered headers?
** Section 3.1. Editorial. There is a raw markdown reference of “{#compose-injected-headers}” suggesting there is a typo.
** Section 4.2. Typo. s/not not/not/
** Section 4.2.
In the event that a MUA implementer gets user complaints about
problems with removed or obscured header fields due to the MUA's
defined HCP, the implementer may offer the user an option to drop
header confidentiality altogether for freshly composed messages
(thereby reverting to hcp_null).
The roles as described here don’t seem right. Let me try to fill in the role names with specifics to explain.
“In the event that Microsoft gets a user complaint about problems with removed … fields due to Outlook’s defined HCP, Microsoft may offer the user ...”
“In the event that Google gets a user complained about problems with removed fields due to Gmail’s defined HCP, Google may offer …”?
-- How does the implementer offer to the user anything without going through the MUA? Should the second clause be some version of s/the implementer may offer the user/the MUA UI may offer more robust configuration options that let the user .../
-- Maybe end-users in the consumer space complain to the MUA implementers, but in the enterprise space, aren’t the complaints sent to an IT department of some kind? Wouldn’t the HCP policy also be controlled by local policy in those cases?
** Section 4.3. Typo. s/outboud/outbound/
** Section 4.2
A MUA should not expose the ordinary user to any configuration option
where they are expected to manually select, enable, or disable header
protections for new cryptographically-protected messages.
What’s an “ordinary user”? Thunderbird shouldn’t give me the option to configure which of these I want to use?
** Section 5. Do RFC8551-S/MIME Security Considerations apply here?
** Section 6.2. Editorial. Recommend s/powerful HCP/aggressive HCP” since that terminology was used earlier.
** Section 6.2.
Instead, the composing MUA MUST judiciously
populate the origheaders list for any outbound message with only
information that the user reasonably intends the recipient to have
access to.
Is it possible to be more specific on what a “user reasonably intends” or to soften the language.
** Section 6.2.4
A receiving MUA should be cautious about how it represents the
cryptographic status of encrypted-only and signed-and-encrypted
header fields to the user, to avoid overpromising.
What does overpromising mean here? Can this be tied back to more specific guidance mentioned here or to the e2e-mail-guidance document?
** Section 7. Table 1 has the column of “Author/Change Control” but I don’t see that as a field in https://www.iana.org/assignments/message-headers/message-headers.xhtml#perm-headers
** Section 7.
If a registry of Content-Type parameters is created, the parameter
protected-headers should refer to this document. Its possible values
are v1 (meaning Injected Headers, see Section 2.1) and wrapped
(meaning Wrapped Message, see Section 2.2).
Was there any discussion inside the WG or with the ART area (the place with the most concentrated knowledge of MIME) on creating such a registry?
Regards,
Roman
- [lamps] AD Review of draft-ietf-lamps-header-prot… Roman Danyliw
- Re: [lamps] AD Review of draft-ietf-lamps-header-… Daniel Kahn Gillmor