This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
-This Internet-Draft will expire on December 25, 2019.
+This Internet-Draft will expire on December 26, 2019.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
@@ -490,81 +490,81 @@No mechanism for header protection has been standardized for PGP (Pretty Good Privacy) yet.
End-to-end protection for the email headers section is currently not widely implemented – neither for messages protected by means of S/MIME nor PGP. At least two variants of header protection are known to be implemented.
-This document describes the problem statement, generic use cases (Section 4) and requirements for header protection (Section 5) Additionally it drafts possible solutions to address the challenge. However, the final solution will be determined by the IETF LAMPS WG. Finally, some best practices are collected.
+This document describes the problem statement, generic use cases (Section 3) and requirements for header protection (Section 4) Additionally it drafts possible solutions to address the challenge. However, the final solution will be determined by the IETF LAMPS WG. Finally, some best practices are collected.
[…]
-The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
-The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
+The following terms are defined in this document:
+The following terms are defined for the scope of this document:
The LAMPS charter contains the folllowing Work Item:
+The LAMPS charter contains the folllowing Work Item:
[…]
-[…]
+In the following, we show the generic use cases that need to be addressed independently of whether S/MIME, PGP/MIME or any other technology is used for which Header Protection (HP) is to be applied to.
-In the following, we show the generic use cases that need to be addressed independently of whether S/MIME, PGP/MIME or any other technology is used for which Header Protection (HP) is to be applied to.
+The main interaction case for Header Protection (HP) is:
+The main interaction case for Header Protection (HP) is:
1) Both peers (sending and receiving side) fully support HP-
For backward compatibility of legacy clients – unaware of any HP – the following intermediate interactions need to be considered as well:
+For backward compatibility of legacy clients – unaware of any HP – the following intermediate interactions need to be considered as well:
2) The sending side fully supports HP, while the receiving side does
not support any HP
@@ -642,7 +642,7 @@
(trivial case)
-The following intermediate use cases may need to be considered as well for backward compatibility with legacy HP systems, such as S/MIME since version 3.1 (cf. [RFC8551]), in the following designated as legacy HP:
+The following intermediate use cases may need to be considered as well for backward compatibility with legacy HP systems, such as S/MIME since version 3.1 (cf. [RFC8551]), in the following designated as legacy HP:
5) The sending side fully supports HP, while the receiving side
supports legacy HP only
@@ -659,22 +659,22 @@
supports legacy HP only (trivial case)
-Note: It is to be decided whether to ensure legacy HP systems do not conflict with any new solution for HP at all or whether (and to which degree) backward compatibility to legacy HP systems shall be maintained.
-Note: It is to be decided whether to ensure legacy HP systems do not conflict with any new solution for HP at all or whether (and to which degree) backward compatibility to legacy HP systems shall be maintained.
+The following protection levels need to be considered:
-a) signature and encryption
-b) signature only
-c) encryption only [[ TODO: verify whether relevant ]]
-The following protection levels need to be considered:
+a) signature and encryption
+b) signature only
+c) encryption only [[ TODO: verify whether relevant ]]
+In the following a list of requirements that need to be addressed independently of whether S/MIME, PGP/MIME or any other technology is used to apply HP to.
-In the following a list of requirements that need to be addressed independently of whether S/MIME, PGP/MIME or any other technology is used to apply HP to.
+This subsection is listing the requirements to address use case 1) (cf. Section 4.1).
+This subsection is listing the requirements to address use case 1) (cf. Section 3.1).
G1: Define the format for HP for all protection levels. This includes
MIME structure, Content-Type (including charset and name),
@@ -695,8 +695,8 @@ G4: Ensure that man-in-the-middle attack (MITM) cf. {{RFC4949}}, in
-GS1: Determine which Header Fields (HFs) should or must be protected @@ -715,8 +715,8 @@ GS3: Determine which HF should not or must not be included in the GS4: Determine which HF to not to include to any HP part (e.g. Bcc).-
GR1: Determine how HF should be displayed to the user in case of
@@ -727,18 +727,18 @@ GR2: Ensure that man-in-the-middle attack (MITM) cf. {{RFC4949}}, in
particular downgrade attacks, can be detected.
-This sub-section addresses the use cases 2) - 4) (cf. Section 4.1)
+This sub-section addresses the use cases 2) - 4) (cf. Section 3.1)
B1: Depending on the solution, define a means to distinguish between
forwarded messages and encapsulated messages using new HP
mechanism.
-
BS1: Define how full HP support can be indicated to outgoing
@@ -751,17 +751,17 @@ BS3: Ensure a HP unaware receiving side easily can display the
"Subject" HF to the user.
-BR1: Define how full HP support can be detected in incoming messages.-
This sub-section addresses the use cases 5) - 9) (cf. Section 4.1).
+This sub-section addresses the use cases 5) - 9) (cf. Section 3.1).
LS1: Depending on the solution, define a means to distinguish between
forwarded messages, legacy encapsulated messages, and
@@ -772,8 +772,8 @@ LS2: The solution should be backward compatible to existing solutions
for existing solutions.
-
LSS1: Determine how legacy HP support can be indicated to outgoing
@@ -783,47 +783,47 @@ LSS2: Determine how legacy HP support of the receiver can be detected
or guessed.
-
LSR1: Determine how legacy HP support can be detected in incoming
messages.
-In the following a set of Options to achieve Email Header Protection. It is expected that the IETF LAMPS WG chooses an option to update [RFC8551] wrt. Header Protection.
-In the following a set of Options to achieve Email Header Protection. It is expected that the IETF LAMPS WG chooses an option to update [RFC8551] wrt. Header Protection.
+Memory Hole approach works by copying the normal message header fields into the MIME header section of the top level protected body part. Since the MIME body part header section is itself covered by the protection mechanisms (signing and/or encryption) it shares the protections of the message body.
-[[ TODO: [DKG] add more information on memory hole]]
-Memory Hole approach works by copying the normal message header fields into the MIME header section of the top level protected body part. Since the MIME body part header section is itself covered by the protection mechanisms (signing and/or encryption) it shares the protections of the message body.
+[[ TODO: [DKG] add more information on memory hole]]
+Wrapping with message/rfc822 (or message/global) works by copying the normal message header fields into the MIME header section of the top level protect body part
-[[ HB: Not sure this is well expressed: In option 2 the whole message is copied into the MIME body part as message/rfc822 element. ]]
-and then prepending them with “Content-Type: message/rfc822; forwarded=no\r\n” or “Content-Type: message/global; forwarded=no\r\n”, where \r\n is US-ASCII CR followed by US-ASCII LF. Since the MIME body part header section is itself covered by the protection mechanisms (signing and/or encryption) it shares the protections of the message body.
-Wrapping with message/rfc822 (or message/global) works by copying the normal message header fields into the MIME header section of the top level protect body part
+[[ HB: Not sure this is well expressed: In option 2 the whole message is copied into the MIME body part as message/rfc822 element. ]]
+and then prepending them with “Content-Type: message/rfc822; forwarded=no\r\n” or “Content-Type: message/global; forwarded=no\r\n”, where \r\n is US-ASCII CR followed by US-ASCII LF. Since the MIME body part header section is itself covered by the protection mechanisms (signing and/or encryption) it shares the protections of the message body.
+This section outlines how the new “forwarded” Content-Type header field parameter could be defined (probabely in a separate document) and how header section wrapping works:
-This document defines a new Content-Type header field parameter [RFC2045] with name “forwarded”. The parameter value is case- insensitive and can be either “yes” or “no”. (The default value being “yes”). The parameter is only meaningful with media type “message/rfc822” and “message/global” [RFC6532] when used within S/MIME signed or encrypted body parts. The value “yes” means that the message nested inside “message/rfc822” (“message/global”) is a forwarded message and not a construct created solely to protect the inner header section.
