Guidance for Implementers of Autocrypt Level 0¶
This document describes the basic capabilities required for a MUA to be Autocrypt-capable at Level 0. Some Autocrypt-capable clients may choose to go beyond these features, and future Levels of Autocrypt may require more specific control.
Throughout this document, we refer to a Mail User Agent (MUA) as though it was only capable of controlling a single e-mail account. A MUA that is capable of connecting to multiple e-mail accounts should have a separate Autocrypt state for each e-mail account it has access to.
Contents
- Guidance for Implementers of Autocrypt Level 0
- Requirements on MUA/E-mail Provider interactions
- Secret key generation and storage
- Claiming the Account
- Header injection in outbound mail
- Deriving a Parsed Autocrypt Header from a Message
- Internal state storage
- Updating internal state upon message receipt
- Provide a recommendation for message encryption
- Encrypt outbound mail as requested
- Specific User Interface Elements
Requirements on MUA/E-mail Provider interactions¶
Autocrypt tries to impose minimal requirements on how MUAs and e-mail services interact. We assume that an Autocrypt-capable MUA has credentials and capabilities to perform these network services:
- The ability to send e-mail (e.g. via SMTP or Submission) where the MUA can control the entire message being sent, including both message headers and message body.
- The ability to receive e-mail where the MUA gets access to the entire message being received, including both message headers and message body.
- Access to a special (IMAP) Shared Message Archive (SMA) folder which can be accessed by all MUAs of a user’s devices to co-ordinate between them. In Level 0 this is only used for ensuring that only one MUA has Autocrypt enabled for an e-mail account at once.
If a particular e-mail account does not expose these features (e.g. if it only exposes a javascript-driven web interface for message composition that does not allow setting of e-mail headers, or if it only offers POP access to the incoming mail) then the e-mail account cannot be used with Autocrypt. An Autocrypt-capable MUA may still access and control the account, but it will not be able to enable Autocrypt on it.
Todo
Discuss with webmail developers how to work with, refine the interactions.
Secret key generation and storage¶
The MUA MUST be capable of generating and storing two RSA 2048-bit secret keys, one for signing and self-certification and the other for decrypting. It MUST be capable of assembling these keys into an OpenPGP certificate (RFC 4880 “Transferable Public Key”) that indicates these capabilities.
These secret keys MUST be protected from access by other applications or co-tenants of the device at least as well as the passwords the MUA retains for the user’s IMAP or SMTP accounts. These secret keys MUST never be sent over the wire to any other party.
When an Autocrypt-enabled MUA configures an e-mail account, it should generate these keys and store them locally. Then it should proceed to try to “claim” the account to lock out other MUAs of the same users. In Level 0 only one MUA can send and receive encrypted mail through Autocrypt mechanisms.
Claiming the Account¶
Only one Level 0 MUA can have Autocrypt enabled for a given account at a time. The Autocrypt-enabled MUA “claims” the account so that others disable their Autocrypt features.
The Shared Mail Archive MUST contain a named location mechanism that all other Autocrypt clients can see. For example, an IMAP mailbox would have a named folder. Autocrypt uses the special name _autocrypt_sma to store “claim” announcements.
The MUA looks in the special location for a message whose form matches the standard claim announcement and is valid. If such a message is present, the MUA disables its Autocrypt features for this account.
If the special location does not exist, or it exists, but there are no valid claim announcements in it, the MUA crafts its own claim announcement and places it in the special location.
Todo
- Document the claim announcement format
- Clarify concerns about race conditions, case-sensitivity, etc.
Header injection in outbound mail¶
During message composition where the message will be marked as
From:
an e-mail address that the Autocrypt-capable agent knows the
secret key material for, it should always include an Autocrypt header
with the associated public key material as the key=
attribute, and
it should include the to=
attribute for recipients to match
on. The most minimal Level 0 MUA will only include these two
attributes.
If the From:
address changes during message composition (e.g. if
the user selects a different outbound identity, the Autocrypt-capable
client MUST change the Autocrypt:
header.
