<linkhref="#rfc.section.5.2"rel="Chapter"title="5.2 Additional Requirements for Backward-Compatibility With Legacy Clients Unaware of Header Protection">
<linkhref="#rfc.section.5.3"rel="Chapter"title="5.3 Additional Requirements for Backward-Compatibility with Legacy Header Protection Systems (if supported)">
<linkhref="#rfc.section.4.2"rel="Chapter"title="4.2 Additional Requirements for Backward-Compatibility With Legacy Clients Unaware of Header Protection">
<linkhref="#rfc.section.4.3"rel="Chapter"title="4.3 Additional Requirements for Backward-Compatibility with Legacy Header Protection Systems (if supported)">
<metaname="dct.abstract"content="Issues with email header protection in S​/​MIME have been recently raised in the IETF LAMPS Working Group. The need for amendments to the existing specification regarding header protection was expressed."/>
<metaname="description"content="Issues with email header protection in S​/​MIME have been recently raised in the IETF LAMPS Working Group. The need for amendments to the existing specification regarding header protection was expressed."/>
@ -447,7 +447,7 @@
<tdclass="right">B. Hoeneisen</td>
</tr>
<tr>
<tdclass="left">Expires: December 25, 2019</td>
<tdclass="left">Expires: December 26, 2019</td>
<tdclass="right">Ucom.ch</td>
</tr>
<tr>
@ -460,7 +460,7 @@
</tr>
<tr>
<tdclass="left"></td>
<tdclass="right">June 23, 2019</td>
<tdclass="right">June 24, 2019</td>
</tr>
@ -478,7 +478,7 @@
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
<p>This Internet-Draft will expire on December 25, 2019.</p>
<p>This Internet-Draft will expire on December 26, 2019.</p>
<p>Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
@ -490,81 +490,81 @@
<li>1. <ahref="#rfc.section.1">Introduction</a>
</li>
<li>2. <ahref="#rfc.section.2">Conventions Used in This Document</a>
</ul><li>Appendix A. <ahref="#rfc.appendix.A">Document Changelog</a>
</li>
@ -587,16 +587,16 @@
<ulclass="empty"><li>In order to protect outer, non-content-related message header fields (for instance, the “Subject”, “To”, “From”, and “Cc” fields), the sending client MAY wrap a full MIME message in a message/rfc822 wrapper in order to apply S​/​MIME security services to these header fields.</li></ul>
<pid="rfc.section.1.p.5">No mechanism for header protection has been standardized for PGP (Pretty Good Privacy) yet.</p>
<pid="rfc.section.1.p.6">End-to-end protection for the email headers section is currently not widely implemented – neither for messages protected by means of S​/​MIME nor PGP. At least two variants of header protection are known to be implemented.</p>
<pid="rfc.section.1.p.7">This document describes the problem statement, generic use cases (<ahref="#use-cases"class="xref">Section 4</a>) and requirements for header protection (<ahref="#requirements"class="xref">Section 5</a>) Additionally it drafts possible solutions to address the challenge. However, the final solution will be determined by the IETF LAMPS WG. Finally, some best practices are collected.</p>
<pid="rfc.section.1.p.7">This document describes the problem statement, generic use cases (<ahref="#use-cases"class="xref">Section 3</a>) and requirements for header protection (<ahref="#requirements"class="xref">Section 4</a>) Additionally it drafts possible solutions to address the challenge. However, the final solution will be determined by the IETF LAMPS WG. Finally, some best practices are collected.</p>
<pid="rfc.section.1.p.8">[…]</p>
<h1id="rfc.section.2">
<ahref="#rfc.section.2">2.</a><ahref="#conventions-used-in-this-document"id="conventions-used-in-this-document">Conventions Used in This Document</a>
<pid="rfc.section.2.p.1">The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in <ahref="#RFC2119"class="xref">[RFC2119]</a>.</p>
<pid="rfc.section.1.1.p.1">The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in <ahref="#RFC2119"class="xref">[RFC2119]</a>.</p>
<pid="rfc.section.3.p.1">The LAMPS charter contains the folllowing Work Item:</p>
<pid="rfc.section.2.p.1">The LAMPS charter contains the folllowing Work Item:</p>
<p></p>
<ulclass="empty"><li>Update the specification for the cryptographic protection of email headers – both for signatures and encryption – to improve the implementation situation with respect to privacy, security, usability and interoperability in cryptographically-protected electronic mail. Most current implementations of cryptographically-protected electronic mail protect only the body of the message, which leaves significant room for attacks against otherwise-protected messages.</li></ul>