-Instructions in [RFC8551] describing how to protect the Email message header section [RFC5322], by wrapping the message inside a message/ rfc822 container [RFC2045] are thus updated to read:
+This section outlines how the new “forwarded” Content-Type header field parameter could be defined (probabely in a separate document) and how header section wrapping works:
+This document defines a new Content-Type header field parameter [RFC2045] with name “forwarded”. The parameter value is case- insensitive and can be either “yes” or “no”. (The default value being “yes”). The parameter is only meaningful with media type “message/rfc822” and “message/global” [RFC6532] when used within S/MIME signed or encrypted body parts. The value “yes” means that the message nested inside “message/rfc822” (“message/global”) is a forwarded message and not a construct created solely to protect the inner header section.
+Instructions in [RFC8551] describing how to protect the Email message header section [RFC5322], by wrapping the message inside a message/ rfc822 container [RFC2045] are thus updated to read:
[[This section needs more work. Don’t treat anything in it as unchangeable.]]
-For a signed-only message, it is RECOMMENDED that all “outer” header fields are copied into the “inner” protected body part. This would mean that all header fields are signed. In this case, the “outer” header fields simply match the protected header fields. And in the case that the “outer” header fields differ, they can simply be replaced with their protected versions when displayed to the user.
-When generating encrypted or encrypted+signed S/MIME messages which protect header fields:
+[[This section needs more work. Don’t treat anything in it as unchangeable.]]
+For a signed-only message, it is RECOMMENDED that all “outer” header fields are copied into the “inner” protected body part. This would mean that all header fields are signed. In this case, the “outer” header fields simply match the protected header fields. And in the case that the “outer” header fields differ, they can simply be replaced with their protected versions when displayed to the user.
+When generating encrypted or encrypted+signed S/MIME messages which protect header fields:
Note that recommendations listed above typically only apply to non MIME header fields (header fields with names not starting with “Content-“ prefix), but there are exception, e.g. Content-Language.
-Note that the above recommendations can also negatively affect antispam processing.
-When displaying S/MIME messages which protect header fields (whether they are signed-only, encrypted or encrypted+signed):
+Note that recommendations listed above typically only apply to non MIME header fields (header fields with names not starting with “Content-“ prefix), but there are exception, e.g. Content-Language.
+Note that the above recommendations can also negatively affect antispam processing.
+When displaying S/MIME messages which protect header fields (whether they are signed-only, encrypted or encrypted+signed):
field to display
-[[TBD: describe how to recurse to find the innermost protected root body part, extract header fields from it and propogate them to the top level. This should also work for triple-wrapped messages.]]
-field to display
+[[TBD: describe how to recurse to find the innermost protected root body part, extract header fields from it and propogate them to the top level. This should also work for triple-wrapped messages.]]
+This option is similar to Option 2 (cf. Section 6.2). It also makes use the Content-Type property “forwarded” (cf. Section 6.2.1).
-This option is similar to Option 2 (cf. Section 5.2). It also makes use the Content-Type property “forwarded” (cf. Section 5.2.1).
+pretty Easy privacy (pEp) [I-D.birk-pep] is working on bringing state-of-the-art automatic cryptography known from areas like TLS to electronic mail (email) communication. pEp is determined to evolve the existing standards as fundamentally and comprehensively as needed to gain easy implementation and integration, and for easy use for regular Internet users. pEp for email wants to attaining to good security practice while still retaining backward compatibility for implementations widespread.
-To provide the required stability as a foundation for good security practice, pEp for email defines a fixed MIME structure for its innermost message structure, so to remove most attack vectors which have permitted the numerous EFAIL vulnerabilities. (TBD: ref)
-Security comes just next after privacy in pEp, for which reason the application of signatures without encryption to messages in transit is not considered purposeful. pEp for email herein referenced, and further described in [I-D.marques-pep-email], either expects to transfer messages in cleartext without signature or encryption, or transfer them encrypted and with enclosed signature and necessary public keys so that replies can be immediately upgraded to encrypted messages.
-The pEp message format is equivalent to the S/MIME standard in ensuring header protection, in that the whole message is protected instead, by wrapping it and providing cryptographic services to the whole original message. The pEp message format is different compared to the S/MIME standard in that the pEp protocols propose opportunistic end-to-end security and signature, by allowing the transport of the necessary public key material along with the original messages.
-For the purpose of allowing the insertion of such public keys, the root entity of the protected message is thus nested once more into an additional multipart/mixed MIME entity. The current pEp proposal is for PGP/MIME, while an extension to S/MIME is next.
-pEp’s proposal is strict in that it requires that the cryptographic services applied to the protected message MUST include encryption. It also mandates a fixed MIME structure for the protected message, which always MUST include a plaintext and optionally an HTML representation (if HTML is used) of the same message, and requires that all other optional elements to be eventually presented as attachments. Alternatively the whole protected message could represent in turn a wrapped pEp wrapper, which makes the message structure fully recursive on purpose (e.g., for the purpose of anonymization through onion routing).
-For the purpose of implementing mixnet routing for email, it is foreseen to nest pEp messages recursively. A protected message can in turn contain a protected message due for forwarding. This is for the purpose to increase privacy and counter the necessary leakage of plaintext addressing in the envelope of the email.
-The recursive nature of the pEp message format allows for the implementation of progressive disclosure of the necessary transport relevant header fields just as-needed to the next mail transport agents along the transmission path.
-pEp has also implemented the above (in Section 6.2.1) described Content-Type property “forwarded” to distinguish between encapsulated and forwarded emails.
-pretty Easy privacy (pEp) [I-D.birk-pep] is working on bringing state-of-the-art automatic cryptography known from areas like TLS to electronic mail (email) communication. pEp is determined to evolve the existing standards as fundamentally and comprehensively as needed to gain easy implementation and integration, and for easy use for regular Internet users. pEp for email wants to attaining to good security practice while still retaining backward compatibility for implementations widespread.
+To provide the required stability as a foundation for good security practice, pEp for email defines a fixed MIME structure for its innermost message structure, so to remove most attack vectors which have permitted the numerous EFAIL vulnerabilities. (TBD: ref)
+Security comes just next after privacy in pEp, for which reason the application of signatures without encryption to messages in transit is not considered purposeful. pEp for email herein referenced, and further described in [I-D.marques-pep-email], either expects to transfer messages in cleartext without signature or encryption, or transfer them encrypted and with enclosed signature and necessary public keys so that replies can be immediately upgraded to encrypted messages.
+The pEp message format is equivalent to the S/MIME standard in ensuring header protection, in that the whole message is protected instead, by wrapping it and providing cryptographic services to the whole original message. The pEp message format is different compared to the S/MIME standard in that the pEp protocols propose opportunistic end-to-end security and signature, by allowing the transport of the necessary public key material along with the original messages.
+For the purpose of allowing the insertion of such public keys, the root entity of the protected message is thus nested once more into an additional multipart/mixed MIME entity. The current pEp proposal is for PGP/MIME, while an extension to S/MIME is next.
+pEp’s proposal is strict in that it requires that the cryptographic services applied to the protected message MUST include encryption. It also mandates a fixed MIME structure for the protected message, which always MUST include a plaintext and optionally an HTML representation (if HTML is used) of the same message, and requires that all other optional elements to be eventually presented as attachments. Alternatively the whole protected message could represent in turn a wrapped pEp wrapper, which makes the message structure fully recursive on purpose (e.g., for the purpose of anonymization through onion routing).
+For the purpose of implementing mixnet routing for email, it is foreseen to nest pEp messages recursively. A protected message can in turn contain a protected message due for forwarding. This is for the purpose to increase privacy and counter the necessary leakage of plaintext addressing in the envelope of the email.
+The recursive nature of the pEp message format allows for the implementation of progressive disclosure of the necessary transport relevant header fields just as-needed to the next mail transport agents along the transmission path.
+pEp has also implemented the above (in Section 5.2.1) described Content-Type property “forwarded” to distinguish between encapsulated and forwarded emails.
