Re: [Uta] RequireTLS: Revised text on message origination
Jim Fenton <fenton@bluepopcorn.net> Wed, 17 April 2019 19:08 UTC
Return-Path: <fenton@bluepopcorn.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58556120387 for <uta@ietfa.amsl.com>; Wed, 17 Apr 2019 12:08:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bpcuEm9CK3kT for <uta@ietfa.amsl.com>; Wed, 17 Apr 2019 12:08:43 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF7521203C9 for <uta@ietf.org>; Wed, 17 Apr 2019 12:08:25 -0700 (PDT)
Received: from steel.local ([IPv6:2601:647:4300:2290:51ba:1e4a:8ad0:9781]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id x3HJ8HOv017022 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 17 Apr 2019 12:08:19 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1555528100; bh=SyTwiIVWmwXqshhxOOjELdsoVzcm/6xegMb0TKSLyAE=; h=Subject:To:References:From:Date:In-Reply-To; b=Pw54pCBi/TLroi5odyacxw8bbMZph0mJ4xiZPj9Dkn7/kXm3LuHplNGWbmWTR8Kdz lDlLHKvgCT7K1bnMJ1qEW9M4M5m6aCtrlGaQTKwhTAnuUEK4l35TI2OIm7yKB/+0D/ 2RJaNf5lRh8hjQU8wk8qXrgNdBA90z8r7uA9Pj+w=
To: "Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl>, "uta@ietf.org" <uta@ietf.org>
References: <e64c8216-12c8-2fa6-bc5e-d9cc0445e22f@bluepopcorn.net> <5db81038-a286-5165-32a2-106674700cb1@sonnection.nl>
From: Jim Fenton <fenton@bluepopcorn.net>
Openpgp: preference=signencrypt
Autocrypt: addr=fenton@bluepopcorn.net; prefer-encrypt=mutual; keydata= mQINBFJNz0MBEADME6UoNSsTvSDJOdzL4yWfH4HTTOOZZPUcM/at38j4joeBb2PdatlwCBtk 9ZjupxFK+Qh5NZC19Oa6CHo0vlqw7V1hx1MUhmSPbzKRcNFhJu0KcQdniI8qmsqoG50IELXN BPI5OEZ3chYHpoXXi2+VCkjXJyeoqRNwNdv6QPGg6O1FMbB+AcIZj3x5U18LnJnXv1i+1vBq CxbMP43VmryPf8BLufcEciXpMEHydHbrEBZb/r7SBkUhdQXjxRNcWOLeYvOVUOOrr1c+jvqm DEbTWUJVRnUro/WpZQBffFnymR0jjkdAa8eOVl/nF2oMLbaBsOMvxCRSSEcGhuqwbEappNVT 1nuBTbkJT/GGcXxc+lEx9uNj86oYC4384VZJMTd1BRI4qPXImNZCIdmpKegK743B6xxN6Qh1 Tg167pn9429JENQE/AFIVX5B/gpsg7Aq+3rmz9H6GbfovPvFV3TBTgsHCHAMC8XU+S4fhcqN PN0lbUeyb7g6wxaE+dYqC7TExx7G3prw4v66y0qS7ow/Cfw8XXOEkaFQ4XwP7nvfILT+9CcU yS8I40vlDFU9Wnt56CbGz0ZVQgHnwyPXL+S9kCcIwRLFx1M79s6T6qwX1TXadfpbi1uIw7XG TiPDT8Pk6i2y22oSSROyYD4D+wOhVkkvO0S8iZ3+LhAYUx86nwARAQABtCNKaW0gRmVudG9u IDxmZW50b25AYmx1ZXBvcGNvcm4ubmV0PokCVQQTAQIAPwIbAwYLCQgHAwIGFQgCCQoLBBYC AwECHgECF4AWIQS1nUkJe2fEXbvBaacbJaiwFdCfvgUCW4RXswUJCxkNcAAKCRAbJaiwFdCf vjdyD/wNUBktyTqGVI5JGE8TJX6+6bmq5HHJ/I+CgGNtyvjriNZdxZJ86L5Z7MIidBeUOXvl /DZK+1zvS/hq8oMe7rPMbSepHHdhMyVTBuWnUG3n48dYOMqQjttBxisauC9GXrejhDJeGP+y WDLRdkMs1h5M48MKpEHf69pvkb+CCewbJeJH3kpPc5Iv9lJEOM/SrGlR72RUsMHeBcc3ykPR CeW0MpXGKAo5QCRw51uvuy7jZdlxOrLMMvMSyqCVanaW2Iz8mXQKufahkDfjff/eBUgXSfxS L1H2ZUN8XeyLttn6iei0Jqs1aSTmU1y0XxMM5k0rgA+3PoZrkgYTSvVBQMhE+sIyeoiB9oat 5h7M7nZBXc4LQTEwMFCamE4GIaSkpLFwBBwZwPa487XKnPbGV6zr7sYEzDaCvkQGJdfw6NqA 5IxLgmAoCAWnp3h26OtUJ0lmgpRy/Vy4yinbVAvkBq1CB1gRlNDYn0Ton06Bz0ltSpBTWTzj m6zvnA2JLzyFrTc30PR22WD/m18/qgua7YCiP1xu88AsnY5HPgxDj88PDiiyuFftYHhSY0Dy nV+iz+NEPal/LaklqVmA1+l8qj/SPAdycbD/s2X6MHjPBamdBmzytuEZnv+LImPTkdswExLD AORVDaH2SYuznhFs7xZ/t1rB5Yo1l5eDGdTQ6KLsDLkCDQRSTc9DARAAwZaXYs3OzGlpqvSH 3HR9GjSzIeP0EmsBCjpfIdZbQBwQ3ZREiMGInNxV+xkdjLDg0ctrWzUCUe3plWe5NJkpjqm+ KMc7GKhyeWJ5MZRtVrh0VpFTqi8UwYPWumAYqE1y/U1me/zHpfG9EDwdSYqMkPF76Fy5W+vh ZP2ILKaY8qWSLyH8TPl5mFGBypfT8Q6UuzlRs2aTbsTtBX/qwH7gztMRJSjQtYo20AqCgBBH IA/0xV5qDH7CVYyKyPQ4tJLQ8/xyTysUS5fewrj8lZo/G9SaNtC3CEvrJYwyA0nvYB6+hJPM qMP/tyRXM/9XY3qO4Vxuc+m5fYbTZa5GYAZNNuB5dvqI1U0sFTWBEbpAeabqCQ40ZnFSj+t1 tBuwfj4ey/oJ78WRyg5+VTvPKRRubOmZcnzj5yfTS3VGxAZb4Nsj1S2f3KLP0Z+Cv4dt893I 2JWTChw7jA1omF0QTQaBq140n084PFndBHudrZ3cz+APC89iie2HQ4jGQldXZXnGySHnHlA+ WUyZ9wgOplW9F4Q/Lps1bnuh5VttPVpNfjX8hiV48al+b+ut4nfzXAripIRWF3TL72/6JqgE KNhRKyRn0S6BidieSyHWzqJR3Roi/YNTvyXyLh6i6jtByb3FbnhYf/9olobDpj0E+kTemLrw owre85gwupSphqlzVSUAEQEAAYkCPAQYAQIAJgIbDBYhBLWdSQl7Z8Rdu8FppxslqLAV0J++ BQJbhFZUBQkLF7qRAAoJEBslqLAV0J++wvgP/jPjfjH3zEGYhdv89B0vFsRIBDDZzJuMxZZL EW/FyqKqswTHt6HD2ScuiGNEsNWebKEZbj2+Y673KqWnBGMFuJovAzlLeNNxQToJq03pzm/9 4A0ePYk9xzrMgtW+DEUemWElvMbSwZYid8Zj4lAx+U/X6Dh7HPSTx8DO4BKRA4cLrASOaUuS /w8/2eTXNEJssqc8Shwq6bNO5cPXrjb/qJgbb/MOLp0Nn1vNIPjoi/88910pyOV9chYJJFRX zOofGwaRjvcO55X57lveBrNEgH453EHa7QAHL4wD2dbCd445YOPkn0mBNJe3Un5JTsi6IQaK NHUMfwTWrVWN8RapFaPv6YXVBEvpA13G88TFkR5UHlz6YEUMATmgJQpmTFRkPYT0DTEbL4/O ywFgqMzmY1ojKV/Z6iWCAHqVnyFr6NtTFmT/qkOtb933YWJZW6Pg/Us2rZHro7uvQ/bf7Uxb vkn4lX+VneDBjsk3RPnHO/6k8lY2xQ343O7QOedSkM6rJpB9IbgXvHJNJfAWV+L89ElZeKJr VNaQqAw/1uXM7s8MVc+qwoT+DN0jsdqkBcuBxnbYeyM/8X6wcZHopV74r7SAbH4TrtjcBft5 nyM0UroVaEXvJxLzL3kQTsHIiDtGVuYwDTHzVl9591fuyEe0cYZVP2WckXcuM7EUn4CPBUYJ
