juga
/
internet-drafts
forked from pEp.foundation/internet-drafts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

new 'Protocol's Core Design Principles'

Browse Source
master
Claudio Luck 4 years ago
parent 1d363b488c
commit d76ea52991
1 changed files with 781 additions and 76 deletions
Show Stats Download Patch File Download Diff File

857
pep/draft-birk-pep.mkd
Unescape View File

@ -156,8 +156,12 @@ Registration of Trustword Lists {{I-D.birk-pep-trustwords}}.
which RFCs we rely. \]\]
<!-- # Terms -->
<!-- # Normative language -->
{::include ../shared/text-blocks/key-words-rfc2119.mkd}
<!-- ## Terms -->
{::include ../shared/text-blocks/terms-intro.mkd}
@ -243,10 +247,20 @@ override pEp's defaults.
\[\[ **TODO**: tcpdump dissector anyone? \]\]
## End-to-End
## End-to-End {#end-to-end}
\[\[ **TODO**: Peer-to-Peer means that all nodes have symmetric
capabilities; it does not exclude hierarchies or even central
infrastructure. Some P2P networks have "super nodes", some have
central lists to boostrap the network. While End-to-End means that a
network can not be partitioned in any way to learn from the
communication flowing over the intercepted vertices. They are
complementary but independent concepts. \]\]
## Peer-to-Peer {#peer-to-peer}
Messaging and verification processes in pEp are designed to work
in a peer-to-peer (P2P) manner, without the involvement of intermediaries.
Messaging and verification processes in pEp are designed to work in a
peer-to-peer (P2P) manner, without the involvement of intermediaries.
This means there MUST NOT be any pEp-specific central services
whatsoever needed for pEp implementations, both in the case of
@ -266,53 +280,333 @@ interoperating with peers using S/MIME) by default.
Implementers of pEp MUST take special care not to confuse users with
technical terms, especially those of cryptography (e.g., "keys",
"certificates" or "fingerprints"), unless users explicitly ask for
such terms; i.e., advanced settings MAY be available, and in some cases
further options may even be required. However, those SHALL NOT be
unnecessarily exposed to users of pEp implementations at first
such terms; i.e., advanced settings MAY be available, and in some
cases further options may even be required. However, those SHALL NOT
unnecessarily be exposed to users of pEp implementations at first
glance.
The authors believe widespread adoption of end-to-end cryptography is
much less of a problem if the users are not confronted with the need to
understand cryptography; that is to say, a central goal of pEp
of the pEp protocol is that users can just rely on the principles of
much less of a problem if the users are not confronted with the need
to understand cryptography; that is to say, a central goal of pEp of
the pEp protocol is that users can just rely on the principles of
Privacy by Default.
As a consequence, this means that users must not wait for cryptographic
tasks (e.g., key generation or public key retrieval) to finish before
being able to have their respective message clients ready to
communicate. The end result of this is that pEp implementers MUST ensure that
the ability to draft, send and receive messages is always preserved --
even if that means a message is sent out unencrypted, thus being in
accordance with the Opportunistic Security approach outlined in
{{RFC7435}}.
As a consequence, this means that users must not wait for
cryptographic tasks (e.g., key generation or public key retrieval) to
finish before being able to have their respective message clients
ready to communicate. The end result of this is that pEp implementers
MUST ensure that the ability to draft, send and receive messages is
always preserved -- even if that means a message is sent out
unencrypted, thus being in accordance with the Opportunistic Security
approach outlined in {{RFC7435}}.
In turn, pEp implementers MUST ensure that a discernible privacy
status is clearly visible to the user -- on a per-contact as well as
per-message level -- so that users easily understand which level of
privacy messages are about to be sent with or were received with,
respectively.
\[\[ **NOTE**: We are aware of the fact that usually UX requirements are
not part of RFCs. However, in order to encourage massive adoption of
secure end-to-end encryption while at the same time avoiding putting
users at risk, we believe certain straightforward signaling
requirements for users to be a good idea, just as is currently done
for already-popular instant messaging services. \]\]
# Protocol Overview
\[\[ **TODO**: Intro \]\]
## Baseline Protection
Baseline protection provides for cryptographic keys to be exchanged
end-to-end, such that messages can be eventually verified and
encrypted.
