| < draft-wouters-dane-openpgp-00.txt | draft-wouters-dane-openpgp-01.txt > | |||
|---|---|---|---|---|
| Network Working Group P. Wouters | Network Working Group P. Wouters | |||
| Internet-Draft Red Hat | Internet-Draft Red Hat | |||
| Intended status: Standards Track July 15, 2013 | Intended status: Standards Track October 21, 2013 | |||
| Expires: January 16, 2014 | Expires: April 24, 2014 | |||
| Using DANE to Associate OpenPGP public keys with email addresses | Using DANE to Associate OpenPGP public keys with email addresses | |||
| draft-wouters-dane-openpgp-00 | draft-wouters-dane-openpgp-01 | |||
| Abstract | Abstract | |||
| OpenPGP is a message format for email (and file) encryption, that | OpenPGP is a message format for email (and file) encryption, that | |||
| lacks a standarized secure lookup mechanism to obtain OpenPGP public | lacks a standarized lookup mechanism to obtain OpenPGP public keys. | |||
| keys. This document specifies a standarized method for securely | This document specifies a standarized method for securely publishing | |||
| publishing and locating OpenPGP public keys in DNS using a new | and locating OpenPGP public keys in DNS using a new OPENPGPKEY DNS | |||
| OPENPGPKEY DNS Resource Record. | Resource Record. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 16, 2014. | This Internet-Draft will expire on April 24, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. The OPENPGPKEY Resource Record . . . . . . . . . . . . . . . . 4 | 2. The OPENPGPKEY record presence . . . . . . . . . . . . . . . 3 | |||
| 2.1. Location of the OpenPGPKEY record . . . . . . . . . . . . 4 | 3. The OPENPGPKEY Resource Record . . . . . . . . . . . . . . . 4 | |||
| 2.2. The OPENPGPKEY RDATA Format . . . . . . . . . . . . . . . 5 | 3.1. Location of the OpenPGPKEY record . . . . . . . . . . . . 4 | |||
| 3. OpenPGP public key considerations . . . . . . . . . . . . . . 5 | 3.2. The OPENPGPKEY RDATA Format . . . . . . . . . . . . . . . 5 | |||
| 3.1. Public Key UIDs and email addresses . . . . . . . . . . . 5 | 4. OpenPGP public key considerations . . . . . . . . . . . . . . 5 | |||
| 3.2. Public Key UIDs and IDNA . . . . . . . . . . . . . . . . . 5 | 4.1. Public Key UIDs and email addresses . . . . . . . . . . . 5 | |||
| 3.3. Public Key UIDs and synthesized DNS records . . . . . . . 5 | 4.2. Public Key UIDs and IDNA . . . . . . . . . . . . . . . . 5 | |||
| 3.4. Public Key size and DNS record size . . . . . . . . . . . 6 | 4.3. Public Key UIDs and synthesized DNS records . . . . . . . 5 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 4.4. Public Key size and DNS record size . . . . . . . . . . . 6 | |||
| 4.1. Email address information leak . . . . . . . . . . . . . . 7 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.2. OpenPGP security and DNSSEC . . . . . . . . . . . . . . . 7 | 5.1. Email address information leak . . . . . . . . . . . . . 7 | |||
| 4.3. MTA behaviour . . . . . . . . . . . . . . . . . . . . . . 7 | 5.2. OpenPGP security and DNSSEC . . . . . . . . . . . . . . . 7 | |||
| 4.4. MUA behaviour . . . . . . . . . . . . . . . . . . . . . . 8 | 5.3. MTA behaviour . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.5. Email client behaviour . . . . . . . . . . . . . . . . . . 8 | 5.4. MUA behaviour . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.6. Subject: line encryption . . . . . . . . . . . . . . . . . 9 | 5.5. Email client behaviour . . . . . . . . . . . . . . . . . 8 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.1. OPENPGPKEY RRtype . . . . . . . . . . . . . . . . . . . . 9 | 6.1. OPENPGPKEY RRtype . . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 | 7. Generating OPENPGPKEY RRdata . . . . . . . . . . . . . . . . 9 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 10 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| 1. Introduction | 1. Introduction | |||
| To encrypt a message to a target recipient using OpenPGP [RFC4880], | To encrypt a message to a target recipient using OpenPGP [RFC4880], | |||
| possession of the recipient's OpenPGP public key is required. To | possession of the recipient's OpenPGP public key is required. To | |||
| obtain that public key, two problems need to be solved by the | obtain that public key, two problems need to be solved by the | |||
| sender's email client, MUA or MTA. Where does one find the | sender's email client, MUA or MTA. Where does one find the | |||
| recipient's public key and how does one trust that the found key | recipient's public key and how does one trust that the found key | |||