Message-ID: <d6b5f74c-2a08-8966-ef4f-8bb6f399d599@bluepopcorn.net>
Date: Wed, 17 Apr 2019 12:08:12 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <5db81038-a286-5165-32a2-106674700cb1@sonnection.nl>
Content-Type: multipart/alternative; boundary="------------85317D85AE0B46497FB561E3"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/2RXQUPqSrkqb2r6H0EuuQk5aI8E>
Subject: Re: [Uta] RequireTLS: Revised text on message origination
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2019 19:08:46 -0000
Hi Rolf, On 4/15/19 2:06 PM, Rolf E. Sonneveld wrote: > Hi, Jim, > > On 12-04-19 21:44, Jim Fenton wrote: >> >> One of the significant discussions at the Prague meeting (and >> originally resulting from IESG comments) was that the Section 6, >> "Mailing list considerations" was incomplete because it didn't >> consider other causes of origination such as Sieve and vacation >> programs. So I have drafted an alternative Section 6, below. Please >> review and comment. (Thanks Barry L. for reviewing first draft). >> >> 6. Reorigination considerations >> >> In a number of situations, an agent for the addressee of a message >> originates a new message as a result of an incoming message. These >> situations include, but are not limited to, mailing lists (including >> administrative traffic such as message approval requests), Sieve [RFC >> 5228], "vacation" responders, and other filters to which incoming >> messages may be piped. These newly originated messages may essentially >> be copies of the incoming message, such as with a forwarding service >> or a mailing list expander. > > I wonder whether it's not better to refer to c.q. use the terminology > as defined by RFC5598. Something like: > > In a number of situations, a mediator originates a new message as a result of an incoming message. See [RFC5598] chapter 5 for a non-exhaustive list of examples of mediators. These newly originated messages may essentially > be copies of the incoming message. I like "mediator" and the reference to RFC 5598 rather than "agent". I think I'd like to keep the examples rather than refer everyone to 5598 to see what is meant by a mediator. [aside: RFC 5598 doesn't seem to have up-to-date information about mailing list mediators. Specifically, it says that they leave the From address alone, which is frequently not the case with "DMARC-friendly" mailing lists.] > >> In other cases, such as with a vacation >> message or a delivery notification, they will be different but might >> contain parts of the original message or other information for which >> the original message sender wants to influence the requirement to use >> TLS transmission. > > I think this section clearly shows the limited guarantees that > REQUIRETLS can provide. It may give the sender a false sense of > safety/security. How is an implementor supposed to implement this spec > conveying all nuances of the rich e-mail eco-system to the user? How > can we expect an average user to understand the warning that's in the > Security Considerations section? Suppose a MUA implementor implements > this spec by giving the user a nice button labelled 'when recipient > does not support encryption, return the message and do not deliver' > (this won't fit on a button anyway ;-)). The user may find this meets > his/her privacy requirements, presses