idnits 2.17.1 draft-marques-pep-rating-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 08, 2020) is 1563 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-06) exists of draft-birk-pep-05 == Outdated reference: A later version (-05) exists of draft-birk-pep-trustwords-04 == Outdated reference: A later version (-05) exists of draft-marques-pep-handshake-03 Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group H. Marques 3 Internet-Draft B. Hoeneisen 4 Intended status: Informational pEp Foundation 5 Expires: July 11, 2020 January 08, 2020 7 pretty Easy privacy (pEp): Mapping of Privacy Rating 8 draft-marques-pep-rating-03 10 Abstract 12 In many Opportunistic Security scenarios end-to-end encryption is 13 automatized for Internet users. In addition, it is often required to 14 provide the users with easy means to carry out authentication. 16 Depending on several factors, each communication channel to different 17 peers may have a different Privacy Status, e.g., unencrypted, 18 encrypted and encrypted as well as authenticated. Even each message 19 from/to a single peer may have a different Privacy Status. 21 To display the actual Privacy Status to the user, this document 22 defines a Privacy Rating scheme and its mapping to a traffic-light 23 semantics. A Privacy Status is defined on a per-message basis as 24 well as on a per-identity basis. The traffic-light semantics (as 25 color rating) allows for a clear and easily understandable 26 presentation to the user in order to optimize the User Experience 27 (UX). 29 This rating system is most beneficial to Opportunistic Security 30 scenarios and is already implemented in several applications of 31 pretty Easy privacy (pEp). 33 Status of This Memo 35 This Internet-Draft is submitted in full conformance with the 36 provisions of BCP 78 and BCP 79. 38 Internet-Drafts are working documents of the Internet Engineering 39 Task Force (IETF). Note that other groups may also distribute 40 working documents as Internet-Drafts. The list of current Internet- 41 Drafts is at https://datatracker.ietf.org/drafts/current/. 43 Internet-Drafts are draft documents valid for a maximum of six months 44 and may be updated, replaced, or obsoleted by other documents at any 45 time. It is inappropriate to use Internet-Drafts as reference 46 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on July 11, 2020. 50 Copyright Notice 52 Copyright (c) 2020 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 69 1.2. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 4 70 2. Per-Message Privacy Rating . . . . . . . . . . . . . . . . . 5 71 2.1. Rating Codes . . . . . . . . . . . . . . . . . . . . . . 5 72 2.2. Color Codes . . . . . . . . . . . . . . . . . . . . . . . 5 73 2.3. Surjective Mapping of Rating Codes into Color Codes . . . 6 74 2.4. Semantics of Color and Rating Codes . . . . . . . . . . . 6 75 2.4.1. Red . . . . . . . . . . . . . . . . . . . . . . . . . 6 76 2.4.2. No Color . . . . . . . . . . . . . . . . . . . . . . 7 77 2.4.3. Yellow . . . . . . . . . . . . . . . . . . . . . . . 7 78 2.4.4. Green . . . . . . . . . . . . . . . . . . . . . . . . 7 79 3. Per-Identity Privacy Rating . . . . . . . . . . . . . . . . . 8 80 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 81 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 8 82 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 83 7. Implementation Status . . . . . . . . . . . . . . . . . . . . 8 84 7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 9 85 7.2. Current software implementing pEp . . . . . . . . . . . . 9 86 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 87 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 88 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 89 9.2. Informative References . . . . . . . . . . . . . . . . . 10 90 Appendix A. Excerpts from the pEp Reference Implementation . . . 11 91 A.1. pEp rating . . . . . . . . . . . . . . . . . . . . . . . 11 92 Appendix B. Document Changelog . . . . . . . . . . . . . . . . . 12 93 Appendix C. Open Issues . . . . . . . . . . . . . . . . . . . . 12 94 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 96 1. Introduction 98 In many Opportunistic Security [RFC7435] scenarios end-to-end 99 encryption is automatized for Internet users. In addition, it is 100 often required to provide the users with easy means to carry out 101 authentication. 103 Depending on several factors, each communication channel to different 104 identities may have a different Privacy Status, e.g. 106 o unreliable 108 o encrypted 110 o encrypted and authenticated 112 o mistrusted 114 Even each message from or to a single peer may have a different 115 Privacy Status. 