| actually belongs to the intended recipient. | actually belongs to the intended recipient. | |||
| Obtaining a public key is not a straightforward process as there are | Obtaining a public key is not a straightforward process as there are | |||
| no standarized locations for publishing OpenPGP public keys indexed | no trusted standarized locations for publishing OpenPGP public keys | |||
| by email address. Instead, OpenPGP clients rely on "well known key | indexed by email address. Instead, OpenPGP clients rely on "well- | |||
| servers" that are accessed using the web based HKP protocol or | known key servers" that are accessed using the web based HKP protocol | |||
| manually by users using a variety of different front-end web pages. | or manually by users using a variety of differently formatted front- | |||
| end web pages. | ||||
| Currently deployed key servers have no method of validating any | Currently deployed key servers have no method of validating any | |||
| uploaded OpenPGP public key. The key servers simply store and | uploaded OpenPGP public key. The key servers simply store and | |||
| publish. Anyone can add public keys with any name or email address | publish. Anyone can add public keys with any identities and anyone | |||
| and anyone can add signatures to any other public key using forged | can add signatures to any other public key using forged malicious | |||
| malicious identities. For example, bogus keys of prominent | identities. Furthermore, once uploaded, public keys cannot be | |||
| dissidents have been uploaded to these well-known key servers in | deleted. People who did not pre-sign a key revocation can never | |||
| attempts to capture encrypted email. Furthermore, once uploaded, | ||||
| public keys cannot be deleted. People who did not pre-sign a key | ||||
| revocation and who have lost access to their private key can never | ||||
| remove their public key from these key servers. | remove their public key from these key servers. | |||
| The lack of association of email address and public key lookup is | The lack of association of email address and public key lookup is | |||
| also preventing email clients, MTAs and MUAs from encrypting a | also preventing email clients, MTAs and MUAs from encrypting a | |||
| received message to the target receipient forcing the software to | received message to the target receipient forcing the software to | |||
| send the message unencryped. Currently deployed MTA's only support | send the message unencryped. Currently deployed MTA's only support | |||
| encrypting the transport of the email, not the email contents itself. | encrypting the transport of the email, not the email contents itself. | |||
| This document describes a mechanism to associate a user's OpenPGP | This document describes a mechanism to associate a user's OpenPGP | |||
| public key with their email address, using a new DNS RRtype. This is | public key with their email address, using a new DNS RRtype. This is | |||
| skipping to change at page 4, line 10 ¶ | skipping to change at page 3, line 36 ¶ | |||
| 1.1. Terminology | 1.1. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| This document also makes use of standard DNSSEC and DANE terminology. | This document also makes use of standard DNSSEC and DANE terminology. | |||
| See DNSSEC [RFC4033], [RFC4034], [RFC4035], and DANE [RFC6698] for | See DNSSEC [RFC4033], [RFC4034], [RFC4035], and DANE [RFC6698] for | |||
| these terms. | these terms. | |||
| 2. The OPENPGPKEY Resource Record | 2. The OPENPGPKEY record presence | |||
| A user who publishes an OPENPGPKEY record in DNS explicitly favours | ||||
| receiving encrypted email instead of unencrypted email. | ||||
| A user who publishes an OPENPGPKEY record in DNS still expects | ||||
| senders to perform their due diligence by additional verification of | ||||
| their public key via other out-of-band methods before sending any | ||||
| confidential or sensitive information | ||||
| In other words, the OPENPGPKEY record in DNS, without any additional | ||||
| verification, should be used only as an alternative to sending | ||||
| plaintext email. It SHOULD NOT be used to change one's opinion on | ||||
| whether it is safe or appropriate to sent the content via email in | ||||
| the first place. | ||||
| 3. The OPENPGPKEY Resource Record | ||||
| The OPENPGPKEY DNS resource record (RR) is used to associate an end | The OPENPGPKEY DNS resource record (RR) is used to associate an end | |||
| entity OpenPGP public key with an email address, thus forming a | entity OpenPGP public key with an email address, thus forming a | |||