<pid="rfc.section.4.p.1">In the following, we show the generic use cases that need to be addressed independently of whether S​/​MIME, PGP/MIME or any other technology is used for which Header Protection (HP) is to be applied to.</p>
<pid="rfc.section.3.p.1">In the following, we show the generic use cases that need to be addressed independently of whether S​/​MIME, PGP/MIME or any other technology is used for which Header Protection (HP) is to be applied to.</p>
<pid="rfc.section.4.1.p.1">The main interaction case for Header Protection (HP) is:</p>
<pid="rfc.section.3.1.p.1">The main interaction case for Header Protection (HP) is:</p>
<pre>
1) Both peers (sending and receiving side) fully support HP
</pre>
<pid="rfc.section.4.1.p.2">For backward compatibility of legacy clients – unaware of any HP – the following intermediate interactions need to be considered as well:</p>
<pid="rfc.section.3.1.p.2">For backward compatibility of legacy clients – unaware of any HP – the following intermediate interactions need to be considered as well:</p>
<pre>
2) The sending side fully supports HP, while the receiving side does
not support any HP
@ -642,7 +642,7 @@
(trivial case)
</pre>
<pid="rfc.section.4.1.p.3">The following intermediate use cases may need to be considered as well for backward compatibility with legacy HP systems, such as S​/​MIME since version 3.1 (cf. <ahref="#RFC8551"class="xref">[RFC8551]</a>), in the following designated as legacy HP:</p>
<pid="rfc.section.3.1.p.3">The following intermediate use cases may need to be considered as well for backward compatibility with legacy HP systems, such as S​/​MIME since version 3.1 (cf. <ahref="#RFC8551"class="xref">[RFC8551]</a>), in the following designated as legacy HP:</p>
<pre>
5) The sending side fully supports HP, while the receiving side
supports legacy HP only
@ -659,22 +659,22 @@
supports legacy HP only (trivial case)
</pre>
<pid="rfc.section.4.1.p.4">Note: It is to be decided whether to ensure legacy HP systems do not conflict with any new solution for HP at all or whether (and to which degree) backward compatibility to legacy HP systems shall be maintained.</p>
<pid="rfc.section.3.1.p.4">Note: It is to be decided whether to ensure legacy HP systems do not conflict with any new solution for HP at all or whether (and to which degree) backward compatibility to legacy HP systems shall be maintained.</p>
<pid="rfc.section.5.p.1">In the following a list of requirements that need to be addressed independently of whether S​/​MIME, PGP/MIME or any other technology is used to apply HP to.</p>
<pid="rfc.section.4.p.1">In the following a list of requirements that need to be addressed independently of whether S​/​MIME, PGP/MIME or any other technology is used to apply HP to.</p>
<pid="rfc.section.5.1.p.1">This subsection is listing the requirements to address use case 1) (cf. <ahref="#interactions"class="xref">Section 4.1</a>).</p>
<pid="rfc.section.4.1.p.1">This subsection is listing the requirements to address use case 1) (cf. <ahref="#interactions"class="xref">Section 3.1</a>).</p>
<pre>
G1: Define the format for HP for all protection levels. This includes
MIME structure, Content-Type (including charset and name),
@ -695,8 +695,8 @@ G4: Ensure that man-in-the-middle attack (MITM) cf. {{RFC4949}}, in
GR1: Determine how HF should be displayed to the user in case of
@ -727,18 +727,18 @@ GR2: Ensure that man-in-the-middle attack (MITM) cf. {{RFC4949}}, in
particular downgrade attacks, can be detected.
</pre>
<h1id="rfc.section.5.2">
<ahref="#rfc.section.5.2">5.2.</a><ahref="#additional-requirements-for-backward-compatibility-with-legacy-clients-unaware-of-header-protection"id="additional-requirements-for-backward-compatibility-with-legacy-clients-unaware-of-header-protection">Additional Requirements for Backward-Compatibility With Legacy Clients Unaware of Header Protection</a>
<h1id="rfc.section.4.2">
<ahref="#rfc.section.4.2">4.2.</a><ahref="#additional-requirements-for-backward-compatibility-with-legacy-clients-unaware-of-header-protection"id="additional-requirements-for-backward-compatibility-with-legacy-clients-unaware-of-header-protection">Additional Requirements for Backward-Compatibility With Legacy Clients Unaware of Header Protection</a>
</h1>
<pid="rfc.section.5.2.p.1">This sub-section addresses the use cases 2) - 4) (cf. <ahref="#interactions"class="xref">Section 4.1</a>)</p>
<pid="rfc.section.4.2.p.1">This sub-section addresses the use cases 2) - 4) (cf. <ahref="#interactions"class="xref">Section 3.1</a>)</p>
<pre>
B1: Depending on the solution, define a means to distinguish between
forwarded messages and encapsulated messages using new HP
BR1: Define how full HP support can be detected in incoming messages.