117 To display the actual Privacy Status to the user, this document 118 defines a Privacy Rating scheme and its mapping to a traffic-light 119 semantics, i.e., a mapping to different color codes as used in a 120 traffic-light: 122 o red 124 o yellow 126 o green 128 o no color (or gray) 130 Note: While "yellow" color is used in the context of traffic-lights 131 (e.g., in North America), in other parts of the world (e.g., the UK) 132 this is generally referred to as "orange" or "amber" lights. For the 133 scope of this document, "yellow", "amber", and "orange" refer to the 134 same semantics. 136 A Privacy Status is defined on a per-message basis as well as on a 137 per-identity basis. The traffic-light semantics (as color rating) 138 allows for a clear and easily understandable presentation to the user 139 in order to optimize the User Experience (UX). To serve also 140 (color-)blind Internet users or those using monochrome displays, the 141 traffic light color semantics may also be presented by simple texts 142 and symbols for signaling the corresponding Privacy Status. 144 The proposed definitions are already implemented and used in 145 applications of pretty Easy privacy (pEp) [I-D.birk-pep]. This 146 document is targeted to applications based on the pEp framework and 147 Opportunistic Security [RFC7435]. However, it may be also used in 148 other applications as suitable. 150 Note: The pEp [I-D.birk-pep] framework proposes to automatize the use 151 of end-to-end encryption for Internet users of email and other 152 messaging applications and introduces methods to easily allow 153 authentication. 155 1.1. Requirements Language 157 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 158 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 159 document are to be interpreted as described in [RFC2119]. 161 1.2. Terms 163 The following terms are defined for the scope of this document: 165 o pEp Handshake: The process of one user contacting another over an 166 independent channel in order to verify Trustwords (or fingerprints 167 as a fallback). This can be done in-person or through established 168 verbal communication channels, like a phone call. 169 [I-D.marques-pep-handshake] 171 o Trustwords: A scalar-to-word representation of 16-bit numbers (0 172 to 65535) to natural language words. When doing a Handshake, 173 peers are shown combined Trustwords of both public keys involved 174 to ease the comparison. [I-D.birk-pep-trustwords] 176 o Trust On First Use (TOFU): cf. [RFC7435], which states: "In a 177 protocol, TOFU calls for accepting and storing a public key or 178 credential associated with an asserted identity, without 179 authenticating that assertion. Subsequent communication that is 180 authenticated using the cached key or credential is secure against 181 an MiTM attack, if such an attack did not succeed during the 182 vulnerable initial communication." 184 o Man-in-the-middle (MITM) attack: cf. [RFC4949], which states: "A 185 form of active wiretapping attack in which the attacker intercepts 186 and selectively modifies communicated data to masquerade as one or 187 more of the entities involved in a communication association." 189 2. Per-Message Privacy Rating 191 2.1. Rating Codes 193 To rate messages (cf. also Appendix A.1), the following 13 Rating 194 codes are defined as scalar values (decimal): 196 +-------------+------------------------+ 197 | Rating code | Rating label | 198 +-------------+------------------------+ 199 | -3 | under attack | 200 | | | 201 | -2 | broken | 202 | | | 203 | -1 | mistrust | 204 | | | 205 | 0 | undefined | 206 | | | 207 | 1 | cannot decrypt | 208 | | | 209 | 2 | have no key | 210 | | | 211 | 3 | unencrypted | 212 | | | 213 | 4 | unencrypted for some | 214 | | | 215 | 5 | unreliable | 216 | | | 217 | 6 | reliable | 218 | | | 219 | 7 | trusted | 220 | | | 221 | 8 | trusted and anonymized | 222 | | | 223 | 9 | fully anonymous | 224 +-------------+------------------------+ 226 2.2. Color Codes 228 For an Internet user to understand what the available Privacy Status 229 is, the following colors (traffic-light semantics) are defined: 231 +------------+-------------+ 232 | Color code | Color label | 233 +------------+-------------+ 234 | -1 | red | 235 | | | 236 | 0 | no color | 237 | | | 238 | 1 | yellow | 239 | | | 240 | 2 | green | 241 +------------+-------------+ 243 2.3. Surjective Mapping of Rating Codes into Color Codes 245 Corresponding User Experience (UX) implementations use a surjective 246 mapping of the Rating Codes into the Color Codes (in traffic light 247 semantics) as follows: 249 +--------------+------------+-------------+ 250 | Rating codes | Color code | Color label | 251 +--------------+------------+-------------+ 252 | -3 to -1 | -1 | red | 253 | | | | 254 | 0 to 5 | 0 | no color | 255 | | | | 256 | 6 | 1 | yellow | 257 | | | | 258 | 7 to 9 | 2 | green | 259 +--------------+------------+-------------+ 261 This mapping is used in current pEp implementations to signal the 262 Privacy Status (cf. Section 7.2). 264 2.4. Semantics of Color and Rating Codes 266 2.4.1. Red 268 The red color MUST only be used in three cases: 270 o Rating code -3: A man-in-the-middle (MITM) attack could be 271 detected. 