idnits 2.17.00 (12 Aug 2021)
/tmp/idnits44820/draft-ietf-lamps-header-protection-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------
     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------
     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------
     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------
  == The copyright year in the IETF Trust and authors Copyright Line does not match the current year
  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list.
  -- The document date (November 02, 2020) is 565 days in the past. Is this intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------
     (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
  == Missing Reference: 'DKG' is mentioned on line 1159, but not defined
  == Missing Reference: 'HB' is mentioned on line 1177, but not defined
  == Outdated reference: A later version (-01) exists of draft-dkg-lamps-e2e-mail-guidance-00
  ** Downref: Normative reference to an Informational draft: draft-dkg-lamps-e2e-mail-guidance (ref. 'I-D.dkg-lamps-e2e-mail-guidance')
  ** Downref: Normative reference to an Informational draft: draft-ietf-lamps-header-protection-requirements (ref. 'I-D.ietf-lamps-header-protection-requirements')
  == Outdated reference: A later version (-01) exists of draft-pep-email-00

     Summary: 2 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--).
     Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

LAMPS Working Group                                         B. Hoeneisen
Internet-Draft                                            pEp Foundation
Intended status: Standards Track                              D. Gillmor
Expires: May 6, 2021                      American Civil Liberties Union
                                                             A. Melnikov
                                                               Isode Ltd
                                                       November 02, 2020

                      Header Protection for S/MIME
                draft-ietf-lamps-header-protection-01

Abstract

   S/MIME version 3.1 has introduced a feasible standardized option to accomplish Header Protection.  However, implementations of Header Protection can cause rendering issues on the receiving side.  Clearer specifications regarding message processing, particularly with respect to header sections, are needed in order to resolve these rendering issues.

   In order to help implementers to correctly compose and render email messages with Header Protection, this document updates S/MIME Header Protection specifications with additional guidance on MIME format, sender and receiver processing.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 6, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Other Protocols to Protect Email Headers
     1.2.  Requirements Language
     1.3.  Terms
   2.  Problem Statement
     2.1.  Privacy
     2.2.  Security
     2.3.  Usability
     2.4.  Interoperability
   3.  Use Cases
     3.1.  Interactions
       3.1.1.  Main Use Case
       3.1.2.  Backward Compatibility Use Cases
     3.2.  Protection Levels
       3.2.1.  In-Scope
       3.2.2.  Out-of-Scope
   4.  Specification
     4.1.  Main Use Case
       4.1.1.  MIME Format
       4.1.2.  Sending Side
       4.1.3.  Receiving Side
     4.2.  Backward Compatibility Use Cases
       4.2.1.  Receiving Side MIME-Conformant
       4.2.2.  Receiving Side Not MIME-Conformant
   5.  Security Considerations
   6.  Privacy Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Additional information
     A.1.  Stored Variants of Messages with Bcc
   Appendix B.  Text Moved from Above
     B.1.  MIME Format
       B.1.1.  S/MIME Specification
   Appendix C.  Document Changelog
   Appendix D.  Open Issues
   Authors' Addresses

1.  Introduction

   Privacy and security issues regarding email Header Protection in S/MIME have been identified for some time.  Most current implementations of cryptographically-protected electronic mail protect only the body of the message, which leaves significant room for attacks against otherwise-protected messages.  For example, lack of header protection allows an attacker to substitute the message subject and/or author.

   A way to provide end-to-end protection for the Header Section of an email message has been standardized for S/MIME version 3.1 and later (cf. [RFC8551]):

      In order to protect outer, non-content-related message header fields (for instance, the "Subject", "To", "From", and "Cc" fields), the sending client MAY wrap a full MIME message in a message/RFC822 wrapper in order to apply S/MIME security services to these header fields.

   Unfortunately, implementations of Header Protection can cause rendering issues on the receiving side.  In some cases, the user sees an attachment suggesting a forwarded email message, which - in fact - contains the protected email message that should be rendered directly.  For these cases, the user can click on the attachment to view the protected message.  However, there have also been reports of email clients displaying garbled text, or sometimes nothing at all.  In those cases the email clients on the receiving side are (most likely) not fully MIME-capable.

   The following shortcomings have been identified to cause these issues:

   o  Broken or incomplete implementations

   o  Lack of a simple means to distinguish "forwarded message" and "wrapped message" (for the sake of Header Protection)

   o  Not enough guidance with respect to handling of Header Fields on both the sending and the receiving side

   Furthermore, the need for (technical) Data Minimization, which includes data sparseness and hiding all technically concealable information, has grown in importance over the past several years.  In addition, backwards compatibility must be considered when it is possible to do so without compromising privacy and security.

   No mechanism for Header Protection has been standardized for PGP/MIME (Pretty Good Privacy) [RFC3156] yet.  PGP/MIME developers have implemented ad-hoc header-protection, and would like to see a specification that is applicable to both S/MIME and PGP/MIME.
   This document describes the problem statement (Section 2), generic use cases (Section 3) and the specification for Header Protection (Section 4) with guidance on MIME format, sender and receiver processing.

   [I-D.ietf-lamps-header-protection-requirements] defines the requirements that this specification is based on.

   This document is in an early draft state and contains a proposal on which to base future discussions of this topic.  In any case, the final mechanism is to be determined by the IETF LAMPS WG.

1.1.  Other Protocols to Protect Email Headers

   A range of protocols for the protection of electronic mail (email) exists, which allow one to assess the authenticity and integrity of the email header section or selected Header Fields from the domain-level perspective, specifically DomainKeys Identified Mail (DKIM) [RFC6376], as used by Domain-based Message Authentication, Reporting, and Conformance (DMARC) [RFC7489].  These protocols provide a domain-based reputation mechanism that can be used to mitigate some forms of unsolicited email (spam).  At the same time, these protocols can provide a level of cryptographic integrity and authenticity for some headers, depending on how they are used.  However, integrity protection and proof of authenticity are both tied to the domain name of the sending e-mail address, not the sending address itself, so these protocols do not provide end-to-end protection, and are incapable of providing any form of confidentiality.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

1.3.  Terms

   The following terms are defined for the scope of this document:

   o  Man-in-the-middle (MITM) attack: cf. [RFC4949], which states: "A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association."

      Note: Historically, MITM has stood for '_Man_-in-the-middle'.  However, to indicate that the entity in the middle is not always a human attacker, MITM can also stand for 'Machine-in-the-middle' or 'Meddler-in-the-middle'.

   o  S/MIME: Secure/Multipurpose Internet Mail Extensions (cf. [RFC8551])

   o  PGP/MIME: MIME Security with OpenPGP (cf. [RFC3156])

   o  Message: An Email Message consisting of Header Fields (collectively called "the Header Section of the message") followed, optionally, by a Body; cf. [RFC5322].

      Note: To avoid ambiguity, this document does not use the terms "Header" or "Headers" in isolation, but instead always uses "Header Field" to refer to the individual field and "Header Section" to refer to the entire collection; cf. [RFC5322].

   o  Header Field (HF): cf. [RFC5322].  Header Fields are lines beginning with a field name, followed by a colon (":"), followed by a field body (value), and terminated by CRLF.

   o  Header Section (HS): The Header Section is a sequence of lines of characters with special syntax as defined in [RFC5322].  It is the (top) section of a Message containing the Header Fields.

   o  Body: The Body is simply a sequence of bytes that follows the Header Section and is separated from the Header Section by an empty line (i.e., a line with nothing preceding the CRLF); cf. [RFC5322].  It is the (bottom) section of a Message containing the payload of a Message.  Typically, the Body consists of a (possibly multipart) MIME [RFC2045] construct.

   o  MIME Header Fields: Header Fields describing the content of a MIME entity [RFC2045], in particular the MIME structure.  Each MIME Header Field name starts with the "Content-" prefix.
   o  MIME Header Section (part): The collection of MIME Header Fields.  "MIME Header Section" refers to a Header Section that contains only MIME Header Fields, whereas "MIME Header Section part" refers to the MIME Header Fields of a Header Section that - in addition to MIME Header Fields - also contains non-MIME Header Fields.

   o  Essential Header Fields (EHF): The minimum set of Header Fields an Outer Message Header Section SHOULD contain; cf. Section 4.1.2.4.

   o  Header Protection (HP): cryptographic protection of email Header Sections (or parts of them) for signatures and/or encryption

   o  Protection Levels (PL): The level of protection applied to a Message, e.g. 'signature and encryption' or 'signature only' (cf. Section 3.2).

   o  Protected: Portions of a message that have had any Protection Levels applied.

   o  Protected Message: A Message that has had any Protection Levels applied.

   o  Unprotected: Portions of a Message that have had no Protection Levels applied.

   o  Unprotected Message: A Message that has had no Protection Levels applied.

   o  Submission Entity: The entity which executes further processing of the Message (incl. transport towards the receiver), after protection measures have been applied to the Message.

      Note: The Submission Entity varies among implementations, mainly depending on the stage where protection measures are applied: E.g. a Message Submission Agent (MSA) [RFC6409] or another (proprietary) solution.  The latter is particularly relevant if protection is implemented as a plugin solution.  Some implementations may determine the destination recipients by reading the To, Cc and Bcc Header Fields of the Outer Message.

   o  Original Message (OrigM): The Message to be protected before any protection-related processing has been applied on the sending side.  If the source is not a "message/rfc822" Message, OrigM is defined as the "virtual" Message that would be constructed for sending it as unprotected email.

   o  Inner Message (InnerM): The Message to be protected which has had wrapping and protection measures applied on the sending side OR the resulting Message once decryption and unwrapping on the receiving side has been performed.  Typically, the Inner Message is in clear text.  The Inner Message is a subset of (or the same as) the Original Message (cf. Section 4.1.2.1).  The Inner Message must be the same on the sending and the receiving side.

   o  Outer Message (OuterM): The Message as provided to the Submission Entity or received from the last hop respectively.  The Outer Message normally differs on the sending and the receiving side (e.g. new Header Fields are added by intermediary nodes).

   o  Receiving User Facing Message (RUFM): The Message used for rendering at the receiving side.  Typically this is the same as the Inner Message.

   o  Data Minimization: Data sparseness and hiding of all technically concealable information whenever possible.

   o  Cryptographic Layer, Cryptographic Payload, and Cryptographic Envelope are all used as defined in [I-D.dkg-lamps-e2e-mail-guidance]

2.  Problem Statement

   The LAMPS charter contains the following Work Item:

      Update the specification for the cryptographic protection of email headers - both for signatures and encryption - to improve the implementation situation with respect to privacy, security, usability and interoperability in cryptographically-protected electronic mail.  Most current implementations of cryptographically-protected electronic mail protect only the body of the message, which leaves significant room for attacks against otherwise-protected messages.
   The following is a set of challenges to be addressed:

   [[ TODO: Enhance this section, add more items to the following. ]]

2.1.  Privacy

   o  (Technical) Data Minimization, which includes data sparseness and hiding all technically concealable information whenever possible

2.2.  Security

   o  Prevent MITM attacks (cf. [RFC4949])

2.3.  Usability

   o  Improved User interaction / User experience, in particular at the receiving side

2.4.  Interoperability

   o  Interoperability with [RFC8551] implementations

3.  Use Cases

   In the following, the reader can find a list of the generic use cases that need to be addressed for Messages with Header Protection (HP).  These use cases apply regardless of the technology (S/MIME, PGP/MIME, etc.) used to achieve HP.

3.1.  Interactions

   The following use cases assume that at least the sending side supports Header Protection as specified in this document.  Receiving sides that support this specification are expected to be able to distinguish between Messages that use Header Protection as specified in this document, and (legacy) Mail User Agents (MUAs) which do not implement this specification.

   [[ TODO: Verify once solution is stable and update last sentence. ]]

3.1.1.  Main Use Case

   Both the sending and receiving side (fully) support Header Protection as specified in this document.

   The main use case is specified in Section 4.1.

3.1.2.  Backward Compatibility Use Cases

   Regarding backward compatibility, the main distinction is based on whether or not the receiving side conforms to MIME according to [RFC2046], ff., which in particular also includes Section 2 of [RFC2049] on "MIME Conformance".  The following excerpt is contextually relevant:

      A mail user agent that is MIME-conformant MUST:

      [...]

      -- Recognize and display at least the RFC822 message encapsulation (message/rfc822) in such a way as to preserve any recursive structure, that is, displaying or offering to display the encapsulated data in accordance with its media type.

      -- Treat any unrecognized subtypes as if they were "application/octet-stream".

      [...]

      An MUA that meets the above conditions is said to be MIME-conformant.  A MIME-conformant MUA is assumed to be "safe" to send virtually any kind of properly-marked data to users of such mail systems, because these systems are, at a minimum, capable of treating the data as undifferentiated binary, and will not simply splash it onto the screen of unsuspecting users.

   [[ TODO: The compatibility of legacy HP systems with this new solution, and how to handle issues surrounding future maintenance for these legacy systems, will be decided by the LAMPS WG. ]]

3.1.2.1.  Receiving Side MIME-Conformant

   The sending side (fully) supports Header Protection as specified in this document, while the receiving side does not support this specification.  However, the receiving side is MIME-conformant according to [RFC2045], ff. (cf. Section 3.1.2).

   This use case is specified in Section 4.2.1.

   Note: This case should perform as expected if the sending side applies this specification as outlined in Section 4.1.

   [[ TODO: Verify once solution is stable and update last sentence. ]]

3.1.2.2.  Receiving Side Not MIME-Conformant

   The sending side (fully) supports Header Protection as specified in this document, while the receiving side does not support this specification.  Furthermore, the receiving side is *not* MIME-conformant according to [RFC2045], ff. (cf. Section 3.1.2).

   This use case is specified in Section 4.2.2.

3.2.  Protection Levels

3.2.1.  In-Scope

   The following Protection Levels are in scope for this document:

   a) Signature and encryption

      Messages containing a cryptographic signature, which are also encrypted.

   b) Signature only

      Messages containing a cryptographic signature, but which are not encrypted.

3.2.2.  Out-of-Scope

   Legacy implementations, implementations not (fully) compliant with this document or corner-cases may lead to further Protection Levels appearing on the receiving side, such as (list not exhaustive):

   o  Triple wrap

   o  Encryption only

   o  Encryption before signature

   o  Signature and encryption, but:

      *  Signature fails to validate

      *  Signature validates but the signing certificate is revoked

   o  Signature only, but:

      *  with multiple valid signatures, layered atop each other

   These Protection Levels, as well as any further Protection Levels not listed in Section 3.2.1, are beyond the scope of this document.

4.  Specification

   This section contains the specification for Header Protection in S/MIME to update and clarify Section 3.1 of [RFC8551] (S/MIME 4.0).

   Note: It is likely that PGP/MIME [RFC3156] will also incorporate this specification or parts of it.

   This specification applies to the Protection Levels "signature & encryption" and "signature only" (cf. Section 3.2):

   Sending and receiving sides MUST implement the "signature and encryption" Protection Level, which SHOULD be used as default on the sending side.

   Certain implementations may decide to send "signature only" Messages, depending on the circumstances and customer requirements.  Sending sides MAY and receiving sides MUST implement the "signature only" Protection Level.

   It generally is NOT RECOMMENDED to send a Message with any other Protection Level.  On the other hand, the receiving side must be prepared to receive Messages with other Protection Levels.
   [[ TODO: Further study is necessary to determine whether - and if yes to what extent - additional guidance for handling messages with other Protection Levels, e.g. "encryption only" at the receiving side should be included in this document. ]]

4.1.  Main Use Case

   This section applies to the main use case, where the sending and receiving side (fully) support Header Protection as specified herein (cf. Section 3.1.1).

   Note: The sending side specification of the main use case is also applicable to the cases where the sending side (fully) supports Header Protection as specified herein, while the receiving side does not, but is MIME-conformant according to [RFC2045], ff. (cf. Section 3.1.2 and Section 3.1.2.1).

   Further backward compatibility cases are defined in Section 4.2.

4.1.1.  MIME Format

4.1.1.1.  Introduction

   As per S/MIME version 3.1 and later (cf. [RFC8551]), the sending client MAY wrap a full MIME message in a message/RFC822 wrapper in order to apply S/MIME security services to these header fields.

   To help the receiving side to distinguish between a forwarded and a wrapped message, the Content-Type header field parameter "forwarded" is added as defined in [I-D.melnikov-iana-reg-forwarded].

   The simplified (cryptographic overhead not shown) MIME structure of such an Email Message looks as follows:

      [structure figure not preserved in this copy]

   The following example demonstrates how an Original Message might be protected, i.e., the Original Message is contained as Inner Message in the Protected Body of an Outer Message.  It illustrates the first Body part (of the Outer Message) as a "multipart/signed" (application/pkcs7-signature) media type:

   Lines are prepended as follows:

   o  "O: " Outer Message Header Section

   o  "I: " Inner Message Header Section

   o  "W: " Wrapper (MIME Header Section)

   O: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
   O: Message-ID:
   O: Subject: Meeting at my place
   O: From: "Alexey Melnikov"
   O: To: somebody@example.net
   O: MIME-Version: 1.0
   O: Content-Type: multipart/signed; charset=us-ascii; micalg=sha1;
   O:     protocol="application/pkcs7-signature";
   O:     boundary=boundary-AM

   This is a multipart message in MIME format.
   --boundary-AM
   W: Content-Type: message/RFC822; forwarded=no
   W:
   I: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
   I: From: "Alexey Melnikov"
   I: Message-ID:
   I: MIME-Version: 1.0
   I: MMHS-Primary-Precedence: 3
   I: Subject: Meeting at my place
   I: To: somebody@example.net
   I: X-Mailer: Isode Harrier Web Server
   I: Content-Type: text/plain; charset=us-ascii

   This is an important message that I don't want to be modified.

   --boundary-AM
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature

   [[base-64 encoded signature]]

   --boundary-AM--

   The Outer Message Header Section is unprotected, while the remainder (Outer Message Body) is protected.  The Outer Message Body consists of the wrapper (MIME Header Section) and the Inner Message (Header Section and Body).

   The wrapper is a simple MIME Header Section with media type "message/rfc822" containing a Content-Type header field parameter "forwarded=no" followed by an empty line.

   If the source is an Original (message/rfc822) Message, the Inner Message Header Section is typically the same as (or a subset of) the Original Message Header Section (cf. Section 4.1.2.1), and the Inner Message Body is typically the same as the Original Message Body.

   The Inner Message itself may contain any MIME structure.

   Note: It is still to be decided by the LAMPS WG whether or not to recommend an alternative MIME format as described in Appendix B.1.1.1 (instead of the currently standardized and above defined format).

4.1.2.  Sending Side

   To ease explanation, the following describes the case where an Original (message/rfc822) Message to be protected is present.  If this is not the case, Original Message means the (virtual) Message that would be constructed for sending it as unprotected email.

4.1.2.1.  Inner Message Header Fields

   It is RECOMMENDED that the Inner Message contains all Header Fields of the Original Message with the exception of the following Header Field, which MUST NOT be included within the Inner Message nor within any other protected part of the Message:

   o  Bcc

   [[ TODO: Bcc handling needs to be further specified (see also Appendix A.1).  Certain MUAs cannot properly decrypt Messages with Bcc recipients. ]]

4.1.2.2.  Wrapper

   The wrapper is a simple MIME Header Section followed by an empty line preceding the Inner Message (inside the Outer Message Body).  The media type of the wrapper MUST be "message/RFC822" and MUST contain the Content-Type header field parameter "forwarded=no" as defined in [I-D.melnikov-iana-reg-forwarded].  The wrapper unambiguously delimits the Inner Message from the rest of the Message.

4.1.2.3.  Cryptographic Layers / Envelope

   [[ TODO: Basically refer to S/MIME standards ]]

4.1.2.4.  Outer Message Header Fields

4.1.2.4.1.  Encrypted Messages

   To maximize Privacy, it is strongly RECOMMENDED to follow the principle of Data Minimization (cf. Section 2.1).
   However, the Outer Message Header Section SHOULD contain the Essential Header Fields and, in addition, MUST contain the Header Fields of the MIME Header Section part to describe the Cryptographic Layer of the protected MIME subtree as per [RFC8551].

   The following Header Fields are defined as the Essential Header Fields:

   o  From

   o  To (if present in the Original Message)

   o  Cc (if present in the Original Message)

   o  Bcc (if present in the Original Message, see also Section 4.1.2.1 and Appendix A.1)

   o  Date

   o  Message-ID

   o  Subject

   Further processing by the Submission Entity normally depends on part of these Header Fields, e.g. the From and Date HFs are required by [RFC5322].  Furthermore, not including certain Header Fields may trigger spam detection to flag the Message, and/or lead to user experience (UX) issues.

   For further Data Minimization, the value of the Subject Header Field SHOULD be obfuscated as follows:

      Subject: [...]

   and it is RECOMMENDED to replace the Message-ID by a new randomly generated Message-ID.

   In addition, the value of other Essential Header Fields MAY be obfuscated.

   Non-Essential Header Fields SHOULD be omitted from the Outer Message Header Section where possible.  If Non-Essential Header Fields are included in the Outer Message Header Section, those MAY be obfuscated too.

   Header Fields that are not obfuscated should contain the same values as in the Original Message.

   If an implementation obfuscates the From, To, and/or Cc Header Fields, it may need to provide access to the clear text content of these Header Fields to the Submission Entity for processing purposes.  This is particularly relevant if proprietary Submission Entities are used.  Obfuscation of Header Fields may adversely impact spam filtering.
695 (A use case for obfuscation of all Outer Message Header Fields is 696 routing email through the use of onion routing or mix networks, e.g. 697 [pEp.mixnet].) 699 The MIME Header Section part is the collection of MIME Header Fields 700 describing the following MIME structure as defined in [RFC2045]. A 701 MIME Header Section part typically includes the following Header 702 Fields: 704 o Content-Type 706 o Content-Transfer-Encoding 708 o Content-Disposition 710 The following example shows the MIME Header Section part of an S/MIME 711 signed Message (using application/pkcs7-mime with SignedData): 713 MIME-Version: 1.0 714 Content-Type: application/pkcs7-mime; smime-type=signed-data; 715 name=smime.p7m 716 Content-Transfer-Encoding: base64 717 Content-Disposition: attachment; filename=smime.p7m 719 Depending on the scenario, further Header Fields MAY be exposed in 720 the Outer Message Header Section, which is NOT RECOMMENDED unless 721 justified. Such Header Fields may include e.g.: 723 o References 725 o Reply-To 727 o In-Reply-To 729 4.1.2.4.2. Unencrypted Messages 731 The Outer Message Header Section of unencrypted Messages SHOULD 732 contain at least the Essential Header Fields and, in addition, MUST 733 contain the Header Fields of the MIME Header Section part to describe 734 Cryptographic Layer of the protected MIME subtree as per [RFC8551]. 735 It may contain further Header Fields, in particular those also 736 present in the Inner Message Header Section. 738 4.1.2.5. Sending Side Message Processing 740 For a protected Message the following steps are applied before a 741 Message is handed over to the Submission Entity: 743 4.1.2.5.1. Step 1: Decide on Protection Level and Information 744 Disclosure 746 The implementation which applies protection to a Message must decide: 748 o Which Protection Level (signature and/or encryption) shall be 749 applied to the Message? 
      This depends on user request and/or local policy as well as the availability of cryptographic keys.

   o  Which Header Fields of the Original Message shall be part of the Outer Message Header Section? This typically depends on local policy. By default, the Essential Header Fields are part of the Outer Message Header Section; cf. Section 4.1.2.4.

   o  Which of these Header Fields are to be obfuscated? This depends on local policy and/or specific Privacy requirements of the user. By default only the Subject Header Field is obfuscated and the Message-ID is replaced by a newly generated one; cf. Section 4.1.2.4.

4.1.2.5.2.  Step 2: Compose the Outer Message Header Section

Depending on the decisions in Section 4.1.2.5.1, the implementation shall compose the Outer Message Header Section. (Note that this also includes the necessary MIME Header Section part for the following protection layer.)

Outer Header Fields that are not obfuscated should contain the same values as in the Original Message (except for the MIME Header Section part, which depends on the Protection Level selected in Section 4.1.2.5.1).

4.1.2.5.3.  Step 3: Apply Protection to the Original Message

Depending on the Protection Level selected in Section 4.1.2.5.1, the implementation applies signature and/or encryption to the Original Message, including the wrapper (as per [RFC8551]), and sets the resulting package as the Outer Message Body.

The resulting (Outer) Message is then typically handed over to the Submission Entity.

[[ TODO: Example ]]

4.1.3.  Receiving Side

4.1.3.1.  Receiving User Facing Message Header Fields

The Receiving User Facing Message SHOULD be a verbatim copy of the Inner Message.

4.1.3.2.  Receiving Side Message Processing

When a protected Message is received, the following steps are applied:

4.1.3.2.1.
Step 1: Decrypt Message and/or check signature

Depending on the Protection Level, the received Message is decrypted and/or its signature is checked as per [RFC8551].

4.1.3.2.2.  Step 2: Construct the Receiving User Facing Message

The Receiving User Facing Message is constructed according to Section 4.1.3.1.

The resulting Message is handed over for further processing, which typically involves rendering it for the user.

4.1.3.3.  Step 3: Prepare Information on Cryptographic Verification

[[ TODO: Signature valid, etc. ]]

4.2.  Backward Compatibility Use Cases

4.2.1.  Receiving Side MIME-Conformant

This section applies to the case where the sending side (fully) supports Header Protection as specified in this document, while the receiving side does not support this specification, but is MIME-conformant according to [RFC2045] ff. (cf. Section 3.1.2 and Section 3.1.2.1).

The sending side specification of the main use case (cf. Section 4.1) MUST ensure that receiving sides can still recognize and display or offer to display the encapsulated data in accordance with its media type (cf. [RFC2049], Section 2). In particular, receiving sides that do not support this specification, but are MIME-conformant according to [RFC2045] ff., can still recognize and display the Message intended for the user.

[[ TODO: Verify once solution is stable and update last sentence. ]]

4.2.2.  Receiving Side Not MIME-Conformant

This section applies to cases where the sending side (fully) supports Header Protection as specified in this document, while the receiving side neither supports this specification *nor* is MIME-conformant according to [RFC2045] ff. (cf. Section 3.1.2 and Section 3.1.2.2).
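The receiving-side Steps 1 and 2 of Section 4.1.3, as an added Python example that is not code from the draft nor from any implementation it cites. It starts where Step 1 ends, i.e. with the Cryptographic Payload (the message/rfc822 wrapper) that decryption and/or signature verification produced; the sample below, including its addresses, identifiers and a deliberately altered outer From, is constructed. Beyond the verbatim copy the draft asks for, it reports which Essential Header Fields of the unprotected Outer Message Header Section disagree with the protected Inner Message, which is the check a client needs before it shows any outer value (for instance in a message list) to the user.

```python
"""Receiving side, Section 4.1.3: from the message/rfc822 wrapper that
Step 1 (decryption and/or signature verification) produced, build the
Receiving User Facing Message as a verbatim copy of the Inner Message and
flag outer Header Fields that disagree with the protected inner ones.
Added example, not code from the draft."""
from email import message_from_string, policy

ESSENTIAL = ("From", "To", "Cc", "Bcc", "Date", "Message-ID", "Subject")

# Constructed sample: Cryptographic Layer already removed.  The outer From
# has deliberately been altered in transit; all addresses are assumptions.
RECEIVED = """\
From: Mallory <mallory@example.com>
To: Bob <bob@example.net>
Date: Mon, 02 Nov 2020 10:00:00 +0000
Message-ID: <outer-7@example.org>
Subject: [...]
MIME-Version: 1.0
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Mon, 02 Nov 2020 10:00:00 +0000
Message-ID: <orig-1@example.org>
Subject: Quarterly numbers
X-Mailer: ExampleMailer/1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

The numbers are in the protected message.
"""


def inner_message(outer):
    """The Inner Message, or None when the Cryptographic Payload is not the
    message/rfc822 wrapper required by RFC 8551, Section 3.1."""
    if outer.get_content_type() != "message/rfc822":
        return None
    payload = outer.get_payload()
    if not isinstance(payload, list) or len(payload) != 1:
        return None
    return payload[0]


def user_facing_message(outer):
    """Step 2 (Section 4.1.3.2.2): a verbatim copy of the Inner Message,
    nothing from the unprotected Outer Message Header Section."""
    inner = inner_message(outer)
    if inner is None:
        raise ValueError("no protected Inner Message found")
    return message_from_string(inner.as_string(), policy=outer.policy)


def header_mismatches(outer, inner):
    """Essential Header Fields whose unprotected outer value differs from the
    protected inner one, excluding the changes Section 4.1.2.4 recommends
    (Subject "[...]", replaced Message-ID).  Anything left is tampering or
    a broken sender and must not be shown as if it were authentic."""
    mismatches = {}
    for name in ESSENTIAL:
        o, i = outer.get(name), inner.get(name)
        if o is None or i is None:     # the outer section may omit fields
            continue
        o, i = str(o), str(i)
        if o == i or name == "Message-ID":
            continue
        if name == "Subject" and o == "[...]":
            continue
        mismatches[name] = (o, i)
    return mismatches


def receive(raw):
    """After Step 1: returns (Receiving User Facing Message, mismatches)."""
    outer = message_from_string(raw, policy=policy.default)
    shown = user_facing_message(outer)
    return shown, header_mismatches(outer, shown)


if __name__ == "__main__":
    shown, bad = receive(RECEIVED)
    print(shown.as_string())
    print("outer Header Fields that disagree with the protected ones:", bad)
```

The protected Inner Message wins in every case; the mismatch list is only for flagging the Message to the user (or to a quarantine rule), never for merging outer values back into what is displayed. A Subject of "[...]" and a different Message-ID are tolerated because Section 4.1.2.4 recommends exactly those changes; a message whose Cryptographic Payload is not the message/rfc822 wrapper is rejected rather than rendered from the outer headers.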
[I-D.autocrypt-lamps-protected-headers] describes a possible way to achieve backward compatibility with existing S/MIME (and PGP/MIME) implementations that predate this specification and are not MIME-conformant (Legacy Display) either. It mainly focuses on email clients that do not render emails which utilize header protection in a user friendly manner, which may confuse the user. While this has been observed occasionally with PGP/MIME (cf. [RFC3156]), the extent of this problem with S/MIME implementations is still unclear. (Note: At this time, none of the samples in [I-D.autocrypt-lamps-protected-headers] apply header protection as specified in Section 3.1 of [RFC8551], which is wrapping as Media Type "message/rfc822".)

Should serious backward compatibility issues with rendering at the receiving side be discovered, the Legacy Display format described in [I-D.autocrypt-lamps-protected-headers] may serve as a basis to mitigate those issues (cf. Section 4.2).

Another variant of backward compatibility has been implemented by pEp [I-D.pep-email], i.e. pEp Email Format 1.0. At this time pEp has implemented this for PGP/MIME, but not yet for S/MIME.

5.  Security Considerations

[[ TODO ]]

6.  Privacy Considerations

[[ TODO ]]

7.  IANA Considerations

This document requests no action from IANA.

[[ RFC Editor: This section may be removed before publication. ]]

8.  Acknowledgments

The authors would like to thank the following people who have provided helpful comments and suggestions for this document: Berna Alp, Claudio Luck, David Wilson, Hernani Marques, juga, Krista Bennett, Kelly Bristol, Lars Rohwedder, Robert Williams, Russ Housley, Sofia Balicka, Steve Kille, Volker Birk, and Wei Chuang.

9.  References

9.1.
Normative References

   [I-D.dkg-lamps-e2e-mail-guidance]
              Gillmor, D., "Guidance on End-to-End E-mail Security", draft-dkg-lamps-e2e-mail-guidance-00 (work in progress), October 2020.

   [I-D.ietf-lamps-header-protection-requirements]
              Melnikov, A. and B. Hoeneisen, "Problem Statement and Requirements for Header Protection", draft-ietf-lamps-header-protection-requirements-01 (work in progress), October 2019.

   [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996.

   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, DOI 10.17487/RFC2046, November 1996.

   [RFC2049]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance Criteria and Examples", RFC 2049, DOI 10.17487/RFC2049, November 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008.

   [RFC8551]  Schaad, J., Ramsdell, B., and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019.

9.2.  Informative References

   [I-D.autocrypt-lamps-protected-headers]
              Einarsson, B., juga, j., and D. Gillmor, "Protected Headers for Cryptographic E-mail", draft-autocrypt-lamps-protected-headers-02 (work in progress), December 2019.

   [I-D.melnikov-iana-reg-forwarded]
              Melnikov, A. and B. Hoeneisen, "IANA Registration of Content-Type Header Field Parameter 'forwarded'", draft-melnikov-iana-reg-forwarded-00 (work in progress), November 2019.
   [I-D.pep-email]
              Marques, H., "pretty Easy privacy (pEp): Email Formats and Protocols", draft-pep-email-00 (work in progress), July 2020.

   [pEp.mixnet]
              pEp Foundation, "Mixnet", June 2020.

   [RFC3156]  Elkins, M., Del Torto, D., Levien, R., and T. Roessler, "MIME Security with OpenPGP", RFC 3156, DOI 10.17487/RFC3156, August 2001.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, September 2011.

   [RFC6409]  Gellens, R. and J. Klensin, "Message Submission for Mail", STD 72, RFC 6409, DOI 10.17487/RFC6409, November 2011.

   [RFC7489]  Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based Message Authentication, Reporting, and Conformance (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015.

Appendix A.  Additional information

A.1.  Stored Variants of Messages with Bcc

Messages containing at least one recipient address in the Bcc header field may appear in up to three different variants:

   1.  The Message for the recipient addresses listed in the To or Cc header fields, which must not include the Bcc header field, neither for signature calculation nor for encryption.

   2.  The Message(s) sent to the recipient addresses in the Bcc header field, which depends on the implementation:

       a)  One Message for each recipient in the Bcc header field separately, with a Bcc header field containing only the address of the recipient it is sent to.

       b)  The same Message for each recipient in the Bcc header field with a Bcc header field containing an indication such as "Undisclosed recipients", but no addresses.
       c)  The same Message for each recipient in the Bcc header field which does not include a Bcc header field (this Message is identical to 1. above).

   3.  The Message stored in the 'Sent' folder of the sender, which usually contains the Bcc header field unchanged from the Original Message, i.e., with all recipient addresses.

The most privacy preserving method of the alternatives (2a, 2b, and 2c) is to standardize 2a: in the other cases (2b and 2c) a single encrypted Message is sent to all Bcc recipients, and the per-recipient key information that its Cryptographic Layer has to carry for each of them reveals the hidden recipients. In any case, the Message has to be cloned and adjusted depending on the recipient.

Appendix B.  Text Moved from Above

Note: Per an explicit request by the chair of the LAMPS WG to only present one option for the specification, the following text has been stripped from the main body of the draft. It is preserved in an Appendix for the time being and may be moved back to the main body or deleted, depending on the decision of the LAMPS WG.

B.1.  MIME Format

Currently there are two options in discussion:

   1.  The option according to the current S/MIME specification (cf. [RFC8551])

   2.  An alternative option that is based on the former "memory hole" approach (cf. [I-D.autocrypt-lamps-protected-headers])

B.1.1.  S/MIME Specification

Note: This is currently described in the main part of this document.

B.1.1.1.  Alternative Option Autocrypt "Protected Headers" (Ex-"Memory Hole")

An alternative option (based on the former autocrypt "Memory Hole" approach) to be considered is described in [I-D.autocrypt-lamps-protected-headers].

Unlike the option described in Appendix B.1.1, this option does not use a "message/rfc822" wrapper to unambiguously delimit the Inner Message.

Before choosing this option, the following two issues must be assessed to ensure no interoperability issues result from it:

   1.
       How current MIME parser implementations treat non-MIME Header Fields which are not part of the outermost MIME entity and not part of a Message wrapped into a MIME entity of media type "message/rfc822", and how such Messages are rendered to the user.

       [I-D.autocrypt-lamps-protected-headers] provides some examples for testing this.

   2.  MIME-conformance, i.e. whether or not this option is (fully) MIME-conformant [RFC2045] ff., in particular also with Section 5.1 of [RFC2046] on "Multipart Media Type". In the following an excerpt of paragraphs that may be relevant in this context:

       The only header fields that have defined meaning for body parts are those the names of which begin with "Content-". All other header fields may be ignored in body parts. Although they should generally be retained if at all possible, they may be discarded by gateways if necessary. Such other fields are permitted to appear in body parts but must not be depended on. "X-" fields may be created for experimental or private purposes, with the recognition that the information they contain may be lost at some gateways.

       NOTE: The distinction between an RFC 822 Message and a body part is subtle, but important. A gateway between Internet and X.400 mail, for example, must be able to tell the difference between a body part that contains an image and a body part that contains an encapsulated Message, the body of which is a JPEG image. In order to represent the latter, the body part must have "Content-Type: message/rfc822", and its body (after the blank line) must be the encapsulated Message, with its own "Content-Type: image/jpeg" header field. The use of similar syntax facilitates the conversion of Messages to body parts, and vice versa, but the distinction between the two must be understood by implementors.
       (For the special case in which parts actually are Messages, a "digest" subtype is also defined.)

The MIME structure of an Email Message looks as follows:

The following example demonstrates how an Original Message might be protected, i.e., the Original Message is contained as Inner Message in the Protected Body of an Outer Message. It illustrates the Outer Message Body as a "multipart/signed" (application/pkcs7-signature) media type whose first Body part is the Inner Message:

Lines are prepended as follows:

   o  "O: " Outer Message Header Section

   o  "I: " Inner Message Header Section

   O: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
   O: Message-ID:
   O: Subject: Meeting at my place
   O: From: "Alexey Melnikov"
   O: MIME-Version: 1.0
   O: Content-Type: multipart/signed; charset=us-ascii; micalg=sha1;
   O:     protocol="application/pkcs7-signature";
   O:     boundary=boundary-AM

   This is a multipart message in MIME format.
   --boundary-AM
   I: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
   I: From: "Alexey Melnikov"
   I: Message-ID:
   I: MIME-Version: 1.0
   I: MMHS-Primary-Precedence: 3
   I: Subject: Meeting at my place
   I: To: somebody@example.net
   I: X-Mailer: Isode Harrier Web Server
   I: Content-Type: text/plain; charset=us-ascii

   This is an important message that I don't want to be modified.

   --boundary-AM
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature

   [[base-64 encoded signature]]

   --boundary-AM--

The Outer Message Header Section is unprotected, while the remainder (Outer Message Body) is protected. The Outer Message Body consists of the Inner Message (Header Section and Body).

The Inner Message Header Section is the same as (or a subset of) the Original Message Header Section (cf. Section 4.1.2.1).
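What a MIME-conformant receiver that does not implement this specification (Section 4.2.1) ends up with for a Message built like the example above, as an added Python example that is not code from the draft nor from any implementation it cites. The sample reproduces the structure of the example (Inner Message Header Fields placed directly on the first body part of a multipart/signed entity, without a message/rfc822 wrapper) with constructed addresses and identifiers and a placeholder signature part that is not verified; the gateway step is a simulation of the [RFC2046], Section 5.1 text quoted above, under which such fields "may be discarded by gateways".

```python
"""Legacy, MIME-conformant receiver's view of a message whose protected
Header Fields sit on a body part (Appendix B.1.1.1 structure) rather than
inside a message/rfc822 wrapper.  Added example, not code from the draft.
The sample is constructed after the Appendix B example; the signature
part is a placeholder and is never verified here."""
from email import message_from_string, policy

# Constructed sample; addresses and identifiers are assumptions.
SAMPLE = """\
Date: Mon, 25 Sep 2017 17:31:42 +0100
Message-ID: <outer@example.org>
Subject: Meeting at my place
From: Alice <alice@example.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=sha-256;
    protocol="application/pkcs7-signature"; boundary=boundary-AM

This is a multipart message in MIME format.
--boundary-AM
Date: Mon, 25 Sep 2017 17:31:42 +0100
From: Alice <alice@example.org>
Message-ID: <inner@example.org>
MIME-Version: 1.0
Subject: Meeting at my place
To: somebody@example.net
Content-Type: text/plain; charset=us-ascii

This is an important message that I don't want to be modified.

--boundary-AM
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature

MIIBplaceholder=
--boundary-AM--
"""


def displayable_part(msg):
    """First part a legacy client renders, chosen by media type alone
    (RFC 2049, Section 2); header-protection semantics play no role."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            return part
    raise ValueError("nothing displayable found")


def protected_fields(part):
    """Header Fields on a body part other than Content-* and MIME-Version.
    RFC 2046, Section 5.1 gives them no defined meaning for body parts."""
    return {name: str(value) for name, value in part.items()
            if not name.lower().startswith("content-")
            and name.lower() != "mime-version"}


def gateway_strip(part):
    """Simulated gateway that drops every field RFC 2046 allows it to drop
    from a body part.  Returns what was lost."""
    dropped = protected_fields(part)
    for name in dropped:
        del part[name]
    return dropped


def legacy_view(raw, via_gateway=False):
    """Headers and body a legacy client ends up with, optionally after the
    message passed a gateway that discards non-Content- fields."""
    msg = message_from_string(raw, policy=policy.default)
    part = displayable_part(msg)
    dropped = gateway_strip(part) if via_gateway else {}
    return {
        "outer_subject": str(msg["Subject"]),
        "inner_fields": protected_fields(part),
        "dropped": dropped,
        "body": part.get_content().strip(),
    }


if __name__ == "__main__":
    print("direct delivery:", legacy_view(SAMPLE))
    print("via gateway:    ", legacy_view(SAMPLE, via_gateway=True))
```

CPython's parser keeps the non-Content- fields on the body part, so a client that knows where to look can recover them, but nothing obliges a gateway in between to preserve them and a legacy client will in any case render only the outer, unprotected Subject and From. In the message/rfc822 wrapping of [RFC8551], Section 3.1 the same fields form the header section of an encapsulated Message rather than of a body part, which is precisely the distinction the NOTE quoted above draws.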
The Inner Message Body is the same as the Original Message Body.

The Original Message itself may contain any MIME structure.

Appendix C.  Document Changelog

[[ RFC Editor: This section is to be removed before publication ]]

   o  draft-ietf-lamps-header-protection-01

      *  Add DKG as co-author

      *  Partial rewrite of Abstract and Introduction [HB/AM/DKG]

      *  Adding definitions for Cryptographic Layer, Cryptographic Payload, and Cryptographic Envelope (reference to [I-D.dkg-lamps-e2e-mail-guidance]) [DKG]

      *  Enhanced MITM Definition to include Machine- / Meddler-in-the-middle [HB]

      *  Relaxed definition of Original Message, which may not be of type "message/rfc822" [HB]

      *  Move "memory hole" option to the Appendix (on request by Chair to only maintain one option in the specification) [HB]

      *  Updated Scope of Protection Levels according to WG discussion during IETF-108 [HB]

      *  Obfuscation recommendation only for Subject and Message-ID and distinguish between Encrypted and Unencrypted Messages [HB]

      *  Removed (commented out) Header Field Flow Figure (it appeared to be confusing as it was) [HB]

   o  draft-ietf-lamps-header-protection-00

      *  Initial version (text partially taken over from [I-D.ietf-lamps-header-protection-requirements])

Appendix D.  Open Issues

[[ RFC Editor: This section should be empty and is to be removed before publication. ]]

   o  Ensure the "protected header" (Ex-Memory-Hole) option is (fully) compliant with the MIME standard, in particular also [RFC2046], Section 5.1 (Multipart Media Type); cf. Appendix B.1.1.1.

   o  More examples (e.g. in Section 4.1.2.5)

   o  Should the Outer Message Header Section (as received) be preserved for the user? (Section 4.1.3.2.2)

   o  Decide on whether or not to merge requirements from [I-D.ietf-lamps-header-protection-requirements] into this document.
   o  Decide what parts of [I-D.autocrypt-lamps-protected-headers] to merge into this document.

   o  Enhance Introduction (Section 1) and Problem Statement (Section 2).

   o  Decide on whether or not specifications for more legacy HP requirements should be added to this document (Section 3.1.2).

   o  Verify that the simple backward compatibility case (Receiving Side MIME-Conformant) is working once the solution is stable, and update the paragraphs in Section 4.1, Section 3.1.2.1 and Section 4.2.1 accordingly.

   o  Verify the ability to distinguish between Messages with Header Protection as specified in this document and legacy clients, and update Section 3.1 accordingly.

   o  Improve definitions of Protection Levels and enhance the list of Protection Levels (Section 3.2, Section 4).

   o  Privacy Considerations (Section 6)

   o  Security Considerations (Section 5)

Authors' Addresses

   Bernie Hoeneisen
   pEp Foundation
   Oberer Graben 4
   CH-8400 Winterthur
   Switzerland

   Email: bernie.hoeneisen@pep.foundation
   URI:   https://pep.foundation/

   Daniel Kahn Gillmor
   American Civil Liberties Union
   125 Broad St.
   New York, NY 10004
   USA

   Email: dkg@fifthhorseman.net

   Alexey Melnikov
   Isode Ltd
   14 Castle Mews
   Hampton, Middlesex TW12 2NP
   UK

   Email: alexey.melnikov@isode.com