+By default, all headers of the original message SHOULD be wrapped with the original message, with one exception:
+By default, all headers of the original message SHOULD be wrapped with the original message, with one exception:
The outer message requires a minimal set of headers to be in place for being eligible for transport. This includes the “From”, “To”, “Cc”, “Bcc”, “Subject” and “Message-ID” header fields. The protocol hereby defined also depends on the “MIME-Version”, “Content-Type”, “Content-Disposition” and eventually the “Content-Transport-Encoding” header field to be present.
-Submission and forwarding based on SMTP carries “from” and “receivers” information out-of-band, so that the “From” and “To” header fields are not strictly necessary. Nevertheless, “From”, “Date”, and at least one destination header field is mandatory as per [RFC5322]. They SHOULD be conserved for reliability.
-The following header fields should contain a verbatim copy of the header fields of the inner message:
+The outer message requires a minimal set of headers to be in place for being eligible for transport. This includes the “From”, “To”, “Cc”, “Bcc”, “Subject” and “Message-ID” header fields. The protocol hereby defined also depends on the “MIME-Version”, “Content-Type”, “Content-Disposition” and eventually the “Content-Transport-Encoding” header field to be present.
+Submission and forwarding based on SMTP carries “from” and “receivers” information out-of-band, so that the “From” and “To” header fields are not strictly necessary. Nevertheless, “From”, “Date”, and at least one destination header field is mandatory as per [RFC5322]. They SHOULD be conserved for reliability.
+The following header fields should contain a verbatim copy of the header fields of the inner message:
The entries with an asterisk mark (*) should only be set if also present in the original message.
-The entries with an asterisk mark (*) should only be set if also present in the original message.
+More information on progressive header disclosure can be found in [I-D.marques-pep-email] and [I-D.luck-lamps-pep-header-protection]. The latter is a predecessor of this document.
-More information on progressive header disclosure can be found in [I-D.marques-pep-email] and [I-D.luck-lamps-pep-header-protection]. The latter is a predecessor of this document.
+Examples in subsequent sections assume that an email client is trying to protect (sign) the following initial message:
+Examples in subsequent sections assume that an email client is trying to protect (sign) the following initial message:
Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time) From: "Alexey Melnikov" <alexey.melnikov@example.net> @@ -931,10 +931,10 @@ O: boundary=.cbe16d2a-e1a3-4220-b821-38348fc97237-
The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the first body part of a multipart/signed message or the signed and/or encrypted payload of the application/pkcs7-mime body part. Lines prepended by “O: “ are the outer header section. Lines prepended by “I: “ are the inner header section.
+The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the first body part of a multipart/signed message or the signed and/or encrypted payload of the application/pkcs7-mime body part. Lines prepended by “O: “ are the outer header section. Lines prepended by “I: “ are the inner header section.
O: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
O: Message-ID: <e4a483cb-1dfb-481d-903b-298c92c21f5e@mattingly.example.net>
@@ -968,10 +968,10 @@ I: Content-Type: text/plain; charset=us-ascii
--.cbe16d2a-e1a3-4220-b821-38348fc97237--
-The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the first body part of a multipart/signed message or the signed and/or encrypted payload of the application/pkcs7-mime body part. Lines prepended by “O: “ are the outer header section. Lines prepended by “I: “ are the inner header section. Lines prepended by “W: “ are the wrapper.
+The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the first body part of a multipart/signed message or the signed and/or encrypted payload of the application/pkcs7-mime body part. Lines prepended by “O: “ are the outer header section. Lines prepended by “I: “ are the inner header section. Lines prepended by “W: “ are the wrapper.
O: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
O: Message-ID: <e4a483cb-1dfb-481d-903b-298c92c21f5e@mattingly.example.net>
@@ -1007,35 +1007,35 @@ I: Content-Type: text/plain; charset=us-ascii
--.cbe16d2a-e1a3-4220-b821-38348fc97237--
-This looks similar as in option 2. Specific examples can be found in [I-D.luck-lamps-pep-header-protection].
+This looks similar as in option 2. Specific examples can be found in [I-D.luck-lamps-pep-header-protection].
+This document talks about UI considerations, including security considerations, when processing messages protecting header fields. One of the goals of this document is to specify UI for displaying such messages which is less confusing/misleading and thus more secure.
+The document is not defining new protocol, so it doesn’t create any new security concerns not already covered by S/MIME [RFC8551], MIME [RFC2045] and Email [RFC5322] in general.
This document talks about UI considerations, including security considerations, when processing messages protecting header fields. One of the goals of this document is to specify UI for displaying such messages which is less confusing/misleading and thus more secure.
-The document is not defining new protocol, so it doesn’t create any new security concerns not already covered by S/MIME [RFC8551], MIME [RFC2045] and Email [RFC5322] in general.
+[[ TODO ]]
[[ TODO ]]
+This document requests no action from IANA.
+[[ RFC Editor: This section may be removed before publication. ]]
This document requests no action from IANA.
-[[ RFC Editor: This section may be removed before publication. ]]
-Special thanks go to Krista Bennett and Volker Birk for valuable input to this draft and Hernani Marques for reviewing.
-[[ TODO [AM]: Do we need to mention: Wei Chuang, Steve Kille, David Wilson and Robert Williams (copied from Acknowledgements section of [I-D.melnikov-lamps-header-protection] ]]
-Special thanks to Claudio Luck who authored a predecessor of this document. Essential parts of his work have been merged into this one.
-David Wilson came up with the idea of defining a new Content-Type header field parameter to distinguish forwarded messages from inner header field protection constructs.
+Special thanks go to Krista Bennett and Volker Birk for valuable input to this draft and Hernani Marques for reviewing.
+[[ TODO [AM]: Do we need to mention: Wei Chuang, Steve Kille, David Wilson and Robert Williams (copied from Acknowledgements section of [I-D.melnikov-lamps-header-protection] ]]
+Special thanks to Claudio Luck who authored a predecessor of this document. Essential parts of his work have been merged into this one.
+David Wilson came up with the idea of defining a new Content-Type header field parameter to distinguish forwarded messages from inner header field protection constructs.