273 o Rating code -2: The message was tempered with. 275 o Rating code -1: The user explicitly states he mistrusts a peer, 276 e.g., because a Handshake [I-D.marques-pep-handshake] mismatched 277 or when the user learns the communication partner was attacked and 278 might have gotten the corresponding secret key leaked. 280 2.4.2. No Color 282 No specific (or a gray color) MUST be shown in the following cases: 284 o Rating code 0: A message can be rendered, but the encryption 285 status is not clear, i.e., undefined 287 o Rating code 1: A message cannot be decrypted (because of an error 288 not covered by rating code 2 below). 290 o Rating code 2: No key is available to decrypt a message (because 291 it was encrypted with a public key for which no secret key could 292 be found). 294 o Rating code 3: A message is received or sent out unencrypted 295 (because it was received unencrypted or there's no public key to 296 encrypt a message to a recipient). 298 o Rating code 4: A message is sent out unencrypted for some of the 299 recipients of a group (because there's at least one recipient in 300 the group whose public key is not available to the sender). 302 o Rating code 5: A message is encrypted, but cryptographic 303 parameters (e.g., the cryptographic method employed or key length) 304 are insufficient. 306 2.4.3. Yellow 308 o Rating code 6: Whenever a message can be encrypted or decrypted 309 with sufficient cryptographic parameters, it's considered 310 reliable. It is mapped into the yellow color code. 312 2.4.4. Green 314 o Rating code 7: A message is mapped into the green color code only 315 if a pEp handshake [I-D.marques-pep-handshake] was successfully 316 carried out. 318 By consequence that means, that the pEp propositions don't strictly 319 follow the TOFU (cf. [RFC7435]) approach, in order to avoid 320 signaling trust without peers verifying their channel first. 322 In current pEp implementations (cf. Section 7) only rating code 7 is 323 achieved. 325 The rating codes 8 and 9 are reserved for future use in pEp 326 implementations which also secure meta-data (rating code 8), by using 327 a peer-to-peer framework like GNUnet [GNUnet], and/or allow for fully 328 anonymous communications (rating code 9), where sender and receiver 329 don't know each other, but trust between the endpoints could be 330 established nevertheless. 332 3. Per-Identity Privacy Rating 334 The same Color Codes (red, no color, yellow and green) as for 335 messages (cf. Section 2.2) MUST be applied for identities (peers), 336 so that a user can easily understand, which identities private 337 communication is possible with. 339 The green color code MUST be applied to an identity whom the pEp 340 handshake [I-D.marques-pep-handshake] was successfully carried out 341 with. 343 The yellow color code MUST be set whenever a public key could be 344 obtained to securely encrypt messages to an identity, although a MITM 345 attack cannot be excluded. 347 The no color code MUST be used for the case that no public key is 348 available to engage in private communications with an identity. 350 The red color code MUST only be used when an identity is marked as 351 mistrusted. 353 [[ It's not yet clear if there are proper cases where it makes sense 354 to set an identity automatically to the red color code, as it appears 355 to be difficult to detect attacks (e.g., secret key leakage) at the 356 other endpoint with certainty. ]] 358 4. Security Considerations 360 [[ TODO ]] 362 5. Privacy Considerations 364 [[ TODO ]] 366 6. IANA Considerations 368 This document has no actions for IANA. 370 7. Implementation Status 371 7.1. Introduction 373 This section records the status of known implementations of the 374 protocol defined by this specification at the time of posting of this 375 Internet-Draft, and is based on a proposal described in [RFC7942]. 376 The description of implementations in this section is intended to 377 assist the IETF in its decision processes in progressing drafts to 378 RFCs. Please note that the listing of any individual implementation 379 here does not imply endorsement by the IETF. Furthermore, no effort 380 has been spent to verify the information presented here that was 381 supplied by IETF contributors. This is not intended as, and must not 382 be construed to be, a catalog of available implementations or their 383 features. Readers are advised to note that other implementations may 384 exist. 