| "OpenPGP public key association". | "OpenPGP public key association". | |||
| The type value allocated for the OPENPGPKEY RR type is [TBD]. The | The type value allocated for the OPENPGPKEY RR type is [TBD]. The | |||
| OPENPGPKEY RR is class independent. The OPENPGPKEY RR has no special | OPENPGPKEY RR is class independent. The OPENPGPKEY RR has no special | |||
| TTL requirements. | TTL requirements. If an an OPENPGPKEY RR contains an expired OpenPGP | |||
| public key, it MUST NOT be used for encryption. | ||||
| 2.1. Location of the OpenPGPKEY record | 3.1. Location of the OpenPGPKEY record | |||
| Domain names are prepared for requests in the following manner. | Email addresses are mapped into DNS using the following method: | |||
| 1. The user name (the "left-hand side" of the email address, called | 1. The user name (the "left-hand side" of the email address, called | |||
| the "local-part" in the mail message format definition [RFC2822] | the "local-part" in the mail message format definition [RFC2822] | |||
| and the "local part" in the specification for internationalized | and the "local part" in the specification for internationalized | |||
| email [RFC6530]), is encoded with Base32 [RFC4648], to become the | email [RFC6530]), is encoded with Base32 [RFC4648], to become the | |||
| left-most label in the prepared domain name. This does not | left-most label in the prepared domain name. This does not | |||
| include the "@" character that separates the left and right sides | include the at symbol ("@") that separates the left and right | |||
| of the email address. | sides of the email address but does include any trailing equal | |||
| signs ("=") of base64 padding. | ||||
| 2. The string "_openpgpkey" becomes the second left-most label in | 2. The string "_openpgpkey" becomes the second left-most label in | |||
| the prepared domain name. | the prepared domain name. | |||
| 3. The domain name (the "right-hand side" of the email address, | 3. The domain name (the "right-hand side" of the email address, | |||
| called the "domain" in RFC 2822) is appended to the result of | called the "domain" in RFC 2822) is appended to the result of | |||
| step 2 to complete the prepared domain name. | step 2 to complete the prepared domain name. | |||
| For example, to request an OPENPGPKEY resource record for a user | For example, to request an OPENPGPKEY resource record for a user | |||
| whose address is "hugh@example.com", you would use | whose address is "hugh@example.com", you would use | |||
| "d1qmeq0._openpgpkey.example.com" in the request. The corresponding | "nb2wo2a=._openpgpkey.example.com" in the request. The corresponding | |||
| RR in the example.com zone might look like: | RR in the example.com zone might look like: | |||
| d1qmeq0._openpgpkey.example.com. IN OPENPGPKEY <encoded public key> | nb2wo2a=._openpgpkey.example.com. IN OPENPGPKEY <encoded public key> | |||
| Design note: Encoding the user name with Base32 allows local parts | Design note: Encoding the user name with Base32 allows local parts | |||
| that have characters that would prevent their use in domain names. | that have characters that would prevent their use in domain names. | |||
| For example, a period (".") is a valid character in a local part, but | For example, a period (".") is a valid character in a local part, but | |||
| would wreak havoc in a domain name. Similarly, RFC 6530 allows non- | would wreak havoc in a domain name. Similarly, RFC 6530 allows non- | |||
| ASCII characters in local parts, and encoding a local part with non- | ASCII characters in local parts, and encoding a local part with non- | |||
| ASCII characters with Base32 renders the name usable in the DNS. | ASCII characters with Base32 renders the name usable in the DNS. The | |||
| equal sign ("=") is a valid character for a DNS label, even though it | ||||
| is not a valid character for a DNS hostname. | ||||
| 2.2. The OPENPGPKEY RDATA Format | 3.2. The OPENPGPKEY RDATA Format | |||
| The RDATA (or RHS) of an OPENPGPKEY Resource Record contains a single | The RDATA (or RHS) of an OPENPGPKEY Resource Record contains a single | |||
| value consisting of a [RFC4880] formatted OpenPGP public keyring | value consisting of a [RFC4880] formatted OpenPGP public keyring | |||
| encoded in base32 as specified in [RFC4648]. | encoded in base64 as specified in [RFC4648]. This is not equivalent | |||
| to an "ascii armor export" which adds a header, a footer, and | ||||
| sometimes additional items, to the exported data. | ||||
| 3. OpenPGP public key considerations | 4. OpenPGP public key considerations | |||