### Handshake Initialization Protocol
The basic protocol of pEp is a simple two-step handshake which is
continuously running.
* In every message delivered, the public key of the sender, and any
pending revocation certificate concerning the sender, MUST be
additionally delivered (guarding some exceptional use-cases
described later).
<!-- this is to keep XML2RFC happy for a picture followin a list element -->
The sequence diagram of the basic protocol is rather trivial.
+-------+ +-------+
| Alice | | Bob |
+-------+ +-------+
| |
~~~~~~~~~~~~~~~~~ Initialization ~~~~~~~~~~~~~~~~
| Plaintext Msg 1..N |
| + RevocCerts_A[] |
| + PubKey_A |
| ----------------------------------> | -------+ Learn
| | | PubKey_A
:~~~~~~~~~~~~~~~~~~~~~ Loop ~~~~~~~~~~~~~~~~~~~~~~: | of Identity
: | | : | Alice
: | Protected Msg N+1 | : |
: | + RevocCerts_B[] | : |
: | + PubKey_B | : |
: +-- | <---------------------------------- | <------+ Use it
: | | | | : to protect
: | | Protected Msg N+2 | | : Msg N+1
: | | + revocCerts_A[] | | :
: | | + PubKey_A | | :
: +-> | ----------------------------------> | --+ : Loop
: | | :
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~:
| |
|\___________________________________/|
Encrypted but NOT authenticated
{: #pEp_F_1 title="Basic pEp protocol interchange" artwork-align="center" }
With no auxiliary support like pre-shared secrets, or exercising
trust in external third-parties, this is the fastest way to
automatically assist Bob in starting an encrypted conversation with
Alice.
The protocol has two advantages: it requires no external input to
start functioning, and it works fully asynchronous and in-band. The
protocol has two drawbacks though, which pEp explicitely accepts;
first, Alice may totally renounce privacy in her first messages, i.e.
until she receives a reply from Bob; and second, both won't
immediately authenticate their channel once they start the encrypted
communication.
But still, it is a huge advancement over sticking with plaintext
communication forever; at this point, a passive eavesdropper is
already locked out. And an active attacker only has a short
window-of-opportunity to attack.
The exact format is transport specific, in particular, the
cryptographic material may be sent in three different ways.
1. On a transport for structured messages (e.g. {{MIME}} based Email), it may be bundled with the original message, resulting in a replacement framing message
0. The cryptographic service may embed it into the cryptographic envelope in a transport specific way (e.g. {{SMIME}})
0. Additional technical messages may be sent precursing the actual message. \[\[TODO: Such messages MUST be cryptographically interlinked such that partial reception remains totally useless to the recipient.\]\]
Different variants of the above may be used during initialization and
in the loop state.
Lets say Alice sets up a second device, and configures it with her
same identity. pEp MUST first create a new key. Alice now ends up
with two separate keys on two devices. Alice immediately sends a
second message to Bob from her new device (Message 3 in {{pEp_F_2}}).
Her new device has not yet learned the public key of Bob, so Message
3 is send unencrypted again.
+-------+ +-------+
| Alice | | Bob |
+-------+ +-------+
| |
| Plaintext Msg 3 |
| + PubKey_A2 |
| ----------------------------------> |
| |
|\___________________________________/|
NOT encrypted
{: #pEp_F_2 title="Second device in use" artwork-align="center" }
Neither Alice nor Bob really care about the details, and if it was
not for the pEp protocol, they would continue to send and receive
messages in clear text. pEp wants to improve this, and wants to
provide encryption whenever possible. But pEp never stops anyone from
sending a message, if by no means it can't start encrypting
automatically.
* pEp, in it's default configuration, MUST NOT, ever, prevent the
user from sending a message or interrupt this process with questions
* It MUST clearly signal the predicted privacy rating for the
outgoing message though.
\[\[ **TODO**: we just introduced rating *prediction* without prior
explanation \]\]
Alice, which is sending her first message to Bob on her additional
device, will clearly see that pEp predicts a low privacy for her
outgoing message.