See “Happy path” example: 1:1 communication for examples of outbound headers and the following sections for header format definitions and parsing.
Deriving a Parsed Autocrypt Header from a Message¶
The Autocrypt:
header MUST have the following format:
Autocrypt: to=a@b.example.org; [type=(p|_*);] [prefer-encrypted=(yes|no);] key=BASE64
Where the value of key
includes a Base64 representation of a
minimal key. For now we only support p
as the type, which
represents a specific subset of OpenPGP (see the the next section).
key
MUST be the last attribute.
prefer-encrypted
indicates that agents should default to
encrypting when composing e-mails to this recipient.
If prefer-encrypted
is not set,
the value of prefer-encrypted
is nopreference
.
If prefer-encrypted
is set, but neither yes
nor no
,
the MUA must skip the header as invalid.
Additional attributes unspecified here are also possible before the
key
attribute. If a MUA encounters an unknown attribute, if the
attribute name starts with an underscore (_
), this is a
“non-critical” attribute. The MUA MUST ignore the non-critical
attribute and continue parsing the header. If the unknown attribute
name does not start with an underscore, it is a “critical”
attribute, and the MUA must skip the header as invalid.
If a Level 0 MUA encounters an otherwise-valid header which has
type
set to something other than p
it MUST skip the header as
invalid.
When parsing an incoming message, a Level 0 MUA MUST examine all
headers with the name Autocrypt:
and collect all valid headers in a
list. If the list of valid headers has more than one entry, it should
be treated as 0 valid headers (that is, it should return null
).
type=p
: OpenPGP Based key data¶
For maximum interoperability and sanity a certificate sent by an Autocrypt-enabled Level 0 MUA MUST send an OpenPGP “Transferable Public Key” (see RFC 4880 §11.1) containing exactly these five OpenPGP packets:
- a primary key
Kp
- a uid that SHOULD be set to the e-mail address of the account
- a self signature
- an encryption-capable subkey
Ke
- a binding signature over
Ke
byKp
These packets should be assembled in binary format (not ASCII-armored), and then base64-encoded. During interpretation, whitespace should be stripped before base64-decoding.
A Level 0 MUA MUST be capable of processing and handling 2048-bit RSA
keys. It SHOULD be capable of handling Curve 25519 keys (ed25519 for
Kp
and cv25519 for Ke
), but some underlying toolkits may not
yet support Curve 25519.
Internal state storage¶
Note
You should be familiar with “Happy path” example: 1:1 communication before reading the following.
If a remote peer disables Autocrypt or drops back to using a non-Autocrypt MUA only we must be able to disable sending encrypted mails to this peer automatically. MUAs capable of Autocrypt level 0 therefore MUST store state about the capabilities of their remote peers.
Agents MAY also store additional information gathered for heuristic purposes, or for other cryptographic schemes. However, in order to support future syncing of Autocrypt state between agents, it is critical that Autocrypt-capable agents maintain the state specified here.
Conceptually, we represent this state as a table named
autocrypt_peer_state
indexed by the peer’s canonicalized
e-mail address and key type. In level 0,
there is only one type, p
, so level 0 agents can implement this by
indexing only the peer’s e-mail address.
For each e-mail and type, an Agent MUST store the following attributes:
pah
: Parsed Autocrypt header, which could benull
changed
: UTC Timestamp whenpah
was last changedlast_seen
: Most recent UTC time thatpah
was confirmed
Autocrypt-compatible agents SHOULD track and store in
autocrypt_peer_state
a parsed interpretation pah
, which is not
necessarily the literal header emitted (for the literal header, see
next section). The pah
MUST contain the following fields:
key
– the raw key material, after base64 decodingprefer_encrypted
– a tri-state:nopreference
,yes
, orno
Updating internal state upon message receipt¶
When first encountering an incoming e-mail M
from an e-mail address A
,
the MUA should follow the following autocrypt_update
algorithm:
- Set a local
message_date
to theDate:
header ofM
.- If
message_date
is in the future, setmessage_date
to the current time.