| Once an OPENPGPKEY resource record has been found and the OpenPGP | Once an OPENPGPKEY resource record has been found and the OpenPGP | |||
| public keyring has been base32 decoded, the right public key must be | public keyring has been decoded, the right public key must be located | |||
| located inside the keyring. For a public key in the keyring to be | inside the keyring. For a public key in the keyring to be usable, | |||
| usable, the public key has to have a key uid as specified in | the public key has to have a key uid as specified in [RFC4648] that | |||
| [RFC4648] that matches the email address for which the OPENPGPKEY RR | matches the email address for which the OPENPGPKEY RR lookup was | |||
| lookup was performed. | performed. | |||
| 3.1. Public Key UIDs and email addresses | 4.1. Public Key UIDs and email addresses | |||
| An OpenPGP public key can be associated with multiple email addresses | An OpenPGP public key can be associated with multiple email addresses | |||
| by specifying multiple key uids. The OpenPGP public key obtained | by specifying multiple key uids. The OpenPGP public key obtained | |||
| from a OPENPGPKEY RR can be used as long as the target recipient's | from a OPENPGPKEY RR can be used as long as the target recipient's | |||
| email address appears as one of the OpenPGP public key uids. The | email address appears as one of the OpenPGP public key uids. The | |||
| name part (left of the @) should appear in the native format, not its | name part (left of the @) should appear in the native format, not its | |||
| base32 encoding that was used to lookup the OPENPGPKEY RR. | base32 encoding that was used to lookup the OPENPGPKEY RR. | |||
| 3.2. Public Key UIDs and IDNA | 4.2. Public Key UIDs and IDNA | |||
| Internationalized domains that use non-ascii characters (U-label) are | Internationalized domains that use non-ascii characters (U-label) are | |||
| encoded in DNS using IDNA [RFC5891] - also referred to as punycode or | encoded in DNS using IDNA [RFC5891] - also referred to as punycode or | |||
| A-label. When matching OpenPGP public key uids, both the email | A-label. When matching OpenPGP public key uids, both the email | |||
| address specified using U-label and A-label should be considered as | address specified using U-label and A-label should be considered as | |||
| valid public key uids. | valid public key uids. | |||
| 3.3. Public Key UIDs and synthesized DNS records | 4.3. Public Key UIDs and synthesized DNS records | |||
| CNAME's (see [RFC2181]) and DNAME's (see [RFC6672]) can be followed | CNAME's (see [RFC2181]) and DNAME's (see [RFC6672]) can be followed | |||
| to obtain an OPENPGPKEY RR, as long as the original recipient's email | to obtain an OPENPGPKEY RR, as long as the original recipient's email | |||
| address appears as one of the OpenPGP public key uids. For example, | address appears as one of the OpenPGP public key uids. For example, | |||
| if the OPENPGPKEY RR query for hugh@example.com | if the OPENPGPKEY RR query for hugh@example.com | |||
| (d1qmeq0._openpgpkey.example.com) yields a CNAME to | (b2wo2a=._openpgpkey.example.com) yields a CNAME to | |||
| d1qmeq0._openpgpkey.example.net, and an OPENPGPKEY RR for | b2wo2a=._openpgpkey.example.net, and an OPENPGPKEY RR for | |||
| d1qmeq0._openpgpkey.example.net exists, then this OpenPGP public key | b2wo2a=._openpgpkey.example.net exists, then this OpenPGP public key | |||
| can be used, provided one of the key uids contains | can be used, provided one of the key uids contains | |||
| "hugh@example.com". This public key cannot be used if it would only | "hugh@example.com". This public key cannot be used if it would only | |||
| contain the key uid "hugh@example.net". | contain the key uid "hugh@example.net". | |||
| If one of the OpenPGP key uids contains only a single wildcard as the | If one of the OpenPGP key uids contains only a single wildcard as the | |||
| LHS of the email address, such as "*@example.com", the OpenPGP public | LHS of the email address, such as "*@example.com", the OpenPGP public | |||
| key may be used for any email address within that domain. Wildcards | key may be used for any email address within that domain. Wildcards | |||
| at other locations (eg hugh@*.com) or regular expressions in key uids | at other locations (eg hugh@*.com) or regular expressions in key uids | |||
| are not allowed, and any OPENPGPKEY RR containing these should be | are not allowed, and any OPENPGPKEY RR containing these should be | |||
| ignored. | ignored. | |||
| 3.4. Public Key size and DNS record size | 4.4. Public Key size and DNS record size | |||