+-------+ +-------+
| Alice | | Bob |
+-------+ +-------+
| |
| Plaintext Msg 3 |
| + PubKey_A2 |
| ----------------------------------> | --+ Learn
| | | PubKey_A2
| Protected Msg 4 | | of Identity
| + PubKey_B | | Alice
| <---------------------------------- | <-+
| |
| |
|\___________________________________/|
Encrypted but NOT authenticated
{: #pEp_F_3 title="Receiving message from unlinked additional device" artwork-align="center" }
Now Bob sees a message and a new PubKey_A2 from Alice, while he
previously learned PubKey_A from her. Bobs pEp is giving this a low
rating. As Bob and Alice have not yet expressed trust in their
connection yet, pEp now accepts the second key for Alice. Still, the
first learned key is preferred, which is Alices first key, which
resides on her first computer.
* For any identity, pEp MUST use the first learned key for
encryption, otherwise a man-in-the-middle could succesfully install
an additional key by forging a message. - The recipient MUST
maintain the validity records of learned keys independently, but the
validity MUST NOT exceed those encoded in the received keys.
\[\[ **TODO**: add note if pEp requires valid network time, I think
it could be designed such that it's not required\]\]
\[\[ **TODO**: why not encrypt to all still valid keys on a given
transport?\]\]
Note that the case above depicts the worst case scenario. When Alice
started using her new computer, she may have re-read Message 2 of Bob
on the new device, and pEp would have immediately learned Bob's
public key, so that outgoing Message 3 would've already been
encrypted. This is covered in the transports model with the incoming
and outgoing messages property, described later. TODO
### Private Device Pairing
To read Bob's message on her second device, she needs to pair them,
which engages the keysync protocol. Ideally, Alices oldest key would
automatically find its way onto all of her devices. Unfortunately,
pEp Synchronization cannot start fully automatically. Alice first
needs to be guided through another function of pEp, which is mutual
authentication. For this, Alice operates both of her devices, and
once she selected the common account or entered an address of the
other device, she has to compare the public key fingerprints of both
devices (simplified through the use of Trustwords). If she confirms
on both devices, each of them will mark the other's public key as
trusted, and register it under the same "own" user.
+----------+ +----------------+ +----------+
| Device 1 | | Sync Transport | | Device 2 |
+----------+ +----------------+ +----------+
| | |
~~~~~~~~~~~ Alice starts pairing on device 1 ~~~~~~~~~~
| | |
| | |
| Sync beacon 1 | |
| -------------------> +-+ |
| ||| |
~~~~~~~~~~~ Alice starts pairing on device 2 ~~~~~~~~~~
| ||| |
| ||| |
| ||| Sync beacon 1 |
| +-+ -------------------> |
| | |
| | Sync beacon 2 |
| <-------------------- | <-------------------- |
| --+ | +-- |
| | Show | Show | |
| <-+ trustwords | trustwords +-> |
| | |
| | |
| Close transaction | |
| --------------------> | --------------------> |
| | Close transaction |
| <-------------------- | <-------------------- |
| | |
| | |
|\______________________|______________________/|
Encrypted and authenticated/trusted
{: #pEp_F_4 title="Device pairing" artwork-align="center" }
Note that the trasnport for synchronization messages and the
trasnport for the users messages MAY be separate transports.
### Key Synchronization
At this point in time both devices disclose all of their private keys
(one each) to each other, and Alice can now read Bob's both messages
on both her devices.
### Key Reset
Now, Bob was unlucky and got his computer infected, so that he is
setting it up anew. On the fresh system, while his previous key is
recovered from the backup, the key itself was compromised, such that
it needs to be replaced.
* When a key is recovered from backup, it SHOULD be replaced.
Bob chooses to simply "reset" pEp. This means that pEp is resetting
his "own" identity, revoking all keys and creating a new one. From
now on, every message of Bob will contain the new public key, and the
revocation of the old ones.
* When pEp receives a revocation certificate through a pEp specific
transport format, it MUST mark all the learned keys as revoked,
while,
* when pEp receives a revocation certificate through a non-pEp specific transport format, it MUST mark only the specified key as revoked.