this REQUIRETLS button and sends > the mail. There are plenty of scenarios where the expectation of the > end user is not met: > > * the recipients mail system returns an out-of-office message, > including the decrypted contents of the message; > * some intermediate MTA sends a forensic DMARC report including the > decrypted contents of the message; > * anywhere along the chain of MTA's someone eavesdrop on the message; > * a mailing list, which in the remainder of your text for chapter 6, > does not apply REQUIRETLS to the messages it distributes; > * et cetera > Most implementations of REQUIRETLS are relay MTAs that have no connection with the user at all. An MUA that provides a nice button should tell the user clearly what that means and not oversell the capability. I'm not a UX designer but I have seen ways to give more information on a feature when it is first used or until the user clicks a "don't show me this any more" thing. But, of the users that even know that email is only sometimes encrypted in transit, how many know that any verification of the certificate is probably ignored? That middleboxes can interfere with TLS negotiation to cause messages to be sent in the clear so that they can be intercepted? Yes, REQUIRETLS doesn't address every situation, but it greatly limits the scope of this problem. The intent of this section is to inform implementors of the limitations so that they can educate their users and not oversell it. > >> Agents that reoriginate messages should apply REQUIRETLS requirements >> in incoming messages (both requiring TLS transmission and requesting >> that TLS not be required) > > This is rather confusing. I assume you mean: > > ... incoming messages (requiring TLS transmission) and requesting that > TLS not be required to the reoriginated messages ...? Not quite. I'm saying that agents (now mediators) should reoriginate messages with the same REQUIRETLS characteristics -- both applying the REQUIRETLS SMTP option if it was on the incoming message, and the use of the TLS-Required header field if the originator's intent is to not require the use of TLS for the message. > >> to the reoriginated messages to the extent >> feasible. A limitation to this might be that for a message requiring >> TLS, redistribution to multiple addresses while retaining the TLS >> requirement could result in the message not being delivered to some of >> the intended recipients. >> User-side reorigination (such as use of Sieve rules on a user agent) >> typically does not have access to the SMTP details, and therefore may >> not be aware of the REQUIRETLS requirement on a delivered message. >> Operators of user-side agents that expect sensitive traffic should >> consider this possibility, and if operationally feasible (when >> forwarding to a specific, known address; when appropriate >> configuration options are available) should > > SHOULD instead of should? It's an action by the operator, not the protocol, so the non-normative "should" was used. > >> apply REQUIRETLS whenever >> feasible to messages that do not contain the "TLS-Required: No" header >> field. > > Operators of these user-side agents are often the end users > themselves. I don't think anyone can expect from the average user that > constructs a sieve filter (e.g. using a form in a webmail client) that > he/she will honor the REQUIRETLS settings of the original message (the > more because they won't have this REQUIRETLS information available, as > you describe). > > Apart from this, I find this sentence difficult to read, maybe you'd > better split up this sentence in shorter parts? I'll try to break it up into more manageable pieces, yes. Thanks for your review. -Jim
- [Uta] RequireTLS: Revised text on message origina… Jim Fenton
- Re: [Uta] RequireTLS: Revised text on message ori… Rolf E. Sonneveld
- Re: [Uta] RequireTLS: Revised text on message ori… Jim Fenton