| Although the reliability of the transport of large DNS Resoruce | Although the reliability of the transport of large DNS Resoruce | |||
| Records has improved in the last few years, it is still recommended | Records has improved in the last few years, it is still recommended | |||
| to keep the DNS records as small as possible without sacrificing the | to keep the DNS records as small as possible without sacrificing the | |||
| security properties of the public key. The algorithm type and key | security properties of the public key. The algorithm type and key | |||
| size of the OpenPGP keypair should not be modified to accomodate this | size of the OpenPGP keypair should not be modified to accomodate this | |||
| section. | section. | |||
| [Should a statement be made on the number of signatures left on the | [Should a statement be made on the number of signatures left on the | |||
| key? Should there be _any_ signatures other than the self-signed | key? Should there be _any_ signatures other than the self-signed | |||
| one?] | one?] | |||
| OpenPGP supports various attributes that do not contribute to the | OpenPGP supports various attributes that do not contribute to the | |||
| security of a key, such as an embedded image file. It is recommended | security of a key, such as an embedded image file. It is recommended | |||
| that these properties are not exported to OpenPGP public keyrings | that these properties are not exported to OpenPGP public keyrings | |||
| that are used to create OPENPGPKEY Resource Records. | that are used to create OPENPGPKEY Resource Records. | |||
| 4. Security Considerations | 5. Security Considerations | |||
| The main goal of the OPENPGPKEY resource record is to stop passive | The main goal of the OPENPGPKEY resource record is to stop passive | |||
| attacks against plaintext emails. While it can also twart some | attacks against plaintext emails. While it can also twart some | |||
| active attacks (such as people uploading rogue keys to keyservers in | active attacks (such as people uploading rogue keys to keyservers in | |||
| the hopes that others will encrypt to these rogue keys), this | the hopes that others will encrypt to these rogue keys), this | |||
| resource record is not a replacement for verifying OpenPGP public | resource record is not a replacement for verifying OpenPGP public | |||
| keys via the web of trust signatures, or manually via a fingerprint | keys via the web of trust signatures, or manually via a fingerprint | |||
| verification. | verification. | |||
| Various components could be responsible for encrypting an email | Various components could be responsible for encrypting an email | |||
| message to a target recipient. It could be done by the sender's | message to a target recipient. It could be done by the sender's | |||
| email client or software plugin, the sender's Mail User Agent (MUA) | email client or software plugin, the sender's Mail User Agent (MUA) | |||
| or the sender's Mail Transfer Agent (MTA). Each of these have their | or the sender's Mail Transfer Agent (MTA). Each of these have their | |||
| own characteristics. An email client can interact with the user to | own characteristics. An email client can direct the human to make a | |||
| make a decision before continuing. The MUA can only accept or refuse | decision before continuing. The MUA can either accept or refuse a | |||
| a message. The MTA must deliver the message, either as-is, or | message. The MTA must deliver the message as-is, or encrypt the | |||
| encrypted. Each of these programs should ensure that an unencrypted | message before delivering. Each of these programs should ensure that | |||
| received email message will be encrypted whenever possible. | the security of an email message is never downgraded, and that an | |||
| unencrypted received message will be encrypted whenever possible. | ||||
| 4.1. Email address information leak | Organisations that require to be able to read everyone's encrypted | |||
| email should publish the escrow key as the OPENPGPKEY record. Upon | ||||
| receipt, such mail servers can optionally re-encrypt the message to | ||||
| the individual's OpenPGP key. | ||||
| 5.1. Email address information leak | ||||
| DNS zones that are signed with DNSSEC using NSEC for denial of | DNS zones that are signed with DNSSEC using NSEC for denial of | |||
| existence are susceptible to zone-walking, a mechanism that allow | existence are susceptible to zone-walking, a mechanism that allow | |||