</pre>
<h1id="rfc.section.5.3">
<ahref="#rfc.section.5.3">5.3.</a><ahref="#additional-requirements-for-backward-compatibility-with-legacy-header-protection-systems-if-supported"id="additional-requirements-for-backward-compatibility-with-legacy-header-protection-systems-if-supported">Additional Requirements for Backward-Compatibility with Legacy Header Protection Systems (if supported)</a>
<h1id="rfc.section.4.3">
<ahref="#rfc.section.4.3">4.3.</a><ahref="#additional-requirements-for-backward-compatibility-with-legacy-header-protection-systems-if-supported"id="additional-requirements-for-backward-compatibility-with-legacy-header-protection-systems-if-supported">Additional Requirements for Backward-Compatibility with Legacy Header Protection Systems (if supported)</a>
</h1>
<pid="rfc.section.5.3.p.1">This sub-section addresses the use cases 5) - 9) (cf. <ahref="#interactions"class="xref">Section 4.1</a>).</p>
<pid="rfc.section.4.3.p.1">This sub-section addresses the use cases 5) - 9) (cf. <ahref="#interactions"class="xref">Section 3.1</a>).</p>
<pre>
LS1: Depending on the solution, define a means to distinguish between
forwarded messages, legacy encapsulated messages, and
@ -772,8 +772,8 @@ LS2: The solution should be backward compatible to existing solutions
LSR1: Determine how legacy HP support can be detected in incoming
messages.
</pre>
<h1id="rfc.section.6">
<ahref="#rfc.section.6">6.</a><ahref="#options-to-achieve-header-protection"id="options-to-achieve-header-protection">Options to Achieve Header Protection</a>
<h1id="rfc.section.5">
<ahref="#rfc.section.5">5.</a><ahref="#options-to-achieve-header-protection"id="options-to-achieve-header-protection">Options to Achieve Header Protection</a>
</h1>
<pid="rfc.section.6.p.1">In the following a set of Options to achieve Email Header Protection. It is expected that the IETF LAMPS WG chooses an option to update <ahref="#RFC8551"class="xref">[RFC8551]</a> wrt. Header Protection.</p>
<pid="rfc.section.5.p.1">In the following a set of Options to achieve Email Header Protection. It is expected that the IETF LAMPS WG chooses an option to update <ahref="#RFC8551"class="xref">[RFC8551]</a> wrt. Header Protection.</p>
<pid="rfc.section.6.1.p.1">Memory Hole approach works by copying the normal message header fields into the MIME header section of the top level protected body part. Since the MIME body part header section is itself covered by the protection mechanisms (signing and/or encryption) it shares the protections of the message body.</p>
<pid="rfc.section.6.1.p.2">[[ TODO: [DKG] add more information on memory hole]]</p>
<h1id="rfc.section.6.2">
<ahref="#rfc.section.6.2">6.2.</a><ahref="#rfc822-wrapping"id="rfc822-wrapping">Option 2: Wrapping with message/rfc822 or message/global</a>
<pid="rfc.section.5.1.p.1">Memory Hole approach works by copying the normal message header fields into the MIME header section of the top level protected body part. Since the MIME body part header section is itself covered by the protection mechanisms (signing and/or encryption) it shares the protections of the message body.</p>
<pid="rfc.section.5.1.p.2">[[ TODO: [DKG] add more information on memory hole]]</p>
<h1id="rfc.section.5.2">
<ahref="#rfc.section.5.2">5.2.</a><ahref="#rfc822-wrapping"id="rfc822-wrapping">Option 2: Wrapping with message/rfc822 or message/global</a>
</h1>
<pid="rfc.section.6.2.p.1">Wrapping with message/rfc822 (or message/global) works by copying the normal message header fields into the MIME header section of the top level protect body part</p>
<pid="rfc.section.6.2.p.2">[[ HB: Not sure this is well expressed: In option 2 the whole message is copied into the MIME body part as message/rfc822 element. ]]</p>
<pid="rfc.section.6.2.p.3">and then prepending them with “Content-Type: message/rfc822; forwarded=no\r\n” or “Content-Type: message/global; forwarded=no\r\n”, where \r\n is US-ASCII CR followed by US-ASCII LF. Since the MIME body part header section is itself covered by the protection mechanisms (signing and/or encryption) it shares the protections of the message body.</p>
<pid="rfc.section.5.2.p.1">Wrapping with message/rfc822 (or message/global) works by copying the normal message header fields into the MIME header section of the top level protect body part</p>
<pid="rfc.section.5.2.p.2">[[ HB: Not sure this is well expressed: In option 2 the whole message is copied into the MIME body part as message/rfc822 element. ]]</p>
<pid="rfc.section.5.2.p.3">and then prepending them with “Content-Type: message/rfc822; forwarded=no\r\n” or “Content-Type: message/global; forwarded=no\r\n”, where \r\n is US-ASCII CR followed by US-ASCII LF. Since the MIME body part header section is itself covered by the protection mechanisms (signing and/or encryption) it shares the protections of the message body.</p>
<pid="rfc.section.6.2.1.p.1">This section outlines how the new “forwarded” Content-Type header field parameter could be defined (probabely in a separate document) and how header section wrapping works:</p>