* Revocation certificates MUST be accepted from any source, given that they pass cryptographic scrutiny (i.e. that they are valid).
* The message delivering the revocation certificate MAY be signed by the key the revoked certificate concerns.
* A revocation certificate for an "own" key MAY be received; in such a case an "own" identity reset must be triggered.
* It is a considered a good course of action to submit revocation certificates or private keys to the issuer, shall third-party private keys be found in leaked datasets. Submission MAY be anonymous.
* Receiving an "own" private key from a non-"own" identity MUST trigger an "own" identity reset.
Bob has now replaced his key. Alice wouldn't know anything of Bob's
new key until receiving a message from Bob. This is why Bobs pEp
sends a technical message to all recent correspondents. If Alice is
not a recent correspondent, and she suddenly starts writing to Bob
again, she will see a lowered rating because of the timeframe<!--
MUST! -->, and she'll be using the deprecated key of Bob which she
still considers valid. Bob can then still decrypt the received
message, but will also see a lowered rating, because of the revoked
key being used. For a baseline, it is still better to use a
deprecated key, than sending messages plaintext.
This key rollover was almost transparent for Bob and Alice. The
previous time Bob went through this, he hadn't a backup, and things
didn't go as smooth. He had lost his previous key, and pEp could not
deliver the revocation certificate automatically. Bob then needed
\[\[ **TODO**: Bob does not really know this need \]\] to write Alice
a short enquiry, to please reset the trust on his identity. Alice
heard about Bobs issue before, and followed up, and Alices pEp then
blacklisted all the previously acquired keys. The key just attached
was then the new oldest valid key learned, ready to be used.
In turn, pEp implementers MUST ensure that a discernible privacy status is clearly
visible to the user -- on a per-contact as well as per-message level -- so
that users easily understand which level of privacy messages are
about to be sent with or were received with, respectively.
\[\[Note: We are aware of the fact that usually UX requirements are
not part of RFCs. However, in order to encourage massive adoption of
secure end-to-end encryption while at the same time avoiding putting
users at risk, we believe certain straightforward
signaling requirements for users to be a good idea, just as
is currently done for already-popular instant messaging
services.\]\]
## Multiple Identities
# Specific Elements in pEp
In pEp, users MUST have the ability to have multiple identities.
## pEp identity system
pEp users MUST have the option to choose the identity they want to
appear with. This allows an user to decide how to reveal hto the
world. It is an important element to maintain privacy.
In pEp, users MUST have the ability to have multiple different identities.
To provide for this separation, pEp will create dedicated keys for
every identity defined.
pEp users MUST have the option to choose different identities. This
allows an Internet user to decide how to reveal himself/herself to the world
and is an important element in order to achieve privacy.
* By default, all identities MUST NOT be externally correlatable.
The user MAY override this through advanced usage, e.g. by importing
external keys.
These different identities MUST NOT be externally correlatable with each other by
default. On the other hand, combining different identities when such information is known MUST be
supported (alias support).
pEp assists the user in learning different identities of
correspondents (aliases).
<!--
{:: include ../shared/ascii-arts/pep_id_system.mkd}
@ -328,76 +622,487 @@ supported (alias support).
-->
## Identifiers
## Trivial Anonymization
Routed networks require that a message carries a destination address,
and often also a source address. This is metadata being leaked, and
most often it is cleartext information. {{pEp_F_5}} shows in a
sequence diagram how an eavesdropper (here depicted as a Three-Letter
Agengy), sees a message directed from Alice to Bob beind sent from
Alice to Bob.
+-------+ +-------+ +-----------+ +-----+
| Alice | | TLA | | Bobs Corp | | Bob |
+-------+ +-------+ +-----------+ +-----+
| ^ | |
~~~~~~~~~~ TLA sees message from @ alice to @ bob ~~~~~~~~~
| ^ | |
| ^ | |
| Message 5 ^ | |
| To: @ bob ^ | |
| ----------------###------------> @ |
| ^ @ ----------> |
| ^ | |
{: #pEp_F_5 title="Principle of eavesdropping messages in transit" artwork-align="center" }
A workaround for Alice is to start wrapping the messages and
directing them to a relaying party. In the simplest case she requires
Bobs Corporation Transfer Agent to cooperate, so that she can rely
the message to a generic corporate address. {{pEp_F_6}} depicts how
the eavesdropper now only sees Alice communicating with Bobs
Corporation.
