Re: [Uta] RequireTLS: Revised text on message origination
"Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl> Mon, 15 April 2019 21:06 UTC
Return-Path: <R.E.Sonneveld@sonnection.nl>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0DF812021F for <uta@ietfa.amsl.com>; Mon, 15 Apr 2019 14:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T48HbNmGNAdW for <uta@ietfa.amsl.com>; Mon, 15 Apr 2019 14:06:52 -0700 (PDT)
Received: from mx10.mailtransaction.com (mx10.mailtransaction.com [88.198.59.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5124120232 for <uta@ietf.org>; Mon, 15 Apr 2019 14:06:49 -0700 (PDT)
Received: from mx34.mailtransaction.com (D57E1703.static.ziggozakelijk.nl [213.126.23.3]) by mx10.mailtransaction.com (Postfix) with ESMTP id 44jgzW1ygDz2qF0l; Mon, 15 Apr 2019 23:06:47 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx10.mailtransaction.com 44jgzW1ygDz2qF0l
Authentication-Results: mx1.mailtransaction.com; dkim=none; dkim-atps=neutral
Received: from tiger.sonnection.nl (tiger.sonnection.nl [192.168.20.2]) by mx34.mailtransaction.com (Postfix) with ESMTP id 44jgzW0f5Rz2nGHx; Mon, 15 Apr 2019 23:06:47 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by tiger.sonnection.nl (Postfix) with ESMTP id 0B8F3422320; Mon, 15 Apr 2019 23:06:47 +0200 (CEST)
X-Virus-Scanned: amavisd-new at tiger.sonnection.nl
Received: from tiger.sonnection.nl ([127.0.0.1]) by localhost (tiger.sonnection.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id kv2MkBzhkC1H; Mon, 15 Apr 2019 23:06:46 +0200 (CEST)
Received: from [192.168.40.49] (cat.sonnection.nl [192.168.40.49]) by tiger.sonnection.nl (Postfix) with ESMTPSA id E20DE42231D; Mon, 15 Apr 2019 23:06:46 +0200 (CEST)
To: Jim Fenton <fenton@bluepopcorn.net>, "uta@ietf.org" <uta@ietf.org>
References: <e64c8216-12c8-2fa6-bc5e-d9cc0445e22f@bluepopcorn.net>
From: "Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl>
Organization: Sonnection B.V.
Message-ID: <5db81038-a286-5165-32a2-106674700cb1@sonnection.nl>
Date: Mon, 15 Apr 2019 23:06:46 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <e64c8216-12c8-2fa6-bc5e-d9cc0445e22f@bluepopcorn.net>
Content-Type: multipart/alternative; boundary="------------124DDA0AD2BF0FE39AEBB17C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/YDHZ30_Qtm5Tq4yaza73F1CbB4M>
Subject: Re: [Uta] RequireTLS: Revised text on message origination
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 21:06:55 -0000
Hi, Jim, On 12-04-19 21:44, Jim Fenton wrote: > > One of the significant discussions at the Prague meeting (and > originally resulting from IESG comments) was that the Section 6, > "Mailing list considerations" was incomplete because it didn't > consider other causes of origination such as Sieve and vacation > programs. So I have drafted an alternative Section 6, below. Please > review and comment. (Thanks Barry L. for reviewing first draft). > > 6. Reorigination considerations > > In a number of situations, an agent for the addressee of a message > originates a new message as a result of an incoming message. These > situations include, but are not limited to, mailing lists (including > administrative traffic such as message approval requests), Sieve [RFC > 5228], "vacation" responders, and other filters to which incoming > messages may be piped. These newly originated messages may essentially > be copies of the incoming message, such as with a forwarding service > or a mailing list expander. I wonder whether it's not better to refer to c.q. use the terminology as defined by RFC5598. Something like: In a number of situations, a mediator originates a new message as a result of an incoming message. See [RFC5598] chapter 5 for a non-exhaustive list of examples of mediators. These newly originated messages may essentially be copies of the incoming message. > In other cases, such as with a vacation > message or a delivery notification, they will be different but might > contain parts of the original message or other information for which > the original message sender wants to influence the requirement to use > TLS transmission. I think this section clearly shows the limited guarantees that REQUIRETLS can provide. It may give the sender a false sense of safety/security. How is an implementor supposed to implement this spec conveying all nuances of the rich e-mail eco-system to the user? How can we expect an average user to understand the warning that's in the Security Considerations section? Suppose a MUA implementor implements this spec by giving the user a nice button labelled 'when recipient does not support encryption, return the message and do not deliver' (this won't fit on a button anyway ;-)). The user may find this meets his/her privacy requirements, presses this REQUIRETLS button and sends the mail. There are plenty of scenarios where the expectation of the end user is not met: * the recipients mail system returns an out-of-office message, including the decrypted contents of the message; * some intermediate MTA sends a forensic DMARC report including the decrypted contents of the message; * anywhere along the chain of MTA's someone eavesdrop on the message; * a mailing list, which in the remainder of your text for chapter 6, does not apply REQUIRETLS to the messages it distributes; * et cetera > > Agents that reoriginate messages should apply REQUIRETLS requirements > in incoming messages (both requiring TLS transmission and requesting > that TLS not be required) This is rather confusing. I assume you mean: ... incoming messages (requiring TLS transmission) and requesting that TLS not be required to the reoriginated messages ...? > to the reoriginated messages to the extent > feasible. A limitation to this might be that for a message requiring > TLS, redistribution to multiple addresses while retaining the TLS > requirement could result in the message not being delivered to some of > the intended recipients. > > User-side reorigination (such as use of Sieve rules on a user agent) > typically does not have access to the SMTP details, and therefore may > not be aware of the REQUIRETLS requirement on a delivered message. > Operators of user-side agents that expect sensitive traffic should > consider this possibility, and if operationally feasible (when > forwarding to a specific, known address; when appropriate > configuration options are available) should SHOULD instead of should? > apply REQUIRETLS whenever > feasible to messages that do not contain the "TLS-Required: No" header > field. Operators of these user-side agents are often the end users themselves. I don't think anyone can expect from the average user that constructs a sieve filter (e.g. using a form in a webmail client) that he/she will honor the REQUIRETLS settings of the original message (the more because they won't have this REQUIRETLS information available, as you describe). Apart from this, I find this sentence difficult to read, maybe you'd better split up this sentence in shorter parts? /rolf
- [Uta] RequireTLS: Revised text on message origina… Jim Fenton
- Re: [Uta] RequireTLS: Revised text on message ori… Rolf E. Sonneveld
- Re: [Uta] RequireTLS: Revised text on message ori… Jim Fenton