<pid="rfc.section.6.2.1.p.2">This document defines a new Content-Type header field parameter <ahref="#RFC2045"class="xref">[RFC2045]</a> with name “forwarded”. The parameter value is case- insensitive and can be either “yes” or “no”. (The default value being “yes”). The parameter is only meaningful with media type “message/rfc822” and “message/global”<ahref="#RFC6532"class="xref">[RFC6532]</a> when used within S​/​MIME signed or encrypted body parts. The value “yes” means that the message nested inside “message/rfc822” (“message/global”) is a forwarded message and not a construct created solely to protect the inner header section.</p>
<pid="rfc.section.6.2.1.p.3">Instructions in <ahref="#RFC8551"class="xref">[RFC8551]</a> describing how to protect the Email message header section <ahref="#RFC5322"class="xref">[RFC5322]</a>, by wrapping the message inside a message/ rfc822 container <ahref="#RFC2045"class="xref">[RFC2045]</a> are thus updated to read:</p>
<pid="rfc.section.5.2.1.p.1">This section outlines how the new “forwarded” Content-Type header field parameter could be defined (probabely in a separate document) and how header section wrapping works:</p>
<pid="rfc.section.5.2.1.p.2">This document defines a new Content-Type header field parameter <ahref="#RFC2045"class="xref">[RFC2045]</a> with name “forwarded”. The parameter value is case- insensitive and can be either “yes” or “no”. (The default value being “yes”). The parameter is only meaningful with media type “message/rfc822” and “message/global”<ahref="#RFC6532"class="xref">[RFC6532]</a> when used within S​/​MIME signed or encrypted body parts. The value “yes” means that the message nested inside “message/rfc822” (“message/global”) is a forwarded message and not a construct created solely to protect the inner header section.</p>
<pid="rfc.section.5.2.1.p.3">Instructions in <ahref="#RFC8551"class="xref">[RFC8551]</a> describing how to protect the Email message header section <ahref="#RFC5322"class="xref">[RFC5322]</a>, by wrapping the message inside a message/ rfc822 container <ahref="#RFC2045"class="xref">[RFC2045]</a> are thus updated to read:</p>
<p></p>
<ulclass="empty"><li>In order to protect outer, non-content-related message header fields (for instance, the “Subject”, “To”, “From”, and “Cc” fields), the sending client MAY wrap a full MIME message in a message/rfc822 wrapper in order to apply S​/​MIME security services to these header fields. It is up to the receiving client to decide how to present this “inner” header section along with the unprotected “outer” header section.</li></ul>
<p></p>
<ulclass="empty"><li>When an S​/​MIME message is received, if the top-level protected MIME entity has a Content-Type of message/rfc822 or message/global without the “forwarded” parameter or with the “forwarded” parameter set to “no”, it can be assumed that the intent was to provide header protection. This entity SHOULD be presented as the top-level message, taking into account header section merging issues as previously discussed.</li></ul>
<h1id="rfc.section.6.2.2">
<ahref="#rfc.section.6.2.2">6.2.2.</a><ahref="#handling-of-smime-protected-header"id="handling-of-smime-protected-header">Handling of S/MIME protected header</a>
<h1id="rfc.section.5.2.2">
<ahref="#rfc.section.5.2.2">5.2.2.</a><ahref="#handling-of-smime-protected-header"id="handling-of-smime-protected-header">Handling of S/MIME protected header</a>
</h1>
<pid="rfc.section.6.2.2.p.1">[[This section needs more work. Don’t treat anything in it as unchangeable.]]</p>
<pid="rfc.section.6.2.2.p.2">For a signed-only message, it is RECOMMENDED that all “outer” header fields are copied into the “inner” protected body part. This would mean that all header fields are signed. In this case, the “outer” header fields simply match the protected header fields. And in the case that the “outer” header fields differ, they can simply be replaced with their protected versions when displayed to the user.</p>
<pid="rfc.section.6.2.2.p.3">When generating encrypted or encrypted+signed S​/​MIME messages which protect header fields:</p>
<pid="rfc.section.5.2.2.p.1">[[This section needs more work. Don’t treat anything in it as unchangeable.]]</p>
<pid="rfc.section.5.2.2.p.2">For a signed-only message, it is RECOMMENDED that all “outer” header fields are copied into the “inner” protected body part. This would mean that all header fields are signed. In this case, the “outer” header fields simply match the protected header fields. And in the case that the “outer” header fields differ, they can simply be replaced with their protected versions when displayed to the user.</p>
<pid="rfc.section.5.2.2.p.3">When generating encrypted or encrypted+signed S​/​MIME messages which protect header fields:</p>
<p></p>
<ol>
@ -831,46 +831,46 @@ LSR1: Determine how legacy HP support can be detected in incoming