+-------+ +-------+ +-----------+ +-----+
| Alice | | TLA | | Bobs Corp | | Bob |
+-------+ +-------+ +-----------+ +-----+
| ^ | |
~~~~~~~~~~ TLA sees message from @ alice to @ mta ~~~~~~~~~
| ^ | |
| Message 6 ^ | |
| @ bob ^ | |
| --+ ^ | |
| | Wrap to ^ | |
# <-+ @ mta ^ | |
# ^ | |
# Message 6* ^ | |
# To: @ mta ^ | |
# ----------------###------------> @ --+ |
| ^ | | Unwrap |
| ^ # <-+ 6*>6 |
| ^ # |
| ^ # Submit 6 |
| ^ # To: @ bob |
| ^ # ----------> |
| ^ | |
{: #pEp_F_6 title="Principle of Onion Routing" artwork-align="center" }
Alice can apply the wrapping recursively. An Internet Service
Provider may also offer a relying service. {{pEp_F_7}} shows that by
double wrapping the message, the eavesdropper starts to read less and
less meaningful metadata from the messages, in this case a message
from Alices ISP to Bobs Corporation.
+-------+ +---------+ +-------+ +-----------+ +-----+
| Alice | | A.s ISP | | TLA | | Bobs Corp | | Bob |
+-------+ +---------+ +-------+ +-----------+ +-----+
| | ^ | |
| Message 7 | ^ | |
| @ bob | ^ | |
| --+ ^ | |
| | Wrap to ^ | |
# <-+ @ mta ^ | |
# ^ | |
## --+ ^ | |
## | Wrap to ^ | |
## <-+ @ isp ^ | |
~~~~~~~~~~ TLA sees message from @ isp to @ mta ~~~~~~~~~~~
## | ^ | |
## ^ | |
## Message 7** ^ | |
## To: @ mta ^ | |
## --------> @ --+ ^ | |
| | | Unwrap | |
| # <-+ 7**>7* | |
| # | |
| # ^ | |
| # ----------###----------> @ --+ |
| | ^ | | Unwrap |
| | ^ # <-+ 7*>7 |
| | ^ # |
| | ^ # Submit 7 |
| | ^ # To: @ bob |
| | ^ # ---------> |
| | ^ | |
{: #pEp_F_7 title="Multiple Wrapping Onion Routing" artwork-align="center" }
Nesting of messages is an important concept in pEp.
* On a transport which supports structured messages and an
extensible schema, an encoding for wrapping messages MUST be
defined.
* On a transport which supports message types and new message types
can be allocated, a message type and an coding for a pEp message
MUST be provided.
See {{message-encoding-and-decoding}} for more technical
specification.
\[\[ **TODO**: add a paragraph about wrapping when a final public key
is not known \]\]
## Information Base Synchronization
While the pEp protocol is applied to incoming and outcoing messages,
information is accumulated which will enhance the future
qualification of trust and increase the protection of messages.
Cryptographic details, connected transports and applications, trust
and mistrust input form the user, and the address book is among the
information collected.
For the user experience across the data terminal equipment (e.g.
MUAs) to remain consistent, Synchronization of these properties is
necessary.
### Device Groups
\[\[TODO\]\]
### Private Keys
\[\[TODO\]\]
### Public Keys and Trust Records
\[\[TODO\]\]
## Interface to Cryptographic Services
pEp in itself does not introduce a new cryptographic service. It
requires the transport to have default encryption services and
standards for encoding and decoding such messages. pEp defines an
interface which must be implemented by the transport's cryptographic
service. One transport MAY have multiple cryptographic services.
