| Internet-Draft | Guidance on End-to-End E-mail Security | February 2021 |
| Gillmor | Expires 26 August 2021 | [Page] |
End-to-end cryptographic protections for e-mail messages can provide useful security. However, the standards for providing cryptographic protection are extremely flexible. That flexibility can trap users and cause surprising failures. This document offers guidance for mail user agent implementers that need to compose or interpret e-mail messages with end-to-end cryptographic protection. It provides a useful set of vocabulary as well as suggestions to avoid common failures.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 26 August 2021.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
E-mail end-to-end security using S/MIME ([RFC8551]) and PGP/MIME ([RFC3156]) cryptographic standards can provide integrity, authentication and confidentiality to MIME ([RFC4289]) e-mail messages.¶
However, there are many ways that a receiving mail user agent can misinterpret or accidentally break these security guarantees (e.g., [EFAIL]).¶
A mail user agent that interprets a message with end-to-end cryptographic protections needs to do so defensively, staying alert to different ways that these protections can be bypassed by mangling (either malicious or accidental) or a failed user experience.¶
A mail user agent that generates a message with end-to-end cryptographic protections should be aware of these defensive interpretation strategies, and should compose any new outbound message conservatively if they want the protections to remain intact.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 ([RFC2119] and [RFC8174]) when, and only when, they appear in all capitals, as shown here.¶
For the purposes of this document, we define the following concepts:¶
A message header whose name begins with Content- is referred to in this document as a "structural" header.¶
These headers indicate something about the specific MIME part they are attached to, and cannot be transferred or copied to other parts without endangering the readability of the message.¶
This includes (but is not limited to):¶
FIXME: are there any non-Content-* headers we should consider as structural?¶
Any MUA that enables its user to transition from unprotected messages to messages with end-to-end cryptographic protection needs to consider how the user understands this transition. That said, the primary goal of the user of an MUA is communication -- so interface elements that get in the way of communication should be avoided where possible.¶
Furthermore, it is likely is that the user will continue to encounter unprotected messages, and may need to send unprotected messages (for example, if a given recipient cannot handle cryptographic protections). This means that the MUA needs to provide the user with some guidance, so that they understand what protections any given message or conversation has. But the user should not be overwhelmed with choices or presented with unactionable information.¶
The end user (the operator of the MUA) is unlikely to understand complex end-to-end cryptographic protections on any e-mail message, so keep it simple.¶
For clarity to the user, any cryptographic protections should apply to the message as a whole, not just to some subparts.¶
This is true for message composition: the standard message composition user interface of an MUA should offer minimal controls which indicate which types of protection to apply to the new message as a whole.¶
This is also true for message interpretation: the standard message rendering user interface of an MUA should offer a minimal, clear indicator about the end-to-end cryptographic status of the message as a whole.¶
A person communicating over the Internet today often has many options for reaching their desired correspondent, including web-based bulletin boards, contact forms, and instant messaging services.¶
E-mail offers a few distinctions from these other systems, most notably features like:¶
Other systems (like some popular instant messaging applications, such as WhatsApp and Signal Private Messenger) offer built-in end-to-end cryptographic protections by default, which are simpler for the user to understand. ("All the messages I see on Signal are confidential and integrity-protected" is a clean user story)¶
A user of e-mail is likely using e-mail instead of other systems because of the distinctions outlined above. When adding end-to-end cryptographic protection to an e-mail endpoint, care should be taken not to negate any of the distinct features of e-mail as a whole. If these features are violated to provide end-to-end crypto, the user may just as well choose one of the other systems that don't have the drawbacks that e-mail has. Implmenters should try to provide end-to-end protections that retain the familiar experience of e-mail itself.¶