<li>The outer header section SHOULD be minimal in order to avoid disclosure of confidential information. It is recommended that the outer header section only contains “Date” (set to the same value as in the inner header field, or, if the Date value is also sensitive, to Monday 9am of the same week), possibly “Subject” and “To”/”Bcc” header fields. In particular, Keywords, In-Reply- To and References header fields SHOULD NOT be included in the outer header; “To” and “Cc” header fields should be omitted and replaced with “Bcc: undisclosed-recipients;”. <br><br> But note that having key header fields duplicated in the outer header is convenient for many message stores (e.g. IMAP) and clients that can’t decode S​/​MIME encrypted messages. In particular, Subject/To/Cc/Bcc/Date header field values are returned in IMAP ENVELOPE FETCH data item <ahref="#RFC3501"class="xref">[RFC3501]</a>, which is frequently used by IMAP clients in order to avoid parsing message header.</li>
<li>The “Subject” header field value of the outer header section SHOULD either be identical to the inner “Subject” header field value, or contain a clear indication that the outer value is not to be used for display (the inner header field value would contain the true value).</li>
</ol>
<pid="rfc.section.6.2.2.p.5">Note that recommendations listed above typically only apply to non MIME header fields (header fields with names not starting with “Content-“ prefix), but there are exception, e.g. Content-Language.</p>
<pid="rfc.section.6.2.2.p.6">Note that the above recommendations can also negatively affect antispam processing.</p>
<pid="rfc.section.6.2.2.p.7">When displaying S​/​MIME messages which protect header fields (whether they are signed-only, encrypted or encrypted+signed):</p>
<pid="rfc.section.5.2.2.p.5">Note that recommendations listed above typically only apply to non MIME header fields (header fields with names not starting with “Content-“ prefix), but there are exception, e.g. Content-Language.</p>
<pid="rfc.section.5.2.2.p.6">Note that the above recommendations can also negatively affect antispam processing.</p>
<pid="rfc.section.5.2.2.p.7">When displaying S​/​MIME messages which protect header fields (whether they are signed-only, encrypted or encrypted+signed):</p>
<p></p>
<ol><li>The outer headers might be tampered with, so a receiving client SHOULD ignore them, unless they are protected in some other way(<em>). If a header field is present in the inner header, only the inner header field value MUST be displayed (and the corresponding outer value must be ignored). If a particular header field is only present in the outer header, it MAY be ignored (not displayed) or it MAY be displayed with a clear indicator that it is not trustworthy(</em>). <br><br> (*) - this only applies if the header field is not protected is some other way, for example with a DKIM signature that validates and is trusted.</li></ol>
<h1id="rfc.section.6.2.3">
<ahref="#rfc.section.6.2.3">6.2.3.</a><ahref="#mail-user-agent-algorithm-for-deciding-which-version-of-a-header"id="mail-user-agent-algorithm-for-deciding-which-version-of-a-header">Mail User Agent Algorithm for deciding which version of a header</a>
<h1id="rfc.section.5.2.3">
<ahref="#rfc.section.5.2.3">5.2.3.</a><ahref="#mail-user-agent-algorithm-for-deciding-which-version-of-a-header"id="mail-user-agent-algorithm-for-deciding-which-version-of-a-header">Mail User Agent Algorithm for deciding which version of a header</a>
</h1>
<pid="rfc.section.6.2.3.p.1">field to display</p>
<pid="rfc.section.6.2.3.p.2">[[TBD: describe how to recurse to find the innermost protected root body part, extract header fields from it and propogate them to the top level. This should also work for triple-wrapped messages.]]</p>
<pid="rfc.section.5.2.3.p.2">[[TBD: describe how to recurse to find the innermost protected root body part, extract header fields from it and propogate them to the top level. This should also work for triple-wrapped messages.]]</p>
<pid="rfc.section.6.3.p.1">This option is similar to Option 2 (cf. <ahref="#rfc822-wrapping"class="xref">Section 6.2</a>). It also makes use the Content-Type property “forwarded” (cf. <ahref="#content-type-property-forwarded"class="xref">Section 6.2.1</a>).</p>
<pid="rfc.section.5.3.p.1">This option is similar to Option 2 (cf. <ahref="#rfc822-wrapping"class="xref">Section 5.2</a>). It also makes use the Content-Type property “forwarded” (cf. <ahref="#content-type-property-forwarded"class="xref">Section 5.2.1</a>).</p>
<pid="rfc.section.6.4.p.1">pretty Easy privacy (pEp) <ahref="#I-D.birk-pep"class="xref">[I-D.birk-pep]</a> is working on bringing state-of-the-art automatic cryptography known from areas like TLS to electronic mail (email) communication. pEp is determined to evolve the existing standards as fundamentally and comprehensively as needed to gain easy implementation and integration, and for easy use for regular Internet users. pEp for email wants to attaining to good security practice while still retaining backward compatibility for implementations widespread.</p>
<pid="rfc.section.6.4.p.2">To provide the required stability as a foundation for good security practice, pEp for email defines a fixed MIME structure for its innermost message structure, so to remove most attack vectors which have permitted the numerous EFAIL vulnerabilities. (TBD: ref)</p>