pEp requires access
* to the public key
* to the fingerprint
* the ciphersuite in use for a message
* the list of private keys
* encryption and decryption function
* signature and verification function
pEp must also be able to
* create a new key pair
* revoke a key pair
* import private keys
<!-- NOTE: a system architecture design comment __
- export private keys
The requirement "export a private key" would be VERY limiting. PKCS
#11 (OASIS Standard) is important here. - People want private keys to
be managed by secure elements, and their main job is to NOT hand out
the private key. Instead, what is often possible is to bring two such
secure elements "in touch", and obtain a "transport cetificate" from
the receiving one, hand it to the sending one, and if the sending one
validates it, it will hand out the private key encrypted to the
transport certificate. - This is not too dissimilar on what we do
with keysync. Making this requirement "functional" instead of
"procedural", gives us more room to integrate with existing crypto
services. -->
* transfer a private key to a remote key store
## Message Encoding and Decoding
If a transport already has a facility to use end-to-end keys (and the
transport is generally considered integral), pEp should convert and
install the "own" key.<!-- CL: reuse of keys is bad practice -->
\[\[ **TODO**: we have a problem here: we don't always hold the
private key in a file. \]\]
The trust rating of a transport depends on the protocol, and an
ongoing analysis of the general community. \[\[ **TODO**: Online
registry ahead? \]\]
Whenever the transport of a message is not sufficiently rated
trustworthy, pEp will engage the handshake protocol, and eventually
protect messages cryptographically by wrapping them.
Three wrapping types exist in pEp, and must be defined by the
transport implementation:
1. wrapping a cleartext message in a frame message, to be
cryptographically protected
0. wrapping a cryptographically protected frame message, to obtain a
transport message
0. wrapping a transport message in a frame message, to be
cryptographically protected
## Trust Reflection
### Key
A key is an OpenPGP-compatible asymmetric key pair. Other formats and
temporary symmetrical keys can be generated by Key Mapping.
A key is an<!-- OpenPGP-compatible --> asymmetric cryptographic key
pair.
Keys in pEp are identified by the full fingerprint (fpr) of the
public key. The fingerprint is to be obtained from the specific
cryptographic service used to handle the keys. The canonical
representation in pEp is upper-case hexadecimal with zero-padding and
no separators or spaces.
In some cryptographic services the key is stored in a certificate,
which encodes additional information collected from third-parties,
like signatures from certificate authorities or attestations from
identity systems. E.g. in OpenPGP, keys are analogous to certificates
and contain (non-local) third-party signatures, if not carefully
stripped.
When keys are to be distributed via the pEp protocols to other
correspondents, all third-party signatures and all metadata which is
not required to prove possession of the private key, MUST be stripped
from the copy which is being transferred. The key basically is to be
reduced to a self-signed key only. Note that the same limitation does
not apply for the purpose of keysync among an established device
group.
\[\[ **TODO**: must probably intro certificate-signing-requests here
\]\]
The same asymmetric keys MAY be reused with different cryptographic
services<!-- cryptotech -->. Converted copies of the original key MAY
be generated, stored and distributed.
\[\[ **TODO**: CL: Whenever possible, this SHOULD++ be avoided.
Instead new keys SHOULD be generated, and a proof of holding both
keys should be sent to the peers which extend the trust according to
their estimate of the hardness of the new crypto. Otherwise the keys
weaken by the sum of bugs in all crypto services used concurrently.
\]\]
Temporary symmetric keys (secrets), for example channel session keys,
may be obtained or generated and mapped to a key (Key Mapping).
#### Keygrip
\[\[ **TODO**: \]\]
Given that we envision to reuse keys across protocols, we should
study the Keygrip further (or do we use it already?)
\[2\] The keygrip is a unique identifier for a key pair, it is
independent of any protocol, so that the same key can be used with
different protocols. PKCS-15 calls this a subjectKeyHash; it can be
calculated using Libgcrypt's gcry_pk_get_keygrip ().
\[\[ **TODO**: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/keyformat.txt;h=42c4b1f06faf1bbe71ffadc2fee0fad6bec91a97;hb=refs/heads/master \]\]
Keys in pEp are identified by the full fingerprint (fpr) of the public key.
### User
<!-- \[\[ TODO: user or person? KB: User. Person is an internal DB term. \]\] -->
\[\[ TODO: user or person? KB: User. Person is an internal DB term.