386 According to [RFC7942], "[...] this will allow reviewers and working 387 groups to assign due consideration to documents that have the benefit 388 of running code, which may serve as evidence of valuable 389 experimentation and feedback that have made the implemented protocols 390 more mature. It is up to the individual working groups to use this 391 information as they see fit." 393 7.2. Current software implementing pEp 395 The following software implementing the pEp protocols (to varying 396 degrees) already exists: 398 o pEp for Outlook as add-on for Microsoft Outlook, release 399 [SRC.pepforoutlook] 401 o pEp for Android (based on a fork of the K9 MUA), release 402 [SRC.pepforandroid] 404 o Enigmail/pEp as add-on for Mozilla Thunderbird, release 405 [SRC.enigmailpep] 407 o pEp for iOS (implemented in a new MUA), beta [SRC.pepforios] 409 pEp for Android, iOS and Outlook are provided by pEp Security, a 410 commercial entity specializing in end-user software implementing pEp 411 while Enigmail/pEp is pursued as community project, supported by the 412 pEp Foundation. 414 All software is available as Free Software and published also in 415 source form. 417 8. Acknowledgements 419 The authors would like to thank the following people who have 420 provided feedback or significant contributions to the development of 421 this document: Leon Schumacher and Volker Birk 423 This work was initially created by pEp Foundation, and then reviewed 424 and extended with funding by the Internet Society's Beyond the Net 425 Programme on standardizing pEp. [ISOC.bnet] 427 9. References 429 9.1. Normative References 431 [I-D.birk-pep] 432 Birk, V., Marques, H., and B. Hoeneisen, "pretty Easy 433 privacy (pEp): Privacy by Default", draft-birk-pep-05 434 (work in progress), November 2019. 436 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 437 Requirement Levels", BCP 14, RFC 2119, 438 DOI 10.17487/RFC2119, March 1997, 439 . 441 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", 442 FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, 443 . 445 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 446 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 447 December 2014, . 449 9.2. Informative References 451 [GNUnet] Grothoff, C., "The GNUnet System", October 2017, 452 . 454 [I-D.birk-pep-trustwords] 455 Hoeneisen, B. and H. Marques, "IANA Registration of 456 Trustword Lists: Guide, Template and IANA Considerations", 457 draft-birk-pep-trustwords-04 (work in progress), July 458 2019. 460 [I-D.marques-pep-handshake] 461 Marques, H. and B. Hoeneisen, "pretty Easy privacy (pEp): 462 Contact and Channel Authentication through Handshake", 463 draft-marques-pep-handshake-03 (work in progress), July 464 2019. 466 [ISOC.bnet] 467 Simao, I., "Beyond the Net. 12 Innovative Projects 468 Selected for Beyond the Net Funding. Implementing Privacy 469 via Mass Encryption: Standardizing pretty Easy privacy's 470 protocols", June 2017, . 474 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 475 Code: The Implementation Status Section", BCP 205, 476 RFC 7942, DOI 10.17487/RFC7942, July 2016, 477 . 479 [SRC.enigmailpep] 480 "Source code for Enigmail/pEp", July 2019, 481 . 483 [SRC.pepforandroid] 484 "Source code for pEp for Android", July 2019, 485 . 487 [SRC.pepforios] 488 "Source code for pEp for iOS", July 2019, 489 . 491 [SRC.pepforoutlook] 492 "Source code for pEp for Outlook", July 2019, 493 . 495 Appendix A. Excerpts from the pEp Reference Implementation 497 This section provides excerpts of the running code from the pEp 498 reference implementation pEp engine (C99 programming language). 500 A.1. pEp rating 502 From the reference implementation by the pEp foundation, src/ 503 message_api.h: 505 typedef enum _PEP_rating { 506 PEP_rating_undefined = 0, 507 PEP_rating_cannot_decrypt, 508 PEP_rating_have_no_key, 509 PEP_rating_unencrypted, 510 PEP_rating_unencrypted_for_some, 511 PEP_rating_unreliable, 512 PEP_rating_reliable, 513 PEP_rating_trusted, 514 PEP_rating_trusted_and_anonymized, 515 PEP_rating_fully_anonymous, 517 PEP_rating_mistrust = -1, 518 PEP_rating_b0rken = -2, 519 PEP_rating_under_attack = -3 520 } PEP_rating; 522 Appendix B. Document Changelog 524 [[ RFC Editor: This section is to be removed before publication ]] 526 o draft-marques-pep-rating-03: 528 * Updates terms and references; other minor changes 530 o draft-marques-pep-rating-02: 532 * Add Privacy and IANA Considerations sections 534 * Updated Terms 536 o draft-marques-pep-rating-01: 538 * Update references 540 * Minor edits 542 o draft-marques-pep-rating-00: 544 * Initial version 546 Appendix C. Open Issues 548 [[ RFC Editor: This section should be empty and is to be removed 549 before publication ]] 551 o Better explain usage of Color Codes in Per-Identity Privacy Rating 552 o Decide whether rating code scalars 6 and 7-9 should be raised to 553 leave space for future extensions 555 o Add Security Considerations 557 o Add more source code excerpts to Appendix 559 o Add rating codes for secure cryptographic methods and parameters 560 and reference them 562 Authors' Addresses 564 Hernani Marques 565 pEp Foundation 566 Oberer Graben 4 567 CH-8400 Winterthur 568 Switzerland 570 Email: hernani.marques@pep.foundation 571 URI: https://pep.foundation/ 573 Bernie Hoeneisen 574 pEp Foundation 575 Oberer Graben 4 576 CH-8400 Winterthur 577 Switzerland 579 Email: bernie.hoeneisen@pep.foundation 580 URI: https://pep.foundation/