<pid="rfc.section.6.4.p.3">Security comes just next after privacy in pEp, for which reason the application of signatures without encryption to messages in transit is not considered purposeful. pEp for email herein referenced, and further described in <ahref="#I-D.marques-pep-email"class="xref">[I-D.marques-pep-email]</a>, either expects to transfer messages in cleartext without signature or encryption, or transfer them encrypted and with enclosed signature and necessary public keys so that replies can be immediately upgraded to encrypted messages.</p>
<pid="rfc.section.6.4.p.4">The pEp message format is equivalent to the S​/​MIME standard in ensuring header protection, in that the whole message is protected instead, by wrapping it and providing cryptographic services to the whole original message. The pEp message format is different compared to the S​/​MIME standard in that the pEp protocols propose opportunistic end-to-end security and signature, by allowing the transport of the necessary public key material along with the original messages.</p>
<pid="rfc.section.6.4.p.5">For the purpose of allowing the insertion of such public keys, the root entity of the protected message is thus nested once more into an additional multipart/mixed MIME entity. The current pEp proposal is for PGP/MIME, while an extension to S​/​MIME is next.</p>
<pid="rfc.section.6.4.p.6">pEp’s proposal is strict in that it requires that the cryptographic services applied to the protected message MUST include encryption. It also mandates a fixed MIME structure for the protected message, which always MUST include a plaintext and optionally an HTML representation (if HTML is used) of the same message, and requires that all other optional elements to be eventually presented as attachments. Alternatively the whole protected message could represent in turn a wrapped pEp wrapper, which makes the message structure fully recursive on purpose (e.g., for the purpose of anonymization through onion routing).</p>
<pid="rfc.section.6.4.p.7">For the purpose of implementing mixnet routing for email, it is foreseen to nest pEp messages recursively. A protected message can in turn contain a protected message due for forwarding. This is for the purpose to increase privacy and counter the necessary leakage of plaintext addressing in the envelope of the email.</p>
<pid="rfc.section.6.4.p.8">The recursive nature of the pEp message format allows for the implementation of progressive disclosure of the necessary transport relevant header fields just as-needed to the next mail transport agents along the transmission path.</p>
<pid="rfc.section.6.4.p.9">pEp has also implemented the above (in <ahref="#content-type-property-forwarded"class="xref">Section 6.2.1</a>) described Content-Type property “forwarded” to distinguish between encapsulated and forwarded emails.</p>
<h1id="rfc.section.6.5">
<ahref="#rfc.section.6.5">6.5.</a><ahref="#candidate-header-fields-for-header-protection"id="candidate-header-fields-for-header-protection">Candidate Header Fields for Header Protection</a>
<pid="rfc.section.5.4.p.1">pretty Easy privacy (pEp) <ahref="#I-D.birk-pep"class="xref">[I-D.birk-pep]</a> is working on bringing state-of-the-art automatic cryptography known from areas like TLS to electronic mail (email) communication. pEp is determined to evolve the existing standards as fundamentally and comprehensively as needed to gain easy implementation and integration, and for easy use for regular Internet users. pEp for email wants to attaining to good security practice while still retaining backward compatibility for implementations widespread.</p>
<pid="rfc.section.5.4.p.2">To provide the required stability as a foundation for good security practice, pEp for email defines a fixed MIME structure for its innermost message structure, so to remove most attack vectors which have permitted the numerous EFAIL vulnerabilities. (TBD: ref)</p>
<pid="rfc.section.5.4.p.3">Security comes just next after privacy in pEp, for which reason the application of signatures without encryption to messages in transit is not considered purposeful. pEp for email herein referenced, and further described in <ahref="#I-D.marques-pep-email"class="xref">[I-D.marques-pep-email]</a>, either expects to transfer messages in cleartext without signature or encryption, or transfer them encrypted and with enclosed signature and necessary public keys so that replies can be immediately upgraded to encrypted messages.</p>
<pid="rfc.section.5.4.p.4">The pEp message format is equivalent to the S​/​MIME standard in ensuring header protection, in that the whole message is protected instead, by wrapping it and providing cryptographic services to the whole original message. The pEp message format is different compared to the S​/​MIME standard in that the pEp protocols propose opportunistic end-to-end security and signature, by allowing the transport of the necessary public key material along with the original messages.</p>