\]\]
An user is a supposed distinct physical person or a supposed uniform
group of people eventually participating in a conversation, i.e.
sending and receiving messages. The attribution depends on the
knowledge and pint-of-view of the participant, and may differ among
participants of the same conversaion.
A user is a real world human being or a group of human beings. If it is a
single human being, it can be called person.
A user is locally represented by just a user ID (user_id), which MUST
NOT be disclosed to other participants. The user_id MUST be an unique
string, it MAY be an arbitrary unique string, e.g. a pointer or
foreign primary key into a contacts management application. In lack
of a better source, it SHOULD be a UUID.
A user is identified by a user ID (user_id). The user_id SHOULD be a UUID, it
MAY be an arbitrary unique string.
No constrain on the user_id exists for the local pEp user itself. In
lack of a better user_id for the local user, instead of an UUID, the
user_id SHOULD be "pEp_own_userId" (without the quotes).
The own user can have a user_id like all other users. If it doesn't, then it
has PEP_OWN_USERID "pEp_own_userId" as user_id.
A user can have a default key. (cf. {{key}})
#### User's Default Key
Any user can be optionally assigned a default key (cf. {{key}}).
<!-- Multiple default keys per crypto type -->
TODO: A different default key can be assigned to each cryptographic
system supported, e.g. a default key for ECDSA, one for ED25519, and
one for RSA.
A default key which is considered weak MUST be ignored.
A default key MUST otherwiese override any automatically elected key.
Keys wich are generated automatically by pEp to bootstrap the
protocol MUST NOT be set as default key automatically.
### Identity
An identity is a (possibly pseudonymous) representation of a user
encapsulating how this user appears in the network.
While the User's user_id is an element for matching the messages to
correspondents only in the local context and is not to be disclosed,
Identities are those elements signalled between correspondents and
potentially encoded with the message (connection oriented transports
may not do this, but routing oriented transports require this
information).
An identity is a label (possibly a pseudonymous) notified by a
sender. Multiple correspondents may use the same label, such that
there is generally no one-to-one mapping from an identity to an user.
Matching of users is possible in the context of a message. There are
three properties considered:
* is the address known
* are the users related to the address trusted
* \[\[ **TODO** \]\]
An identity is defined as a mapping of a user_id to an address (cf.
{{address}}). If no user_id is known at the time of processing an
address, the Identity has to be appropriately guessed. Guessing
depends on context, and may involve querying a local contact list
manager.
An identity is defined by the mapping of user_id to address.
If no user_id is known, it is guessed by mapping of username and
address.
\[\[ **TODO**: add an exhaustive intro/teaser why we need contact
list integration to perform well. \]\]
An identity can have a temporary user_id as a placeholder until a
An Identity can have a temporary user_id as a placeholder until a
real user_id is known.
An identity can have a default key. (cf. {{key}})
\[\[ **TODO**: should such a temporary user_id be exclusive to this
Identity, should it be "garbage collected", should it be available to
match with other Identities... lots of questions about the
referencial DB / OO model here. \]\]
An Identity can have a default key (cf. {{key}}). When both an
Identity and the related User have a default key set, the Identity's
default key MUST override the User's default key.
\[\[ Note: This is the reason why in current pEp implementations for
each (email) account a different key pair is created, which allows a
user to retain different identities. \]\]
\[\[ **TODO**: see User's Default Key for copy+pasta MUST/SHOULD here\]\]
In {{pep-identity}} you can find how a pEp identity is defined in
the reference implementation of the pEp Engine.
\[\[ **NOTE**: This is the reason why in current pEp implementations
for each (email) account a different key pair is created, which
allows a user to retain different identities. \]\]
In {{pep-identity}} you can find how a pEp identity is defined in the
reference implementation of the pEp Engine.