| someone to enumerate all the names in the zone. Someone who wanted | someone to enumerate all the names in the zone. Someone who wanted | |||
| to collect email addresses from a zone that uses OPENPGPKEY might use | to collect email addresses from a zone that uses OPENPGPKEY might use | |||
| such a mechanism. DNSSEC-signed zones using NSEC3 for denial of | such a mechanism. DNSSEC-signed zones using NSEC3 for denial of | |||
| existence are significantly less susceptible to zone-walking. | existence are significantly less susceptible to zone-walking. | |||
| Someone could still attempt a dictionary attack on the zone to find | Someone could still attempt a dictionary attack on the zone to find | |||
| OPENPGPKEY records, just as they can use dictionary attacks on an | OPENPGPKEY records, just as they can use dictionary attacks on an | |||
| SMTP server or grab the entire contents of existing PGP key servers | SMTP server or grab the entire contents of existing PGP key servers | |||
| to see which addresses are valid. | to see which addresses are valid. | |||
| 4.2. OpenPGP security and DNSSEC | 5.2. OpenPGP security and DNSSEC | |||
| DNSSEC key sizes are chosen based on the fact that these keys can be | DNSSEC key sizes are chosen based on the fact that these keys can be | |||
| rolled with next to no requirement for security in the future. If | rolled with next to no requirement for security in the future. If | |||
| one doubts the strength or security of the DNSSEC key for whatever | one doubts the strength or security of the DNSSEC key for whatever | |||
| reason, one simply rolls to a new DNSSEC key with a stronger | reason, one simply rolls to a new DNSSEC key with a stronger | |||
| algorithm or larger key size. | algorithm or larger key size. | |||
| The same does not apply to OpenPGP encrypted messages. Users have an | ||||
| expectation that their OpenPGP encrypted messages cannot be decrypted | ||||
| for years or decades into the future. Changing to a new OpenPGP | ||||
| keypair is also a costly and manual process that people tend to avoid | ||||
| when possible. | ||||
| This effectively means that anyone who can obtain a DNSSEC private | This effectively means that anyone who can obtain a DNSSEC private | |||
| key of a domain name via coercion, theft or brute force calculations, | key of a domain name via coercion, theft or brute force calculations, | |||
| can replace any OPENPGPKEY record in that zone and all of the | can replace any OPENPGPKEY record in that zone and all of the | |||
| delegated child zones, irrespective of the key length strength of the | delegated child zones, irrespective of the key length strength of the | |||
| OpenPGP keypair. | OpenPGP keypair. | |||
| Therefore, DNSSEC is not an alternative for the "web of trust" or for | Therefor, DNSSEC is not an alternative for the "web of trust" or for | |||
| manual fingerprint verification by humans. It is a solution aimed to | manual fingerprint verification by humans. It is a solution aimed to | |||
| ease obtaining someone's public key, and without manual verification | ease obtaining someone's public key, and without manual verification | |||
| should be treated as "better then plaintext" only. While this twarts | should be treated as "better then plaintext" only. While this twarts | |||
| all passive attacks that simply capture and log all plaintext email | all passive attacks that simply capture and log all plaintext email | |||
| content, it is not a security measure against active attacks. | content, it is not a security measure against active attacks. | |||
| 4.3. MTA behaviour | 5.3. MTA behaviour | |||
| An MTA could be operating in a stand-alone mode, without access to | An MTA could be operating in a stand-alone mode, without access to | |||
| the sender's OpenPGP public keyring, or in a way where it can access | the sender's OpenPGP public keyring, or in a way where it can access | |||
| the user's OpenPGP public keyring. Regardless, the MTA SHOULD NOT | the user's OpenPGP public keyring. Regardless, the MTA MUST NOT | |||
| modify the user's OpenPGP keyring. | modify the user's OpenPGP keyring. | |||
| An MTA sending an email SHOULD NOT add the public key obtained from | An MTA sending an email MUST NOT add the public key obtained from an | |||
| an OPENPGPKEY resource record to a permanent public keyring for | OPENPGPKEY resource record to a permanent public keyring for future | |||
| future use beyond the TTL. | use beyond the TTL. | |||
| If the obtained public key is revoked, the MTA MUST NOT use the key | If the obtained public key is revoked, the MTA MUST NOT use the key | |||