<pid="rfc.section.5.4.p.5">For the purpose of allowing the insertion of such public keys, the root entity of the protected message is thus nested once more into an additional multipart/mixed MIME entity. The current pEp proposal is for PGP/MIME, while an extension to S​/​MIME is next.</p>
<pid="rfc.section.5.4.p.6">pEp’s proposal is strict in that it requires that the cryptographic services applied to the protected message MUST include encryption. It also mandates a fixed MIME structure for the protected message, which always MUST include a plaintext and optionally an HTML representation (if HTML is used) of the same message, and requires that all other optional elements to be eventually presented as attachments. Alternatively the whole protected message could represent in turn a wrapped pEp wrapper, which makes the message structure fully recursive on purpose (e.g., for the purpose of anonymization through onion routing).</p>
<pid="rfc.section.5.4.p.7">For the purpose of implementing mixnet routing for email, it is foreseen to nest pEp messages recursively. A protected message can in turn contain a protected message due for forwarding. This is for the purpose to increase privacy and counter the necessary leakage of plaintext addressing in the envelope of the email.</p>
<pid="rfc.section.5.4.p.8">The recursive nature of the pEp message format allows for the implementation of progressive disclosure of the necessary transport relevant header fields just as-needed to the next mail transport agents along the transmission path.</p>
<pid="rfc.section.5.4.p.9">pEp has also implemented the above (in <ahref="#content-type-property-forwarded"class="xref">Section 5.2.1</a>) described Content-Type property “forwarded” to distinguish between encapsulated and forwarded emails.</p>
<h1id="rfc.section.5.5">
<ahref="#rfc.section.5.5">5.5.</a><ahref="#candidate-header-fields-for-header-protection"id="candidate-header-fields-for-header-protection">Candidate Header Fields for Header Protection</a>
</h1>
<pid="rfc.section.6.5.p.1">By default, all headers of the original message SHOULD be wrapped with the original message, with one exception:</p>
<pid="rfc.section.5.5.p.1">By default, all headers of the original message SHOULD be wrapped with the original message, with one exception:</p>
<p></p>
<ul><li>the header field “Bcc” MUST NOT be added to the protected headers.</li></ul>
<pid="rfc.section.6.6.p.1">The outer message requires a minimal set of headers to be in place for being eligible for transport. This includes the “From”, “To”, “Cc”, “Bcc”, “Subject” and “Message-ID” header fields. The protocol hereby defined also depends on the “MIME-Version”, “Content-Type”, “Content-Disposition” and eventually the “Content-Transport-Encoding” header field to be present.</p>
<pid="rfc.section.6.6.p.2">Submission and forwarding based on SMTP carries “from” and “receivers” information out-of-band, so that the “From” and “To” header fields are not strictly necessary. Nevertheless, “From”, “Date”, and at least one destination header field is mandatory as per <ahref="#RFC5322"class="xref">[RFC5322]</a>. They SHOULD be conserved for reliability.</p>
<pid="rfc.section.6.6.p.3">The following header fields should contain a verbatim copy of the header fields of the inner message:</p>
<pid="rfc.section.5.6.p.1">The outer message requires a minimal set of headers to be in place for being eligible for transport. This includes the “From”, “To”, “Cc”, “Bcc”, “Subject” and “Message-ID” header fields. The protocol hereby defined also depends on the “MIME-Version”, “Content-Type”, “Content-Disposition” and eventually the “Content-Transport-Encoding” header field to be present.</p>
<pid="rfc.section.5.6.p.2">Submission and forwarding based on SMTP carries “from” and “receivers” information out-of-band, so that the “From” and “To” header fields are not strictly necessary. Nevertheless, “From”, “Date”, and at least one destination header field is mandatory as per <ahref="#RFC5322"class="xref">[RFC5322]</a>. They SHOULD be conserved for reliability.</p>
<pid="rfc.section.5.6.p.3">The following header fields should contain a verbatim copy of the header fields of the inner message:</p>
<p></p>
<ul>
@ -880,15 +880,15 @@ LSR1: Determine how legacy HP support can be detected in incoming
<li>Cc (*)</li>
<li>Bcc (*)</li>
</ul>
<pid="rfc.section.6.6.p.5">The entries with an asterisk mark (*) should only be set if also present in the original message.</p>
<pid="rfc.section.6.7.p.1">More information on progressive header disclosure can be found in <ahref="#I-D.marques-pep-email"class="xref">[I-D.marques-pep-email]</a> and <ahref="#I-D.luck-lamps-pep-header-protection"class="xref">[I-D.luck-lamps-pep-header-protection]</a>. The latter is a predecessor of this document.</p>
<pid="rfc.section.5.7.p.1">More information on progressive header disclosure can be found in <ahref="#I-D.marques-pep-email"class="xref">[I-D.marques-pep-email]</a> and <ahref="#I-D.luck-lamps-pep-header-protection"class="xref">[I-D.luck-lamps-pep-header-protection]</a>. The latter is a predecessor of this document.</p>