Todo
This implies that Autocrypt clients keep track of whether they have
encountered a given message before, but does not provide them with
guidance on how to do so. Message-ID? Digest of full message
body? The consequences of re-triggering the message receipt
process should only matter for messages that are erroneously marked
with a future date. Another approach that would not require keeping
track of the message would be to simply ignore messages whose
`Date:
header is in the future.
Set a local
message_pah
to be theAutocrypt:
header inM
. This is either a single Parsed Autocrypt header, ornull
.If
message_pah
isnull
, and the MUA knows about additional OpenPGP keys, then we replacemessage_pah
with asynthesized_pah
generated from the message itself:
- If the message is not cryptographically signed, or there is an unverifiable or invalid message signature,
synthesized_pah
isnull
.- Alternately, the message is cryptographically signed, and the signature is verified and comes from a known OpenPGP certificate
K
: IfK
is not encryption-capable (i.e. if the primary key has no encryption-capabilities marked, and no valid subkeys are encryption-capable), or if K does not have an OpenPGP User ID which contains the e-mail address in the message’sFrom:
, thensynthesized_pah
is alsonull
. Otherwise, with an encryption-capableK
, thekey
element ofsynthesized_pah
is set toK
. In this case, theprefer_encrypted
element ofsynthesized_pah
is set based on whether the message is also encrypted in addition to being signed. If the message is encrypted, thenprefer_encrypted
is set toyes
. If it is not encrypted, thenprefer_encrypted
is set tonopreference
.Note
We do not synthesize the Autocrypt header from any
application/pgp-keys
message parts. This is because it’s possible that an attached OpenPGP key is not intended to be the sender’s OpenPGP key. For example, Alice might send Bob Carol’s OpenPGP key in an attachment, but Bob should not interpret it as Carol’s key.
Todo
Maybe move synthesized_pah
into Interoperability With Other Cryptographic E-mail Mechanisms ?
Note: The agent continues this message receipt process even when
message_pah
isnull
, since updating the stored state withnull
is sometimes the correct action.Next, the agent compares the
message_pah
with thepah
stored inautocrypt_peer_state[A]
.If
autocrypt_peer_state
has no record at all for addressA
, the MUA setsautocrypt_peer_state[A]
such thatpah
ismessage_pah
andchanged
andlast_seen
are bothmessage_date
, and then terminates this receipt process.If
autocrypt_peer_state[A]
haslast_seen
greater than or equal tomessage_date
, then the agent storesmessage_pah
and terminates this receipt process, since it already knows about something more recent. For example, this might be if mail is delivered out of order, or if an inbox is scanned from newest to oldest.If
autocrypt_peer_state[A]
has alast_seen
less thanmessage_date
, then we comparemessage_pah
with thepah
currently stored inautocrypt_peer_state[A]
.This is done as a literal comparison using only the
key
andprefer_encrypt
fields, even if the Agent stores additional fields as an augmentation, as follows:
- If
key
is bytewise different, or ifprefer_encrypted
has a different value, then this is an update.- If
key
andprefer_encrypted
match exactly, then it is considered a match.- If both
pah
andmessage_pah
arenull
, it is a match.- If one is
null
and the other is notnull
, it is a update.In the case of a match, set
autocrypt_peer_state[A].last_seen
tomessage_date
.In the case of an update, set
autocrypt_peer_state[A].pah
tomessage_pah
andautocrypt_peer_state[A].last_seen
andautocrypt_peer_state[A].changed
tomessage_date
.
Note
The above algorithm results in a non-deterministic
autocrypt_peer_state
if two Autocrypt headers are processed
using the same message_date
(depending on which message is
encountered first). For consistency and predictability across
implementations, it would be better to have a strict ordering
between parsed Autocrypt headers, and to always select the lower
header in case of equal values of message_date
.
Note
OpenPGP’s composable certificate format suggests that there could
be alternate ways to compare key
values besides strict bytewise
comparison. For example, this could be done by comparing only the
fingerprint of the OpenPGP primary key instead of the keydata.