| [RFC2045] | @@ -1059,7 +1059,7 @@ I: Content-Type: text/plain; charset=us-ascii
| [I-D.birk-pep] | diff --git a/ietf-lamps-header-protection/draft-ietf-lamps-header-protection-req-00-pre20190623.txt b/ietf-lamps-header-protection/draft-ietf-lamps-header-protection-req-00-pre20190623.txt index 06593d0f..058de218 100644 --- a/ietf-lamps-header-protection/draft-ietf-lamps-header-protection-req-00-pre20190623.txt +++ b/ietf-lamps-header-protection/draft-ietf-lamps-header-protection-req-00-pre20190623.txt @@ -5,10 +5,10 @@ Network Working Group A. Melnikov Internet-Draft Isode Ltd Intended status: Informational B. Hoeneisen -Expires: December 25, 2019 Ucom.ch +Expires: December 26, 2019 Ucom.ch D. Gillmor American Civil Liberties Union - June 23, 2019 + June 24, 2019 Problem Statement and Requirements for Header Protection @@ -43,7 +43,7 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 25, 2019. + This Internet-Draft will expire on December 26, 2019. Copyright Notice @@ -53,7 +53,7 @@ Copyright Notice -Melnikov, et al. Expires December 25, 2019 [Page 1] +Melnikov, et al. Expires December 26, 2019 [Page 1] Internet-Draft Header Protection requirements June 2019 @@ -71,55 +71,55 @@ Internet-Draft Header Protection requirements June 2019 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 - 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 - 3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 - 4. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 4.1. Interactions . . . . . . . . . . . . . . . . . . . . . . 5 - 4.2. Protection Levels . . . . . . . . . . . . . . . . . . . . 6 - 5. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 - 5.1. General Requirements . . . . . . . . . . . . . . . . . . 6 - 5.1.1. Sending Side . . . . . . . . . . . . . . . . . . . . 6 - 5.1.2. Receiving Side . . . . . . . . . . . . . . . . . . . 7 - 5.2. Additional Requirements for Backward-Compatibility With + 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 + 1.2. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 + 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3.1. Interactions . . . . . . . . . . . . . . . . . . . . . . 5 + 3.2. Protection Levels . . . . . . . . . . . . . . . . . . . . 6 + 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 + 4.1. General Requirements . . . . . . . . . . . . . . . . . . 6 + 4.1.1. Sending Side . . . . . . . . . . . . . . . . . . . . 6 + 4.1.2. Receiving Side . . . . . . . . . . . . . . . . . . . 7 + 4.2. Additional Requirements for Backward-Compatibility With Legacy Clients Unaware of Header Protection . . . . . . . 7 - 5.2.1. Sending side . . . . . . . . . . . . . . . . . . . . 7 - 5.2.2. Receiving side . . . . . . . . . . . . . . . . . . . 8 - 5.3. Additional Requirements for Backward-Compatibility with + 4.2.1. Sending side . . . . . . . . . . . . . . . . . . . . 7 + 4.2.2. Receiving side . . . . . . . . . . . . . . . . . . . 8 + 4.3. Additional Requirements for Backward-Compatibility with Legacy Header Protection Systems (if supported) . . . . . 8 - 5.3.1. Sending Side . . . . . . . . . . . . . . . . . . . . 8 - 5.3.2. Receiving Side . . . . . . . . . . . . . . . . . . . 8 - 6. Options to Achieve Header Protection . . . . . . . . . . . . 8 - 6.1. Option 1: Memory Hole . . . . . . . . . . . . . . . . . . 8 - 6.2. Option 2: Wrapping with message/rfc822 or message/global 9 - 6.2.1. Content-Type property "forwarded" . . . . . . . . . . 9 - 6.2.2. Handling of S/MIME protected header . . . . . . . . . 10 - 6.2.3. Mail User Agent Algorithm for deciding which version + 4.3.1. Sending Side . . . . . . . . . . . . . . . . . . . . 8 + 4.3.2. Receiving Side . . . . . . . . . . . . . . . . . . . 8 + 5. Options to Achieve Header Protection . . . . . . . . . . . . 8 + 5.1. Option 1: Memory Hole . . . . . . . . . . . . . . . . . . 8 + 5.2. Option 2: Wrapping with message/rfc822 or message/global 9 + 5.2.1. Content-Type property "forwarded" . . . . . . . . . . 9 + 5.2.2. Handling of S/MIME protected header . . . . . . . . . 10 + 5.2.3. Mail User Agent Algorithm for deciding which version of a header . . . . . . . . . . . . . . . . . . . . . 11 - 6.3. Option 3: Progressive Header Disclosure . . . . . . . . . 11 - 6.4. Design principles . . . . . . . . . . . . . . . . . . . . 11 - 6.5. Candidate Header Fields for Header Protection . . . . . . 13 - 6.6. Stub Outside Headers . . . . . . . . . . . . . . . . . . 13 - 6.7. More information . . . . . . . . . . . . . . . . . . . . 14 - 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 14 - 7.1. Option 1: Memory Hole . . . . . . . . . . . . . . . . . . 15 - 7.2. Option 2: Wrapping with message/rfc822 or message/global 16 - 7.3. Option 3 Progressive Header Disclosure . . . . . . . . . 17 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 + 5.3. Option 3: Progressive Header Disclosure . . . . . . . . . 11 + 5.4. Design principles . . . . . . . . . . . . . . . . . . . . 11 + 5.5. Candidate Header Fields for Header Protection . . . . . . 13 + 5.6. Stub Outside Headers . . . . . . . . . . . . . . . . . . 13 + 5.7. More information . . . . . . . . . . . . . . . . . . . . 14 + 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 6.1. Option 1: Memory Hole . . . . . . . . . . . . . . . . . . 15 + 6.2. Option 2: Wrapping with message/rfc822 or message/global 16 + 6.3. Option 3 Progressive Header Disclosure . . . . . . . . . 17 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 17 -Melnikov, et al. Expires December 25, 2019 [Page 2] +Melnikov, et al. Expires December 26, 2019 [Page 2] Internet-Draft Header Protection requirements June 2019 - 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 18 - 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 - 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 - 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 - 12.1. Normative References . . . . . . . . . . . . . . . . . . 18 - 12.2. Informative References . . . . . . . . . . . . . . . . . 19 + 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 18 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 + 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 + 11.1. Normative References . . . . . . . . . . . . . . . . . . 18 + 11.2. Informative References . . . . . . . . . . . . . . . . . 19 Appendix A. Document Changelog . . . . . . . . . . . . . . . . . 20 Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 @@ -159,13 +159,13 @@ Internet-Draft Header Protection requirements June 2019 to be implemented. This document describes the problem statement, generic use cases - (Section 4) and requirements for header protection (Section 5) + (Section 3) and requirements for header protection (Section 4) Additionally it drafts possible solutions to address the challenge. -Melnikov, et al. Expires December 25, 2019 [Page 3] +Melnikov, et al. Expires December 26, 2019 [Page 3] Internet-Draft Header Protection requirements June 2019 @@ -175,15 +175,15 @@ Internet-Draft Header Protection requirements June 2019 [...] -2. Conventions Used in This Document +1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. -2.1. Terminology +1.2. Terms - The following terms are defined in this document: + The following terms are defined for the scope of this document: o Header Field:: cf. [RFC5322] @@ -196,7 +196,7 @@ Internet-Draft Header Protection requirements June 2019 o Man-in-the-middle attack (MITM): cf. [RFC4949] -3. Problem Statement +2. Problem Statement The LAMPS charter contains the folllowing Work Item: @@ -211,7 +211,7 @@ Internet-Draft Header Protection requirements June 2019 [...] -4. Use Cases +3. Use Cases In the following, we show the generic use cases that need to be addressed independently of whether S/MIME, PGP/MIME or any other @@ -221,12 +221,12 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 4] +Melnikov, et al. Expires December 26, 2019 [Page 4] Internet-Draft Header Protection requirements June 2019 -4.1. Interactions +3.1. Interactions The main interaction case for Header Protection (HP) is: @@ -277,12 +277,12 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 5] +Melnikov, et al. Expires December 26, 2019 [Page 5] Internet-Draft Header Protection requirements June 2019 -4.2. Protection Levels +3.2. Protection Levels The following protection levels need to be considered: @@ -292,16 +292,16 @@ Internet-Draft Header Protection requirements June 2019 c) encryption only [[ TODO: verify whether relevant ]] -5. Requirements +4. Requirements In the following a list of requirements that need to be addressed independently of whether S/MIME, PGP/MIME or any other technology is used to apply HP to. -5.1. General Requirements +4.1. General Requirements This subsection is listing the requirements to address use case 1) - (cf. Section 4.1). + (cf. Section 3.1). G1: Define the format for HP for all protection levels. This includes MIME structure, Content-Type (including charset and name), @@ -322,7 +322,7 @@ Internet-Draft Header Protection requirements June 2019 -5.1.1. Sending Side +4.1.1. Sending Side @@ -333,7 +333,7 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 6] +Melnikov, et al. Expires December 26, 2019 [Page 6] Internet-Draft Header Protection requirements June 2019 @@ -354,7 +354,7 @@ Internet-Draft Header Protection requirements June 2019 GS4: Determine which HF to not to include to any HP part (e.g. Bcc). -5.1.2. Receiving Side +4.1.2. Receiving Side GR1: Determine how HF should be displayed to the user in case of conflicting information between the protected and unprotected @@ -364,17 +364,17 @@ Internet-Draft Header Protection requirements June 2019 particular downgrade attacks, can be detected. -5.2. Additional Requirements for Backward-Compatibility With Legacy +4.2. Additional Requirements for Backward-Compatibility With Legacy Clients Unaware of Header Protection - This sub-section addresses the use cases 2) - 4) (cf. Section 4.1) + This sub-section addresses the use cases 2) - 4) (cf. Section 