| for encryption, even if that would result in sending the message in | for encryption, even if that would result in sending the message in | |||
| plaintext. | plaintext. | |||
| [What is the correct behaviour of an MTA when it receives an | If a message is already encrypted, the MTA SHOULD NOT re-encrypt the | |||
| encrypted message from a MUA that is encrypted to a different key | message, even if different encryption schemes or different encryption | |||
| then the one listed in the recipient's OPENPGPKEY record? Encrypt | keys were used. | |||
| the encrypted message? Refuse to send out the message? Don't even | ||||
| look up the OPENPGPKEY record and pass unmodified?] | ||||
| If an OPENPGPKEY resource record is received without DNSSEC | If an OPENPGPKEY resource record is received without DNSSEC | |||
| protection, it MUST NOT be used. If the DNS request returned an | protection, it MAY still be used for encryption. | |||
| "indeterminate" or "bogus" answer, the MTA should queue the plaintext | ||||
| message and try encryption and delivery again at a later time. | If the DNS request for an OPENPGPKEY returned an "indeterminate" or | |||
| "bogus" answer, the MTA MUST NOT sent the message and queue the | ||||
| plaintext message for delivery at a later time. If the problem | ||||
| persists, the email should be returned via the regular bounce | ||||
| methods. | ||||
| If multiple non-revoked OPENPGPKEY resource records are found, the | If multiple non-revoked OPENPGPKEY resource records are found, the | |||
| MTA should pick the most secure RR based on its local policy. | MTA SHOULD pick the most secure RR based on its local policy. [or | |||
| should it encrypt to both?] | ||||
| 4.4. MUA behaviour | 5.4. MUA behaviour | |||
| If the public key for a recipient obtained from the locally stored | If the public key for a recipient obtained from the locally stored | |||
| public keyring differs from the recipient's OPENPGPKEY resource | sender's public keyring differs from the recipient's OPENPGPKEY RR, | |||
| record, the MUA SHOULD NOT accept the message for delivery. | the MUA MUST NOT accept the message for delivery. | |||
| If a MUA detects that a locally stored public key is present in an | If the public key for a recipient obtained from the locally stored | |||
| OPENPGPKEY resource record, and the OPENPGPKEY RR version of the | sender's public keyring contains contradicting properties for the | |||
| public key is revoked, the MUA SHOULD reject the message for | same key obtained from an OPENPGPKEY RR, the MUA SHOULD NOT accept | |||
| delivery. | the message for delivery. | |||
| If multiple non-revoked OPENPGPKEY resource records are found, the | If multiple non-revoked OPENPGPKEY resource records are found, the | |||
| MUA should pick the most secure RR based on its local policy. | MUA SHOULD pick the most secure OpenPGP public key based on its local | |||
| policy. | ||||
| 4.5. Email client behaviour | ||||
| An email client MAY interact with a user to add the contents from an | 5.5. Email client behaviour | |||
| OPENPGPKEY resource record into the user's permanent public keyring. | ||||
| If the public key for a recipient obtained from the locally stored | Email clients should adhere to the above listed MUA behaviour. | |||
| public keyring differs from the recipient's OPENPGPKEY resource | Additionally, an email client MAY interact with the user to resolve | |||
| record, the email client SHOULD ask the user which key to use for | any conflicts between locally stored keyrings and OPENPGPKEY RRdata. | |||
| encryption. The email cilent SHOULD allow encrypting to both public | ||||
| keys. | ||||
| An email client that is encrypting a message SHOULD clearly indicate | An email client that is encrypting a message SHOULD clearly indicate | |||
| to the user the difference between encrypting to a locally stored and | to the user the difference between encrypting to a locally stored and | |||
| manually verified public key and encrypting to an automatically | humanly verified public key and encrypting to an unverified (by the | |||
| obtained public key via an OPENPGPKEY resource record that has not | human sender) public key obtained via an OPENPGPKEY resource record. | |||
| been manually verified. | ||||
| If a MUA detects that a locally stored and manually verified public | 6. IANA Considerations | |||
| key is present in an OPENPGPKEY resource record, and the OPENPGPKEY | ||||
| RR version of the public key is revoked, the MUA SHOULD warn the user | ||||
| and give them the chance to not sent the message at all. | ||||