Furthermore, an e-mail user is likely to regularly interact with other e-mail correspondents who cannot handle or produce end-to-end cryptographic protections. Care should be taken that enabling cryptography in a MUA does not inadvertently limit the ability of the user to interact with legacy correspondents.¶
Moving the web from http to https offers useful historical similarities to adding end-to-end encryption to e-mail.¶
In particular, the indicators of what is "secure" vs. "insecure" for web browsers have changed over time. For example, years ago the default experience was http, and https sites were flagged with "secure" indicators like a lock icon. In 2018, some browsers reversed that process by downplaying https, and instead visibly marking http as "not secure" (see [chrome-indicators]).¶
By analogy, when the user of a MUA first enables end-to-end cryptographic protection, it's likely that they will want to see which messages have protection. But a user whose e-mail communications are entirely end-to-end protected might instead want to know which messages do not have the expected protections.¶
Note also that some messages are expected to be confidential, but other messages are expected to be public -- the types of protection (see Section 3) that apply to each particular message will be different. And the types of protection that are expected to be present in any context might differ (for example, by sender, by thread, or by date).¶
It is out of scope for this document to define expectations about protections for any given message, but an implementer who cares about usable experience should be deliberate and judicious about the expectations their interface assumes that the user has in a given context.¶
A given message might be:¶
Given that many e-mail messages offer no cryptographic protections, the user needs to be able to detect which protections are present for any given message.¶
Implementations use the structure of an e-mail message to protect the headers. This section establishes some conventions about how to think about message structure.¶
"Cryptographic Layer" refers to a MIME substructure that supplies some cryptographic protections to an internal MIME subtree. The internal subtree is known as the "protected part" though of course it may itself be a multipart object.¶
In the diagrams below, "↧" (DOWNWARDS ARROW FROM BAR, U+21A7) indicates "decrypts to", and "⇩" (DOWNWARDS WHITE ARROW, U+21E9) indicates "unwraps to".¶
For S/MIME [RFC8551], there are four forms of Cryptographic Layers: multipart/signed, PKCS#7 signed-data, PKCS7 enveloped-data, PKCS7 authEnveloped-data.¶
└┬╴multipart/signed; protocol="application/pkcs7-signature" ├─╴[protected part] └─╴application/pkcs7-signature¶
This MIME layer offers authentication and integrity.¶
└─╴application/pkcs7-mime; smime-type="signed-data" ⇩ (unwraps to) └─╴[protected part]¶
This MIME layer offers authentication and integrity.¶
└─╴application/pkcs7-mime; smime-type="enveloped-data" ↧ (decrypts to) └─╴[protected part]¶
This MIME layer offers confidentiality.¶
└─╴application/pkcs7-mime; smime-type="authEnveloped-data" ↧ (decrypts to) └─╴[protected part]¶
This MIME layer offers confidentiality and integrity.¶
Note that enveloped-data (Section 4.1.1.3) and authEnveloped-data (Section 4.1.1.4) have identical message structure and semantics.
The only difference between the two is ciphertext malleability.¶
The examples in this document only include enveloped-data, but the implications for that layer apply to authEnveloped-data as well.¶
The Cryptographic Message Syntax (CMS) provides a MIME compression layer (smime-type="compressed-data"), as defined in [RFC3274].
While the compression layer is technically a part of CMS, it is not considered a Cryptographic Layer for the purposes of this document.¶
For PGP/MIME [RFC3156] there are two forms of Cryptographic Layers, signing and encryption.¶
└┬╴multipart/signed; protocol="application/pgp-signature" ├─╴[protected part] └─╴application/pgp-signature¶
This MIME layer offers authenticity and integrity.¶
└┬╴multipart/encrypted ├─╴application/pgp-encrypted └─╴application/octet-stream ↧ (decrypts to) └─╴[protected part]¶
This MIME layer can offer any of:¶
The Cryptographic Envelope is the largest contiguous set of Cryptographic Layers of an e-mail message starting with the outermost MIME type (that is, with the Content-Type of the message itself).¶
If the Content-Type of the message itself is not a Cryptographic Layer, then the message has no cryptographic envelope.¶
"Contiguous" in the definition above indicates that if a Cryptographic Layer is the protected part of another Cryptographic Layer, the layers together comprise a single Cryptographic Envelope.¶