3.1) B1: Depending on the solution, define a means to distinguish between forwarded messages and encapsulated messages using new HP mechanism. -5.2.1. Sending side +4.2.1. Sending side BS1: Define how full HP support can be indicated to outgoing messages. @@ -389,20 +389,20 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 7] +Melnikov, et al. Expires December 26, 2019 [Page 7] Internet-Draft Header Protection requirements June 2019 -5.2.2. Receiving side +4.2.2. Receiving side BR1: Define how full HP support can be detected in incoming messages. -5.3. Additional Requirements for Backward-Compatibility with Legacy +4.3. Additional Requirements for Backward-Compatibility with Legacy Header Protection Systems (if supported) - This sub-section addresses the use cases 5) - 9) (cf. Section 4.1). + This sub-section addresses the use cases 5) - 9) (cf. Section 3.1). LS1: Depending on the solution, define a means to distinguish between forwarded messages, legacy encapsulated messages, and @@ -413,7 +413,7 @@ Internet-Draft Header Protection requirements June 2019 for existing solutions. -5.3.1. Sending Side +4.3.1. Sending Side LSS1: Determine how legacy HP support can be indicated to outgoing messages. @@ -422,19 +422,19 @@ Internet-Draft Header Protection requirements June 2019 or guessed. -5.3.2. Receiving Side +4.3.2. Receiving Side LSR1: Determine how legacy HP support can be detected in incoming messages. -6. Options to Achieve Header Protection +5. Options to Achieve Header Protection In the following a set of Options to achieve Email Header Protection. It is expected that the IETF LAMPS WG chooses an option to update [RFC8551] wrt. Header Protection. -6.1. Option 1: Memory Hole +5.1. Option 1: Memory Hole Memory Hole approach works by copying the normal message header fields into the MIME header section of the top level protected body @@ -445,14 +445,14 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 8] +Melnikov, et al. Expires December 26, 2019 [Page 8] Internet-Draft Header Protection requirements June 2019 [[ TODO: [DKG] add more information on memory hole]] -6.2. Option 2: Wrapping with message/rfc822 or message/global +5.2. Option 2: Wrapping with message/rfc822 or message/global Wrapping with message/rfc822 (or message/global) works by copying the normal message header fields into the MIME header section of the top @@ -468,7 +468,7 @@ Internet-Draft Header Protection requirements June 2019 protection mechanisms (signing and/or encryption) it shares the protections of the message body. -6.2.1. Content-Type property "forwarded" +5.2.1. Content-Type property "forwarded" This section outlines how the new "forwarded" Content-Type header field parameter could be defined (probabely in a separate document) @@ -501,7 +501,7 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 9] +Melnikov, et al. Expires December 26, 2019 [Page 9] Internet-Draft Header Protection requirements June 2019 @@ -512,7 +512,7 @@ Internet-Draft Header Protection requirements June 2019 top-level message, taking into account header section merging issues as previously discussed. -6.2.2. Handling of S/MIME protected header +5.2.2. Handling of S/MIME protected header [[This section needs more work. Don't treat anything in it as unchangeable.]] @@ -557,7 +557,7 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 10] +Melnikov, et al. Expires December 26, 2019 [Page 10] Internet-Draft Header Protection requirements June 2019 @@ -588,7 +588,7 @@ Internet-Draft Header Protection requirements June 2019 some other way, for example with a DKIM signature that validates and is trusted. -6.2.3. Mail User Agent Algorithm for deciding which version of a header +5.2.3. Mail User Agent Algorithm for deciding which version of a header field to display @@ -596,12 +596,12 @@ Internet-Draft Header Protection requirements June 2019 body part, extract header fields from it and propogate them to the top level. This should also work for triple-wrapped messages.]] -6.3. Option 3: Progressive Header Disclosure +5.3. Option 3: Progressive Header Disclosure - This option is similar to Option 2 (cf. Section 6.2). It also makes - use the Content-Type property "forwarded" (cf. Section 6.2.1). + This option is similar to Option 2 (cf. Section 5.2). It also makes + use the Content-Type property "forwarded" (cf. Section 5.2.1). -6.4. Design principles +5.4. Design principles pretty Easy privacy (pEp) [I-D.birk-pep] is working on bringing state-of-the-art automatic cryptography known from areas like TLS to @@ -613,7 +613,7 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 11] +Melnikov, et al. Expires December 26, 2019 [Page 11] Internet-Draft Header Protection requirements June 2019 @@ -669,7 +669,7 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 12] +Melnikov, et al. Expires December 26, 2019 [Page 12] Internet-Draft Header Protection requirements June 2019 @@ -679,18 +679,18 @@ Internet-Draft Header Protection requirements June 2019 relevant header fields just as-needed to the next mail transport agents along the transmission path. - pEp has also implemented the above (in Section 6.2.1) described + pEp has also implemented the above (in Section 5.2.1) described Content-Type property "forwarded" to distinguish between encapsulated and forwarded emails. -6.5. Candidate Header Fields for Header Protection +5.5. Candidate Header Fields for Header Protection By default, all headers of the original message SHOULD be wrapped with the original message, with one exception: o the header field "Bcc" MUST NOT be added to the protected headers. -6.6. Stub Outside Headers +5.6. Stub Outside Headers The outer message requires a minimal set of headers to be in place for being eligible for transport. This includes the "From", "To", @@ -725,18 +725,18 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 13] +Melnikov, et al. Expires December 26, 2019 [Page 13] Internet-Draft Header Protection requirements June 2019 -6.7. More information +5.7. More information More information on progressive header disclosure can be found in [I-D.marques-pep-email] and [I-D.luck-lamps-pep-header-protection]. The latter is a predecessor of this document. -7. Examples +6. Examples Examples in subsequent sections assume that an email client is trying to protect (sign) the following initial message: @@ -781,7 +781,7 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 14] +Melnikov, et al. Expires December 26, 2019 [Page 14] Internet-Draft Header Protection requirements June 2019 @@ -827,7 +827,7 @@ O: boundary=.cbe16d2a-e1a3-4220-b821-38348fc97237 -7.1. Option 1: Memory Hole +6.1. Option 1: Memory Hole The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the @@ -837,7 +837,7 @@ O: boundary=.cbe16d2a-e1a3-4220-b821-38348fc97237 -Melnikov, et al. Expires December 25, 2019 [Page 15] +Melnikov, et al. Expires December 26, 2019 [Page 15] Internet-Draft Header Protection requirements June 2019 @@ -877,7 +877,7 @@ I: Content-Type: text/plain; charset=us-ascii --.cbe16d2a-e1a3-4220-b821-38348fc97237-- -7.2. Option 2: Wrapping with message/rfc822 or message/global +6.2. Option 2: Wrapping with message/rfc822 or message/global The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the @@ -893,7 +893,7 @@ I: Content-Type: text/plain; charset=us-ascii -Melnikov, et al. Expires December 25, 2019 [Page 16] +Melnikov, et al. Expires December 26, 2019 [Page 16] Internet-Draft Header Protection requirements June 2019 @@ -932,12 +932,12 @@ I: Content-Type: text/plain; charset=us-ascii --.cbe16d2a-e1a3-4220-b821-38348fc97237-- -7.3. Option 3 Progressive Header Disclosure +6.3. Option 3 Progressive Header Disclosure This looks similar as in option 2. Specific examples can be found in [I-D.luck-lamps-pep-header-protection]. -8. Security Considerations +7. Security Considerations This document talks about UI considerations, including security considerations, when processing messages protecting header fields. @@ -949,7 +949,7 @@ I: Content-Type: text/plain; charset=us-ascii -Melnikov, et al. Expires December 25, 2019 [Page 17] +Melnikov, et al. Expires December 26, 2019 [Page 17] Internet-Draft Header Protection requirements June 2019 @@ -958,17 +958,17 @@ Internet-Draft Header Protection requirements June 2019 new security concerns not already covered by S/MIME [RFC8551], MIME [RFC2045] and Email [RFC5322] in general. -9. Privacy Considerations +8. Privacy Considerations [[ TODO ]] -10. IANA Considerations +9. IANA Considerations This document requests no action from IANA. [[ RFC Editor: This section may be removed before publication. ]] -11. Acknowledgements +10. Acknowledgements Special thanks go to Krista Bennett and Volker Birk for valuable input to this draft and Hernani Marques for reviewing. @@ -985,9 +985,9 @@ Internet-Draft Header Protection requirements June 2019 header field parameter to distinguish forwarded messages from inner header field protection constructs. -12. References +11. References -12.1. Normative References +11.1. Normative References [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message @@ -1005,7 +1005,7 @@ Internet-Draft Header Protection requirements June 2019 -Melnikov, et al. Expires December 25, 2019 [Page 18] +Melnikov, et al. Expires December 26, 2019 [Page 18] Internet-Draft Header Protection requirements June 2019 @@ -1015,7 +1015,7 @@ Internet-Draft Header Protection requirements June 2019 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019,
| Network Working Group | +C. Luck | +
| Internet-Draft | +pEp Foundation | +
| Intended status: Informational | +B. Hoeneisen | +
| Expires: November 2, 2019 | +Ucom.ch | +
| + | May 01, 2019 | +
pretty Easy privacy (pEp): Header Protection
+ draft-luck-lamps-pep-header-protection-02
Issues with email header protection in S/MIME have been recently raised in the IETF LAMPS Working Group. The need for amendments to the existing specification regarding header protection was expressed.