<pid="rfc.section.7.1.p.1">The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the first body part of a multipart/signed message or the signed and/or encrypted payload of the application/pkcs7-mime body part. Lines prepended by “O: “ are the outer header section. Lines prepended by “I: “ are the inner header section.</p>
<pid="rfc.section.6.1.p.1">The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the first body part of a multipart/signed message or the signed and/or encrypted payload of the application/pkcs7-mime body part. Lines prepended by “O: “ are the outer header section. Lines prepended by “I: “ are the inner header section.</p>
<ahref="#rfc.section.7.2">7.2.</a><ahref="#rfc822-wrapping-example"id="rfc822-wrapping-example">Option 2: Wrapping with message/rfc822 or message/global</a>
<h1id="rfc.section.6.2">
<ahref="#rfc.section.6.2">6.2.</a><ahref="#rfc822-wrapping-example"id="rfc822-wrapping-example">Option 2: Wrapping with message/rfc822 or message/global</a>
</h1>
<pid="rfc.section.7.2.p.1">The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the first body part of a multipart/signed message or the signed and/or encrypted payload of the application/pkcs7-mime body part. Lines prepended by “O: “ are the outer header section. Lines prepended by “I: “ are the inner header section. Lines prepended by “W: “ are the wrapper.</p>
<pid="rfc.section.6.2.p.1">The following example demonstrates how header section and payload of a protect body part might look like. For example, this will be the first body part of a multipart/signed message or the signed and/or encrypted payload of the application/pkcs7-mime body part. Lines prepended by “O: “ are the outer header section. Lines prepended by “I: “ are the inner header section. Lines prepended by “W: “ are the wrapper.</p>
<pid="rfc.section.6.3.p.1">This looks similar as in option 2. Specific examples can be found in <ahref="#I-D.luck-lamps-pep-header-protection"class="xref">[I-D.luck-lamps-pep-header-protection]</a>.</p>
<pid="rfc.section.7.3.p.1">This looks similar as in option 2. Specific examples can be found in <ahref="#I-D.luck-lamps-pep-header-protection"class="xref">[I-D.luck-lamps-pep-header-protection]</a>.</p>
<pid="rfc.section.7.p.1">This document talks about UI considerations, including security considerations, when processing messages protecting header fields. One of the goals of this document is to specify UI for displaying such messages which is less confusing/misleading and thus more secure.</p>
<pid="rfc.section.7.p.2">The document is not defining new protocol, so it doesn’t create any new security concerns not already covered by S​/​MIME <ahref="#RFC8551"class="xref">[RFC8551]</a>, MIME <ahref="#RFC2045"class="xref">[RFC2045]</a> and Email <ahref="#RFC5322"class="xref">[RFC5322]</a> in general.</p>
<pid="rfc.section.8.p.1">This document talks about UI considerations, including security considerations, when processing messages protecting header fields. One of the goals of this document is to specify UI for displaying such messages which is less confusing/misleading and thus more secure.</p>
<pid="rfc.section.8.p.2">The document is not defining new protocol, so it doesn’t create any new security concerns not already covered by S​/​MIME <ahref="#RFC8551"class="xref">[RFC8551]</a>, MIME <ahref="#RFC2045"class="xref">[RFC2045]</a> and Email <ahref="#RFC5322"class="xref">[RFC5322]</a> in general.</p>
<pid="rfc.section.11.p.1">Special thanks go to Krista Bennett and Volker Birk for valuable input to this draft and Hernani Marques for reviewing.</p>
<pid="rfc.section.11.p.2">[[ TODO [AM]: Do we need to mention: Wei Chuang, Steve Kille, David Wilson and Robert Williams (copied from Acknowledgements section of <ahref="#I-D.melnikov-lamps-header-protection"class="xref">[I-D.melnikov-lamps-header-protection]</a> ]]</p>
<pid="rfc.section.11.p.3">Special thanks to Claudio Luck who authored a predecessor of this document. Essential parts of his work have been merged into this one.</p>
<pid="rfc.section.11.p.4">David Wilson came up with the idea of defining a new Content-Type header field parameter to distinguish forwarded messages from inner header field protection constructs.</p>
<pid="rfc.section.10.p.1">Special thanks go to Krista Bennett and Volker Birk for valuable input to this draft and Hernani Marques for reviewing.</p>
<pid="rfc.section.10.p.2">[[ TODO [AM]: Do we need to mention: Wei Chuang, Steve Kille, David Wilson and Robert Williams (copied from Acknowledgements section of <ahref="#I-D.melnikov-lamps-header-protection"class="xref">[I-D.melnikov-lamps-header-protection]</a> ]]</p>
<pid="rfc.section.10.p.3">Special thanks to Claudio Luck who authored a predecessor of this document. Essential parts of his work have been merged into this one.</p>
<pid="rfc.section.10.p.4">David Wilson came up with the idea of defining a new Content-Type header field parameter to distinguish forwarded messages from inner header field protection constructs.</p>