### Alias
\[\[TODO\]\]
### Address
<!--
Original:
An address is a network address, e.g., an SMTP address or another URI.
\[\[ Note: It might be necessary to introduce further addressing schemes
through IETF contributions or IANA registrations, e.g., implementing pEp
to bridge to popular messaging services with no URIs defined. \]\]
The problem with this definition is that: - it is not "functional",
so it assumes there is a solid static address out there in every type
of network/channel. - it leads to assume that an incoming message may
usually be labeled with a source address, which is a strong
requirement. -->
An address is a resource identifier which can be associated to a
network interface, and which the network interface can use to send a
message to a correspondent. It is either an SMTP address or an URI.
\[\[ **TODO**: what about channels which don't tell us where a
message comes from? \]\]
\[\[ **TODO**: question will arise: why not use mailto:// for SMTP
address ? \]\]
\[\[ **NOTE**: It might be necessary to introduce further addressing
schemes through IETF contributions or IANA registrations, e.g.,
implementing pEp to bridge to popular messaging services with no URIs
defined. \]\]
## Transports and Transport Selection
Applications implementing the pEp protocol SHOULD subsidiarily offer
their transport service for use by other applications. pEp will
automatically prefer Transports with higher privacy or security
properties.
Messages are addressed to identities; and identities are supposed at
a number of network addresses. Upon sending, network addresses are
translated to a transport selection and the establishment of a
channel; the message is then encoded specifically for the transport,
and eventually tagged as a pEp message.
A transport MAY be realized over an object store to which the
participants have shared access.
In particular, for exchanging sync messages between the users own
devices, one or more object store per identity, and one ore more
identities per object store may be used to relay the messages. A
common example of such an object store is an IMAP Mailbox.
<!-- the sync protocol MUST run independent instances for each identity, for not leaking information over a disjoint subset of shared mailboxes -->
Other than a shared object store or, more generally, a shared
database, the following integration patterns may be encountered:
* message queues, eventually supporting point-to-point (unicast),
multipoint (multicast), one-to-all (broadcast) delivery, with
address-sharing (load-balancing at receiver or sender side) and
depending on the topology and address as a context (anycast).
* file passing (e.g. key import)
* remote procedure calling (RPC)
Note that integration patters are a functional model; and for any
transport natively designed to best suit one of them, there exist
concepts to adapt software written for another one. Some functional
guarantees are usually not maintained through such a layer of
virtualization. pEp tries to predict the conservation of privacy
across such layers of virtualization.
## Qualified Electronic Signatures
pEp uses cryptographic services to establish end-to-end transport
security. The original message is transported unmodified, provided
that message wrapping is used, so that additional features applied on
the original message remain undamaged. The encryption and signature
applied by pEp are discarded upon reception of the protected message.
pEp signatures thus have no utility as a "qualified electronic
signature" to later prove the authenticity of a message. This
function must be provided by other means.
* pEp User Agents MUST discard the signature and encryption of a
protected message upon receipt, and eventually replace it with an
"own" signature and encryption for the purpose of storing the
message.
* A symmetric key (session key) previously used to protect the
message in transit MAY be reused, to avoid re-encrypting large
quantities of data.<!-- double-check that -->
* Qualified electronic signatures MUST be applied prior to
protecting messages with pEp
* The application of qualified electronic signatures MUST preceed
the message processing through pEp, and the verification MUST be
following the processing through pEp.
## Message Archiving and Journaling
\[\[ **TODO**: say more on archival/journal. \]\]
## Example: Difference between pEp and OpenPGP
|pEp | OpenPGP | Comments |
|:------------------|:-------------|:--------------------------------------|
|user_id | (no concept) | ID for a person, i.e. a contact |
|username + address | uid | comparable only for email |
|fpr | fingerprint | used as key ID in pEp |
|(no concept) | Key ID | does not exist in pEp |
<!--
## Formats
## Other specifics...
-->
# Key Management
@ -430,7 +1135,7 @@ stored in centralized remote locations. This applies even for key
storages where the private keys are protected with sufficiently long
passphrases. It is considered a violation of pEp's P2P design
principle to rely on centralized infrastructures
(cf. {{peer-to-peer-p2p}}). This also applies for pEp implementations
(cf. {{peer-to-peer}}). This also applies for pEp implementations
created for applications not residing on a user's device (e.g.,
web-based MUAs). In such cases, pEp implementations MUST be done in a
way such that the locally-held private key can neither be directly accessed

Write Preview
Loading…
Cancel
Save