Note that if a non-Cryptographic Layer intervenes, all Cryptographic Layers within the non-Cryptographic Layer are not part of the Cryptographic Envelope. They are Errant Cryptographic Layers (see Section 4.5).¶
Note also that the ordering of the Cryptographic Layers implies different cryptographic properties. A signed-then-encrypted message is different than an encrypted-then-signed message. See Section 5.2.¶
The Cryptographic Payload of a message is the first non-Cryptographic Layer -- the "protected part" -- within the Cryptographic Envelope.¶
As described above, if the "protected part" identified in the sction above is not itself a Cryptographic Layer, that part is the Cryptographic Payload.¶
If the application wants to generate a message that is both encrypted and signed, it MAY use the simple MIME structure from Section 4.1.2.2 by ensuring that the [RFC4880] Encrypted Message within the application/octet-stream part contains an [RFC4880] Signed Message (the final option described in Section 4.1.2.2.¶
It is possible to construct a Cryptographic Envelope consisting of multiple layers with either S/MIME or PGP/MIME , for example using the following structure:¶
A └─╴application/pkcs7-mime; smime-type="enveloped-data" B ↧ (decrypts to) C └─╴application/pkcs7-mime; smime-type="signed-data" D ⇩ (unwraps to) E └─╴[protected part]¶
When handling such a message, the properties of the Cryptographic Envelope are derived from the series A, C.¶
As noted in Section 4.4.1, PGP/MIME applications also have a simpler MIME construction available with the same cryptographic properties.¶
Due to confusion, malice, or well-intentioned tampering, a message may contain a Cryptographic Layer that is not part of the Cryptographic Envelope. Such a layer is an Errant Cryptographic Layer.¶
An Errant Cryptographic Layer SHOULD NOT contribute to the message's overall cryptographic state.¶
Guidance for dealing with Errant Cryptographic Layers can be found in Section 6.2.¶
Some mailing list software will re-wrap a well-formed signed message before re-sending to add a footer, resulting in the following structure seen by recipients of the e-mail:¶
H └┬╴multipart/mixed I ├┬╴multipart/signed J │├─╴text/plain K │└─╴application/pgp-signature L └─╴text/plain¶
In this message, L is the footer added by the mailing list. I is now an Errant Cryptographic Layer.¶
Note that this message has no Cryptographic Envelope at all.¶
It is NOT RECOMMENDED to produce e-mail messages with this structure, because the data in part L may appear to the user as though it were part of J, though they have different cryptographic properties.
In particular, if the user believes that the message is signed, but cannot distinguish L from J then the author of L can effectively tamper with content of the signed message, breaking the user's expectation of integrity and authenticity.¶
Consider a message with the following overcomplicated structure:¶
M └┬╴multipart/encrypted N ├─╴application/pgp-encrypted O └─╴application/octet-stream P ↧ (decrypts to) Q └┬╴multipart/signed R ├┬╴multipart/mixed S │├┬╴multipart/signed T ││├─╴text/plain U ││└─╴application/pgp-signature V │└─╴text/plain W └─╴application/pgp-signature¶
The 3 Cryptographic Layers in such a message are rooted in parts M, Q, and S.
But the Cryptographic Envelope of the message consists only of the properties derived from the series M, Q.
The Cryptographic Payload of the message is part R.
Part S is an Errant Cryptographic Layer.¶
Note that this message has both a Cryptographic Envelope and an Errant Cryptographic Layer.¶
It is NOT RECOMMENDED to generate messages with such complicated structures.
Even if a receiving MUA can parse this structure properly, it is nearly impossible to render in a way that the user can reason about the cryptographic properties of part T compared to part V.¶
This section describes the ideal composition of an e-mail message with end-to-end cryptographic protection. A message composed with this form is most likely to achieve its end-to-end security goals.¶
This section roughly describes the steps that a MUA should use to compose a cryptographically-protected message that has a proper cryptographic envelope and payload.¶
The message composition algorithm takes three parameters:¶
origbody: the traditional unprotected message body as a well-formed MIME tree (possibly just a single MIME leaf part).
As a well-formed MIME tree, origbody already has structural headers present (see Section 1.2.1).¶
origheaders: the intended non-structural headers for the message, represented here as a list of (h,v) pairs, where h is a header field name and v is the associated value.¶
crypto: The series of cryptographic protections to apply (for example, "sign with the secret key corresponding to X.509 certificate X, then encrypt to X.509 certificates X and Y").