| If multiple non-revoked OPENPGPKEY resource records are found, the | 6.1. OPENPGPKEY RRtype | |||
| MUA should pick the most secure RR based on its local policy. | ||||
| 4.6. Subject: line encryption | This document uses a new DNS RR type, OPENPGPKEY, whose value [TBD] | |||
| has been allocated by IANA from the Resource Record (RR) TYPEs | ||||
| subregistry of the Domain Name System (DNS) Parameters registry. | ||||
| Often, encrypting an email does not cause its Subject: line to be | 7. Generating OPENPGPKEY RRdata | |||
| encrypted. If the email client, MUA or MTA automatically encrypt an | ||||
| email based on the existence of an OPENPGPKEY record, it should clear | ||||
| or replace the Subject: header with a notification that does not | ||||
| expose the original subject line. It should prepend the original | ||||
| Subject: line to the first line of the body of the email message | ||||
| before encryption. This allows a receiving email client to decrypt | ||||
| the message and replace the Subject: line to its original decrypted | ||||
| form when presenting the user with the decrypted email message. | ||||
| 5. IANA Considerations | The commonly available GnuPG software can be used to generate the | |||
| RRdata portion of an OPENPGPKEY record: | ||||
| 5.1. OPENPGPKEY RRtype | gpg --export --export-options export-minimal \ | |||
| your@email.com | base64 | ||||
| This document uses a new DNS RR type, OPENPGPKEY, whose value [TBD] | The --armor or -a option should NOT be used. While it also provides | |||
| has been allocated by IANA from the Resource Record (RR) TYPEs | a base64 encoded copy of the binary openpgk key data, it adds a | |||
| subregistry of the Domain Name System (DNS) Parameters registry. | header and footer to the output. | |||
| 6. Acknowledgements | 8. Acknowledgements | |||
| This document is based on RFC-4255 and draft-ietf-dane-smime whose | This document is based on RFC-4255 and draft-ietf-dane-smime whose | |||
| authors are Paul Hoffman, Jacob Schlyter and W. Griffin. | authors are Paul Hoffman, Jacob Schlyter and W. Griffin. | |||
| 7. References | 9. References | |||
| 7.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", RFC | ||||
| Rose, "DNS Security Introduction and Requirements", | 4033, March 2005. | |||
| RFC 4033, March 2005. | ||||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Resource Records for the DNS Security Extensions", | Rose, "Resource Records for the DNS Security Extensions", | |||
| RFC 4034, March 2005. | RFC 4034, March 2005. | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Protocol Modifications for the DNS Security | Rose, "Protocol Modifications for the DNS Security | |||
| Extensions", RFC 4035, March 2005. | Extensions", RFC 4035, March 2005. | |||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
| Encodings", RFC 4648, October 2006. | Encodings", RFC 4648, October 2006. | |||
| [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. | [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. | |||
| Thayer, "OpenPGP Message Format", RFC 4880, November 2007. | Thayer, "OpenPGP Message Format", RFC 4880, November 2007. | |||
| [RFC5891] Klensin, J., "Internationalized Domain Names in | [RFC5891] Klensin, J., "Internationalized Domain Names in | |||
| Applications (IDNA): Protocol", RFC 5891, August 2010. | Applications (IDNA): Protocol", RFC 5891, August 2010. | |||
| 7.2. Informative References | 9.2. Informative References | |||
| [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | |||
| Specification", RFC 2181, July 1997. | Specification", RFC 2181, July 1997. | |||
| [RFC2822] Resnick, P., "Internet Message Format", RFC 2822, | [RFC2822] Resnick, P., "Internet Message Format", RFC 2822, April | |||
| April 2001. | 2001. | |||
| [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely | [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely | |||
| Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, | Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, | |||
| January 2006. | January 2006. | |||
| [RFC6530] Klensin, J. and Y. Ko, "Overview and Framework for | [RFC6530] Klensin, J. and Y. Ko, "Overview and Framework for | |||
| Internationalized Email", RFC 6530, February 2012. | Internationalized Email", RFC 6530, February 2012. | |||
| [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the | [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the | |||
| DNS", RFC 6672, June 2012. | DNS", RFC 6672, June 2012. | |||
| End of changes. 57 change blocks. | ||||
| 147 lines changed or deleted | 157 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||