+The pretty Easy privacy (pEp) implementations currently use a mechanism quite similar to the currently standardized message wrapping for S/MIME. The main difference is that pEp is using PGP/MIME instead, and adds space for carrying public keys next to the protected message.
+In LAMPS voices have also been expressed, that whatever mechanism will be chosen, it should not be limited to S/MIME, but also applicable to PGP/MIME.
+This document aims to contribute to this discussion and share pEp implementation experience with email header protection.
+This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
+Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
+Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
+This Internet-Draft will expire on November 2, 2019.
+Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
+This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
+ + + +A range of protocols for the protection of electronic mail (email) exist, which allow to assess the authenticity and integrity of the email headers section or selected header fields from the domain-level perspective, specifically DomainKeys Identified Mail (DKIM) [RFC6376] and Sender Policy Framework (SPF) [RFC7208] and Domain-based Message Authentication, Reporting, and Conformance (DMARC) [RFC7489]. These protocols, while essential to responding to a range of attacks on email, do not offer full end-to-end protection to the headers section and are not capable of providing privacy for the information contained therein.
+The need for means of Data Minimization, which includes data spareness and hiding of all information, which technically can be hidden, has grown in importance over the past years.
+A standard for end-to-end protection of the email headers section exists for S/MIME since version 3.1. (cf. [RFC8551]):
+ + +No mechanism for header protection has been standardized for PGP (Pretty Good Privacy) yet.
+End-to-end protection for the email headers section is currently not widely implemented – neither for messages protected by means of S/MIME nor PGP. At least two variants of header protection are known to be implemented. A recently submitted Internet-Draft [I-D.melnikov-lamps-header-protection] discusses the two variants and the challenges with header protection for S/MIME. The two variants are referred to as:
+ + +pEp (pretty Easy privacy) [I-D.birk-pep] for email [I-D.marques-pep-email] already implements an option quite similar to Option 2, adapting the S/MIME standards to PGP/MIME (cf. Section 5, ff.). Existing implementations of pEp have also added inbound support for “Memory Hole” referred to above as Option 1, thus being able to study the differences and the implementator’s challenges.
+Interoperability and implementation symmetry between PGP/MIME and S/MIME is planned by pEp, but still in an early stage of development.
+This document lists generic use cases (Section 3) and requirements for header protection (Section 4) and describes progressive header disclosure as implemented in the “pEp message format version 2”. This format inherently offers header protection, and may be implemented independently by mail user agents otherwise not conforming to pEp standards (Section 5, ff.).
+The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
+ + +In the examples following in this section, it is a common pattern to have a MIME encoded mail containing (“wrapping”) another signed and eventually encrypted mail. Such enclosed mails are encoded following the OpenPGP standard, which specifies an encoding called “Radix-64”, which is 7-bit transport-encoding compatible by design.
+The Radix-64 consists of a begin and an end Armor Header Line, a stream of base64-encoded data limited to 78 characters per line plus <CR><LF>, and an encoded CRC-24 value.
+The following is an example, with some similar lines of base64 output replaced with ellipsis:
++ -----BEGIN PGP MESSAGE----- + hQIMAwusnBHN80H+AQ//cJLQLOl+6hOofKEkQJeu0wedmwt+TkzPx/sCUQ80dzLv + ... + j/ES8ndDBftM5mZLzFQ2VatqB9G9cqCgiOVFs6jfTI13nPfLit9IPWRavcVIMdwt + Xd9bdvHx/ReenAk/ + =7WaL + -----END PGP MESSAGE----- ++
To make the examples look more compact and relevant, the above will be replaced symbolically by:
++ [[----- OpenPGP Radix-64 Block -----]] ++
Note that OpenPGP and MIME specifications overlap when a Radix-64 immediately precedes a MIME boundary. The <CR><LF> sequence immediately preceding a MIME boundary delimiter line is considered to be part of the delimiter in [RFC2046], 5.1. And in OpenPGP, line endings are considered a part of the Armor Header Line for the purposes of determining the content they delimit in [RFC4880], 6.2. Keeping an empty line between the end Armor Header Line and the MIME boundary line is suggested.
+In the following, we show the generic use cases that need to be addressed independently of whether S/MIME, PGP/MIME or any other technology is used for which Header Protection (HP) is to be applied to.
+The main interaction case for Header Protection (HP) is:
++1) Both peers (sending and receiving side) fully support HP + ++
For backward compatibility of legacy clients – unaware of any HP – the following intermediate interactions need to be considered as well:
++2) The sending side fully supports HP, while the receiving side does + not support any HP + +3) The sending side does not support any HP, while the receiving + side fully supports HP (trivial case) + +4) Neither the sending side nor the receiving side supports any HP + (trivial case) + ++
The following intermediate use cases may need to be considered as well for backward compatibility with legacy HP systems, such as S/MIME since version 3.1 (cf. [RFC8551]), in the following designated as legacy HP:
++5) The sending side fully supports HP, while the receiving side + supports legacy HP only + +6) The sending side supports legacy HP only, while the receiving side + fully supports HP + +7) Both peers (sending and receiving side) support legacy HP only + +8) The sending side supports legacy HP only, while the receiving side + does not support any HP + +9) The sending side does not support any HP, while the receiving side + supports legacy HP only (trivial case) + ++
Note: It is to be decided whether to ensure legacy HP systems do not conflict with any new solution for HP at all or whether (and to which degree) backward compatibility to legacy HP systems shall be maintained.
+The following protection levels need to be considered:
+a) signature and encryption
+b) signature only
+c) encryption only [[ TODO: verify whether relevant ]]
+In the following a list of requirements that need to be addressed independently of whether S/MIME, PGP/MIME or any other technology is used to apply HP to.
+This subsection is listing the requirements to address use case 1) (cf. Section 3.1).
+
+G1: Define the format for HP for all protection levels. This includes
+ MIME structure, Content-Type (including charset and name),
+ Content-Disposition (including filename), and
+ Content-Transfer-Encoding.
+
+G2: Define how a public key should be included.
+
+G3: To foster wide implementation of the new solution, it shall be
+ easily implementable. Unless needed for maximizing protection and
+ privacy, existing implementations shall not require substantial
+ changes in the existing code base. In particular also MIME
+ libraries widely used shall not need to be changed to comply with
+ the new mechanism for HP.
+
+G4: Ensure that man-in-the-middle attack (MITM) cf. {{RFC4949}}, in
+ particular downgrade attacks, are mitigated as good as possible.
+
+
+
++GS1: Determine which Header Fields (HFs) should or must be protected + at least for signed only email. + +GS2: Determine which HFs should or must be sent in clear of an + encrypted email. + +GS3: Determine which HF should not or must not be included in the + visible header (for transport) of an encrypted email, with the + default being that whatever is not needed from GS2 is not put + into the unencrypted transport headers, thus fulfilling data + minimization requirements (including data spareness and hiding + of all information that technically can be hidden). + +GS4: Determine which HF to not to include to any HP part (e.g. Bcc). + ++
+GR1: Determine how HF should be displayed to the user in case of
+ conflicting information between the protected and unprotected
+ headers.