This is a routine that accepts a MIME tree as input (the Cryptographic Payload), wraps the input in the appropriate Cryptographic Envelope, and returns the resultant MIME tree as output.¶
The algorithm returns a MIME object that is ready to be injected into the mail system:¶
Users expect any message that is both signed and encrypted to be signed inside the encryption, and not the other way around.¶
Putting the signature inside the encryption has two advantages:¶
A MUA SHOULD NOT generate an encrypted and signed message where the only signature is outside the encryption.¶
When generating an e-mail, the user has options about what forms of end-to-end cryptographic protections to apply to it.¶
In some cases, offering any end-to-end cryptographic protection is harmful: it may confuse the recipient and offer no benefit.¶
In other cases, signing a message is useful (authenticity and integrity are desirable) but encryption is either impossible (for example, if the sender does not know how to encrypt to all recipients) or meaningless (for example, an e-mail message to a mailing list that is intended to be be published to a public archive).¶
In other cases, full end-to-end confidentiality, authenticity, and integrity are desirable.¶
It is unclear what the use case is for an e-mail message with end-to-end confidentiality but without authenticity or integrity.¶
A reasonable MUA will keep its message composition interface simple, so when presenting the user with a choice of cryptographic protection, it SHOULD offer no more than three choices:¶
When replying to a message, most MUAs compose an initial draft of the reply that contains quoted text from the original message. A responsible MUA will take precautions to avoid leaking the cleartext of an encrypted message in such a reply.¶
If the original message was end-to-end encrypted, the replying MUA MUST either:¶
In general, MUAs SHOULD prefer the first option: to compose an encrypted reply. This is what users expect.¶
However, in some circumstances, the replying MUA cannot compose an encrypted reply. For example, the MUA might not have a valid, unexpired, encryption-capable certificate for all recipients. This can also happen during composition when a user adds a new recipient into the reply, or manually toggles the cryptographic protections to remove encryption.¶
In this circumstance, the composing MUA SHOULD strip the quoted text from the original message.¶
Note additional nuance about replies to malformed messages that contain encryption in Section 6.2.2.1.¶
Despite the best efforts of well-intentioned senders to create e-mail messages with well-formed end-to-end cryptographic protection, receiving MUAs will inevitably encounter some messages with malformed end-to-end cryptographic protection.¶
This section offers guidance on dealing with both well-formed and malformed messages containing Cryptographic Layers.¶
A message is well-formed when it has a Cryptographic Envelope, a Cryptographic Payload, and no Errant Cryptographic Layers. Rendering a well-formed message is straightforward.¶
The receiving MUA should evaluate and summarize the cryptographic properties of the Cryptographic Envelope, and display that status to the user in a secure, strictly-controlled part of the UI. In particular, the part of the UI used to render the cryptographic summary of the message MUST NOT be spoofable, modifiable, or otherwise controllable by the received message itself.¶
Aside from this cryptographic summary, the message itself should be rendered as though the Cryptographic Payload is the body of the message. The Cryptographic Layers themselves SHOULD not be rendered otherwise.¶
If an incoming message has any Errant Cryptographic Layers, the interpreting MUA SHOULD ignore those layers when rendering the cryptographic summary of the message to the user.¶
When rendering a message with an Errant Cryptographic Layer that provides authenticity and integrity (via signatures), the message should be rendered by replacing the Cryptographic layer with the part it encloses.¶
For example, a message with this structure:¶
A └┬╴multipart/mixed B ├╴text/plain C ├┬╴multipart/signed D │├─╴image/jpeg E │└─╴application/pgp-signature F └─╴text/plain¶
Should be rendered identically to this:¶
A └┬╴multipart/mixed B ├─╴text/plain D ├─╴image/jpeg F └─╴text/plain¶
In such a situation, an MUA SHOULD NOT indicate in the cryptographic summary that the message is signed.¶
An MUA may encounter a message with an Errant Cryptographic Layer that offers confidentiality (encryption), and the MUA is capable of decrypting it.¶
The user wants to be able to see the contents of any message that they receive, so an MUA in this situation SHOULD decrypt the part.¶
In this case, though, the MUA MUST NOT indicate in the message's cryptographic summary that the message itself was encrypted. Such an indication could be taken to mean that other (non-encrypted) parts of the message arrived with cryptographic confidentiality.¶
An incoming e-mail message may include an attached forwarded message, typically as a MIME subpart with Content-Type: message/rfc822 ([RFC5322]) or Content-Type: message/global ([RFC5355]).¶
Regardless of the cryptographic protections and structure of the incoming message, the internal forwarded message may have its own Cryptographic Envelope.¶
The Cryptographic Layers that are part of the Cryptographic Envelope of the forwarded message are not Errant Cryptographic Layers of the surrounding message -- they are simply layers that apply to the forwarded message itself.¶
The rendering MUA MUST NOT conflate the cryptographic protections of the forwarded message with the cryptographic protections of the incoming message.¶
The rendering MUA MAY render a cryptograpic summary of the protections afforded to the forwarded message by its own Cryptographic Envelope, as long as that rendering is unambiguously tied to the forwarded message itself.¶
A cryptographic signature may fail in multiple ways. A receiving MUA that discovers a failed signature should treat the message as though the signature did not exist. This is similar to the standard guidance for about failed DKIM signatures (see section 6.1 of [RFC6376]).¶
A MUA SHOULD NOT render a message with a failed signature as more dangerous or more dubious than a comparable message without any signature at all.¶
A MUA that encounters an encrypted-and-signed message where the signature is invalid SHOULD treat the message the same way that it would treat a message that is encryption-only.¶
Some different ways that a signature may be invalid on a given message:¶
From: or Sender:)¶
A valid signature must pass all these tests, but of course invalid signatures may be invalid in more than one of the ways listed above.¶
A cryptographically-capable MUA typically maintains knowledge about certificates for the user's own account(s), as well as certificates for the peers that it communicates with.¶
Most certificates that a cryptographically-capable MUA will use will be certificates belonging to the parties that the user communicates with through the MUA. This section discusses how to manage the certificates that belong to such a peer.¶
The MUA will need to be able to discover X.509 certificates for each peer, cache them, and select among them when composing an encrypted message.¶
TODO: incoming PKCS#7 messages tend to have a bundle of certificates in them. How should these certs be handled?¶
TODO: point to Autocrypt certificate discovery mechanism¶
TODO: point to OpenPGP embedded certificate subpacket proposal¶
TODO: compare mechanisms, explain where each case is useful.¶
Some MUAs may have the capability to look up peer certificates in a directory.¶
TODO: more information here about X.509 directories -- LDAP?¶
TODO: mention WKD for OpenPGP certificates?¶
When composing an encrypted message, the MUA needs to select a certificate for each recipient that is capable of encryption.¶
To select such a certificate for a given destination e-mail address, the MUA should look through all of its known certificates and verify that all of the conditions below are met:¶
The algorithm OID in the certificate's SPKI is known to the MUA and capable of encryption. Examples include (TODO: need OIDs)¶
TODO: If OID is EC Public Key and keyUsage is absent, what should happen?¶
TODO: what if multiple certificates meet all of these criteria for a given recipient?¶
TODO: discuss how/when to check for peer certificate revocation¶
TODO: privacy concerns: what information leaks to whom when checking peer cert revocations?¶
The MUA also needs to know about one or more certificates associated with the user's e-mail account. It is typically expected to have access to the secret key material associated with the public keys in those certificates.¶
TODO: mention ACME SMIME?¶
TODO: mention automatic self-signed certs e.g. OpenPGP?¶
TODO: SHOULD generate secret key material locally, and MUST NOT accept secret key material from an untrusted third party as the basis for the user's certificate.¶
The MUA should warn the user when/if:¶
TODO: how does the MUA do better than warning in the cases above? What can the MUA actually do here to fix problems before they happen?¶
TODO: discuss how/when to check for own certificate revocation, and what to do if it (or any intermediate certificate authority) is found to be revoked.¶
TODO: What certificates should the MUA include in an outbound message so that peers can discover them?¶
This section highlights a few "pitfalls" and guidelines based on these discussions and lessons learned.¶
FIXME: some possible additional commentary on:¶
MAYBE: provide an indicator in the IANA header registry for which headers are "structural" ? This is probably unnecessary.¶
This entire document addresses security considerations about end-to-end cryptographic protections for e-mail messages.¶
[ RFC Editor: please remove this section before publication ]¶
This document is currently edited as markdown. Minor editorial changes can be suggested via merge requests at https://gitlab.com/dkg/e2e-mail-guidance or by e-mail to the author. Please direct all significant commentary to the public IETF LAMPS mailing list: spasm@ietf.org¶
The set of constructs and recommendations in this document are derived from discussions with many different implementers, including Alexey Melnikov, Bernie Hoeneisen, Bjarni Runar Einarsson, David Bremner, Deb Cooley, Holger Krekel, Jameson Rollins, Jonathan Hammell, juga, Patrick Brunschwig, Santosh Chokhani, and Vincent Breitmoser.¶
FIXME: This document should contain examples of well-formed and malformed messages using cryptographic key material and certificates from [I-D.draft-bre-openpgp-samples-01] and [I-D.draft-dkg-lamps-samples-05].¶
It may also include example renderings of these messages.¶