+
+GR2: Ensure that man-in-the-middle attack (MITM) cf. {{RFC4949}}, in
+ particular downgrade attacks, can be detected.
+
+
+This sub-section addresses the use cases 2) - 4) (cf. Section 3.1)
++B1: Depending on the solution, define a means to distinguish between + forwarded messages and encapsulated messages using new HP + mechanism. + ++
+BS1: Define how full HP support can be indicated to outgoing + messages. + +BS2: Define how full HP support of the receiver can be detected or + guessed. + +BS3: Ensure a HP unaware receiving side easily can display the + "Subject" HF to the user. + ++
+BR1: Define how full HP support can be detected in incoming messages. + ++
This sub-section addresses the use cases 5) - 9) (cf. Section 3.1).
++LS1: Depending on the solution, define a means to distinguish between + forwarded messages, legacy encapsulated messages, and + encapsulated messages using new HP mechanism. + +LS2: The solution should be backward compatible to existing solutions + and aim to minimize the implementation effort to include support + for existing solutions. + ++
+LSS1: Determine how legacy HP support can be indicated to outgoing + messages. + +LSS2: Determine how legacy HP support of the receiver can be detected + or guessed. + ++
+LSR1: Determine how legacy HP support can be detected in incoming + messages. + ++
pretty Easy privacy (pEp) is working on bringing state-of-the-art automatic cryptography known from areas like TLS to electronic mail (email) communication. pEp is determined to evolve the existing standards as fundamentally and comprehensively as needed to gain easy implementation and integration, and for easy use for regular Internet users. pEp for email wants to attaining to good security practice while still retaining backward compatibility for implementations widespread.
+To provide the required stability as a foundation for good security practice, pEp for email defines a fixed MIME structure for its innermost message structure, so to remove most attack vectors which have permitted the numerous EFAIL vulnerabilities. (TBD: ref)
+Security comes just next after privacy in pEp, for which reason the application of signatures without encryption to messages in transit is not considered purposeful. pEp for email herein referenced, and further described in [I-D.marques-pep-email], either expects to transfer messages in cleartext without signature or encryption, or transfer them encrypted and with enclosed signature and necessary public keys so that replies can be immediately upgraded to encrypted messages.
+The pEp message format is equivalent to the S/MIME standard in ensuring header protection, in that the whole message is protected instead, by wrapping it and providing cryptographic services to the whole original message. The pEp message format is different compared to the S/MIME standard in that the pEp protocols propose opportunistic end-to-end security and signature, by allowing the transport of the necessary public key material along with the original messages.
+For the purpose of allowing the insertion of such public keys, the root entity of the protected message is thus nested once more into an additional multipart/mixed MIME entity. The current pEp proposal is for PGP/MIME, while an extension to S/MIME is next.
+pEp’s proposal is strict in that it requires that the cryptographic services applied to the protected message MUST include encryption. It also mandates a fixed MIME structure for the protected message, which always MUST include a plaintext and optionally an HTML representation (if HTML is used) of the same message, and requires that all other optional elements to be eventually presented as attachments. Alternatively the whole protected message could represent in turn a wrapped pEp wrapper, which makes the message structure fully recursive on purpose (e.g., for the purpose of anonymization through onion routing).
+For the purpose of implementing mixnet routing for email, it is foreseen to nest pEp messages recursively. A protected message can in turn contain a protected message due for forwarding. This is for the purpose to increase privacy and counter the necessary leakage of plaintext addressing in the envelope of the email.
+The recursive nature of the pEp message format allows for the implementation of progressive disclosure of the necessary transport relevant header fields just as-needed to the next mail transport agents along the transmission path.
+The pEp message format version 2 is designed such that a receiving Mail User Agent (MUA), which is OpenPGP-compliant but not pEp-compliant, still has built-in capability to properly verify the integrity of the mail, decode it and display all information of the original mail to the user. The recovered protected message is selfsufficiently described, including all protected header fields.
+The pEp message format version 2 (as used by all the various pEp implementations, cf. Section 10) is similar to what is standardized for S/MIME in [RFC8551]:
+ + +The pEp message format requires the innermost protected message to follow a fixed MIME structure and to consist of exactly one human-readable message which is represented in plain or HTML format. Both plain and html entities MUST represent the same message to the user. Any attachment to the message must be laid out in a flat list. No additional multipart entities are allowed in the pEp message.
+These restrictions permit to build mail user agents which are immune to the EFAIL attacks.
+This message is herein further referred to as the “pEp inner message”.
+A mail user agent wanting to follow this standard, SHOULD transform any “original message” into a “pEp inner message” for safe representation on the receiving side.
+One caveat of the design is that the user interaction with message/rfc822 entities varies considerably across different mail user agents. No standard is currently available which enables MUAs to reliably determine whenever a nested message/rfc822 entity is meant to blend the containing message, or if it was effectively intended to be forwarded as a file document. pEp currently intends to implement the proposal described by [I-D.melnikov-lamps-header-protection], 3.2, which defines a new Content-Type header field parameter with name “forwarded”, for the MUA to distinguish between a forwarded message and a nested message for the purpose of header protection, i.e., using “forwarded=no”.
+With pEp message format version 2, the pEp standardized message is equally wrapped in a message/rfc822 entity, but this time being in turn wrapped in a multipart/mixed entity. The purpose of the additional nesting is to allow for public keys of the sender to be stored alongside the original message while being protected by the same mechanism.
+For the case of PGP/MIME, the currently only implemented MIME encryption protocol implemented in pEp, the top-level entity called the “outer message” MUST contain:
+ + +Notes on the current pEp client implementations:
+ + +This is an example of the top-level MIME entity, before being encrypted and signed:
++ MIME-Version: 1.0 + Content-Type: multipart/mixed; + boundary="6b8b4567327b23c6643c986966334873" + + + --6b8b4567327b23c6643c986966334873 + Content-Type: message/rfc822; forwarded="no" + + From: John Doe <jdoe@machine.example> + To: Mary Smith <mary@example.net> + Subject: Example + Date: Fri, 30 Jun 2018 09:55:06 +0200 + Message-ID: <05d0526e-41c4-11e9-8828@pretty.Easy.privacy> + X-Pep-Version: 2.0 + MIME-Version: 1.0 + Content-Type: multipart/alternative; + boundary="29fe9d2b2d7f6a703c1bffc47c162a8c" + + --29fe9d2b2d7f6a703c1bffc47c162a8c + Content-Type: text/plain; charset="utf-8" + Content-Transfer-Encoding: quoted-printable + Content-Disposition: inline; filename="msg.txt" + + p=E2=89=A1p for Privacy by Default. + -- =20 + Sent from my p=E2=89=A1p for Android. + + --29fe9d2b2d7f6a703c1bffc47c162a8c + Content-Type: text/html; charset="utf-8" + Content-Transfer-Encoding: quoted-printable + + p=E2=89=A1p for Privacy by Default.<br> + -- <br> + Sent from my p=E2=89=A1p for Android.<br> + + --29fe9d2b2d7f6a703c1bffc47c162a8c-- + --6b8b4567327b23c6643c986966334873 + Content-Type: application/pgp-keys + Content-Disposition: attachment; filename="pEpkey.asc" + + -----BEGIN PGP PUBLIC KEY BLOCK----- + + ... + -----END PGP PUBLIC KEY BLOCK----- + + --6b8b4567327b23c6643c986966334873-- ++
In pEp message format 2 the “outer message” consists of a full RFC822 message with body and a minimal set of header fields, just those necessary to conform to MIME multipart standards.
+The “outer message” should be encrypted and carry a signature according to the MIME encryption standards. The resulting message is the transport message which a root entity of type multipart/encrypted.
+A minimal set of header fields should be set on the “transport message”, as to permit delivery, without disclosing private information.
+The structure of the transport message may be altered in-transit, e.g. through mailing list agents, or inspection gateways.
+Signing and encrypting a message with MIME Security with OpenPGP [RFC3156], yields a message with the following complete MIME structure, seen across the encryption layer:
+
+ = multipart/encrypted; protocol="application/pgp-encrypted";
+ + application/pgp-encrypted [ Version: 1 ]
+ + application/octet-stream; name="msg.asc"
+ {
+ Content-Disposition: inline; filename="msg.asc";
+ }
+ |
+ [ opaque encrypted structure ]
+ |
+ { minimal headers }
+ + multipart/mixed
+ + message/rfc822; forwarded="no";
+ |
+ { protected message headers }
+ + multipart/mixed
+ + multipart/alternate
+ + text/plain
+ + text/html
+ + application/octet-stream [ attachmet_1 ]
+ + application/octet-stream [ attachmet_2 ]
+ + application/pgp-keys
+
+
+The header fields of the sub-part of type application/octet-stream SHOULD be modified to ensure that:
+ + +Interoperability and implementation symmetry between PGP/MIME and S/MIME is on the roadmap of pEp.
+By default, all headers of the original message SHOULD be wrapped with the original message, with one exception:
+ + +The outer message requires a minimal set of headers to be in place for being eligible for transport. This includes the “From”, “To”, “Cc”, “Bcc”, “Subject” and “Message-ID” header fields. The protocol hereby defined also depends on the “MIME-Version”, “Content-Type”, “Content-Disposition” and eventually the “Content-Transport-Encoding” header field to be present.
+Submission and forwarding based on SMTP carries “from” and “receivers” information out-of-band, so that the “From” and “To” header fields are not strictly necessary. Nevertheless, “From”, “Date”, and at least one destination header field is mandatory as per [RFC5322]. They SHOULD be conserved for reliability.
+The following header fields should contain a verbatim copy of the header fields of the inner message:
+ + +The entries with an asterisk mark (*) should only be set if also present in the original message.
+Clients which follow pEp standards MUST set the header field value for “Subject” to “=?utf-8?Q?p=E2=89=A1p?=” or “pEp”. Clients which do not adhere to all pEp standards should set the header field value of “Subject” to a descriptive stub value. An example used in practice is
+ + +The following header fields MUST be initialized with proper values according to the MIME standards:
+ + +[[ TODO ]]
+Header field values from the transport message MUST NOT be shown, when displaying the inner message, or the outer message. The inner message MUST carry all relevant header fields necessary for display.
+pEp either engages in a signed-and-encrypted communication or in an unsigned plaintext communication. Inbound signatures attached to plaintext messages are duly verified but cannot enhance the perceived quality of the message in the user interface (while an invalid signature degrades the perception) [I-D.birk-pep].
+The Mail User Agent may implement outgoing filtering of mails, which may veto, alter, redirect or replicate the messages. The functionality may be implemented on the mailbox server and be configurable through a well-known protocol, e.g., by means of The Sieve Mail-Filtering Language [RFC5490], or be implemented client-side, or in a combination of both.
+A mailbox server, which is required to process the full range of possible filters, is requiring plaintext access to the header fields.
+In an end-to-end-encryption context, which pEp enforces by default, upon first reception of the message the mailbox server is limited to see the transport- relevant headers of the outer wrapper message. A pEp client configured to trust the server (“trusted server” setting [I-D.marques-pep-email]) will later download the encrypted message, decrypt it and replace the copy on the server by the decrypted copy.
+Inbound messages are expected to be delivered to the inbox while still being encrypted. At this point in time, server-side filtering can only evaluate the unprotected header fields in the wrapper message.
+In an end-to-end-encryption context, which pEp enforces by default, the mailbox server is limited to see the transport-relevant headers of the outer wrapper message only upon first delivery. A pEp client configured to trust the server (“trusted server” setting [I-D.marques-pep-email]) will eventually download the encrypted message, decrypt it locally and replace the copy on the server by the decrypted copy. Server-side message filters SHOULD be able to detect such post-processed messages, and apply the pending filters. The client SHOULD easily reflect the post-filtered messages in the user interface.
+The Mail User Agent may implement outgoing filtering of emails, which may veto, alter or replicate the email. They may also hint the MUA to store a copy in an alternate “Sent” folder.
+Filters which veto the sending or do alter the mail or replicate it (e.g., mass-mail generators) SHOULD be completed prior to applying protection, and thus also prior to applying header protection. Redirection to alternate “Sent” folders MUST NOT be decided prior to applying protection, but MUAs MAY abide from this restriction if they implement the “trusted server” option and the option is selected for the specific mailbox server; in this case, MUAs MUST NOT allow to redirect a message to an untrusted server by these rules, to prevent information leakage to the untrusted server.
+[[ TODO: Mention implicit filter for minimal color-rating for message replication. ]]
+[[ TODO: How to produce key-export-mails manually this way? That is, what about non-pEp-mode? ]]
+[[ TODO ]]
+This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.
+According to [RFC7942], “[…] this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit.”
+The following software implementing the pEp protocols (to varying degrees) already exists:
+ + +pEp for Android, iOS and Outlook are provided by pEp Security, a commercial entity specializing in end-user software implementing pEp while Enigmail/pEp is pursued as community project, supported by the pEp Foundation.
+All software is available as Free Software and published also in source form.
+[[ TODO ]]
+This document has no actions for IANA.
+Special thanks go to Krista Bennett and Volker Birk for valuable input to this draft and Hernani Marques for reviewing.
+| [I-D.birk-pep] | ++Marques, H. and B. Hoeneisen, "pretty Easy privacy (pEp): Privacy by Default", Internet-Draft draft-birk-pep-03, March 2019. | +
| [I-D.marques-pep-email] | ++Marques, H., "pretty Easy privacy (pEp): Email Formats and Protocols", Internet-Draft draft-marques-pep-email-02, October 2018. | +
| [I-D.melnikov-lamps-header-protection] | ++Melnikov, A., "Considerations for protecting Email header with S/MIME", Internet-Draft draft-melnikov-lamps-header-protection-00, October 2018. | +
| [RFC2046] | ++Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, DOI 10.17487/RFC2046, November 1996. | +
| [RFC2119] | ++Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. | +
| [RFC3156] | ++Elkins, M., Del Torto, D., Levien, R. and T. Roessler, "MIME Security with OpenPGP", RFC 3156, DOI 10.17487/RFC3156, August 2001. | +
| [RFC4880] | ++Callas, J., Donnerhacke, L., Finney, H., Shaw, D. and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007. | +
| [RFC4949] | ++Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007. | +
| [RFC5322] | ++Resnick, P., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008. | +
| [RFC5490] | ++Melnikov, A., "The Sieve Mail-Filtering Language -- Extensions for Checking Mailbox Status and Accessing Mailbox Metadata", RFC 5490, DOI 10.17487/RFC5490, March 2009. | +
| [RFC6376] | ++Crocker, D., Hansen, T. and M. Kucherawy, "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, September 2011. | +
| [RFC7208] | ++Kitterman, S., "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", RFC 7208, DOI 10.17487/RFC7208, April 2014. | +
| [RFC7489] | ++Kucherawy, M. and E. Zwicky, "Domain-based Message Authentication, Reporting, and Conformance (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015. | +
| [RFC8551] | ++Schaad, J., Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019. | +
| [RFC7942] | ++Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016. | +
| [SRC.enigmailpep] | +"Source code for Enigmail/pEp", March 2019. | +
| [SRC.pepforandroid] | +"Source code for pEp for Android", March 2019. | +
| [SRC.pepforios] | +"Source code for pEp for iOS", March 2019. | +
| [SRC.pepforoutlook] | +"Source code for pEp for Outlook", March 2019. | +
[[ RFC Editor: This section is to be removed before publication ]]
+ + +[[ RFC Editor: This section should be empty and is to be removed before publication. ]]
+ + +