However, this would miss updates of the encryption-capable subkey,
or updates to the capabilities advertised in the OpenPGP
self-signature. Alternately, the message receipt process could
incorporate fancier date comparisons by integrating the timestamps
within the OpenPGP messages during the date comparison step. For
simplicity and ease of implementation, level 0 Autocrypt-capable
agents are expected to avoid these approaches and to do full
bytestring comparisons of key
data instead.
Todo
the spec currently doesn’t say how to integrate Autocrypt processing on message receipt with spam filtering. Should we say something about not doing Autocrypt processing on message receipt if the message is believed to be spam?
Provide a recommendation for message encryption¶
On message composition, an Autocrypt-capable agent also has an opportunity to decide whether to try to encrypt an e-mail. Autocrypt aims to provide a reasonable recommendation for the agent.
Any Autocrypt-capable agent may have other means for making this decision outside of Autocrypt (see Interoperability With Other Cryptographic E-mail Mechanisms). Autocrypt provides a recommendation to this process, but there is no requirement for Autocrypt-capable agents to always follow the Autocrypt recommendation.
That said, all Autocrypt-capable agents should be able to calculate the same Autocrypt recommendation due to their internal state.
The Autocrypt recommendation depends on the list of recipient addresses for the message being composed. When the user edits the list of recipients, the recommendation may change. The MUA should reflect this change.
Note
It’s possible that the user manually overriddes the Autocrypt recommendation and then edits the list of recipients. The MUA SHOULD retain the user’s manual choices for a given message even if the Autcrypt recommendation changes.
Todo
Discuss how to deal with the case where the user manually selects encryption and subsequently adds a recipient whom the MUA has no key.
Autocrypt can produce three possible recommendations to the agent during message composition:
disable
: Disable or hide any UI that would allow the user to choose to encrypt the message. Prepare the message in cleartext.available
: Enable UI that would allow the user to choose to encrypt the message, but do not default to encryption. Prepare the message in cleartext.encrypt
: Enable UI that would allow the user to choose to send the message in cleartext, and default to encryption. Prepare the message as an encrypted message.
Todo
The Autocrypt recommendation should probably change depending on whether the mail is a reply to an encrypted e-mail or not.
Recommendations for single-recipient messages¶
For level 0 MUAs, the Autocrypt recommendation for message composed to
a single recipient with e-mail address A
is derived from the value
stored in autocrypt_peer_state[A]
.
If the pah
is null
, or if pah.key
is known to be unusable
for encryption (e.g. it is otherwise known to be revoked or expired),
then the recommendation is disable
.
If the pah
is not null
, and prefer-encrypted
is yes
,
then the recommendation is encrypt
.
If pah
is not null
, and prefer-encrypted
is either no
or nopreference
, then the recommendation is available
.
Recommendations for messages to multiple addresses¶
For level 0 agents, the Autocrypt recommendation for a message composed to multiple recipients is derived from the recommendations for each recipient individually.
If any recipient has a recommendation of disable
then the message
recommendation is disable
.
If every recipient other than “myself” (the e-mail address that the
message is From:
) has a recommendation of encrypt
then the
message recommendation is encrypt
.
Otherwise, the message recommendation is available
.
Encrypt outbound mail as requested¶
As the user composes mail, in some circumstances, the MUA may be
instructed by the user to encrypt the message. If the recipient’s
keys are all of type=p
, and the sender has keys for all recipients
(as well as themselves), they should construct the encrypted message
as a PGP/MIME (RFC 3156) encrypted+signed message, encrypted to all
recipients and the public key whose secret is controlled by the MUA
itself.
For messages that are going to be encrypted when sent, the MUA MUST NOT leak the cleartext of drafts or other partially-composed messages to the SMA (e.g. in the “Drafts” folder).
If there is any chance that the message could be encrypted, the MUA SHOULD encrypt drafts only to itself before storing in any Drafts folder on the SMA.
Specific User Interface Elements¶
Ideally, Autocrypt users see very little UI. They might never see any UI at all by default. However, some UI is inevitable, even if only tucked away in an arcane “preferences pane” or something.
Account Preferences¶
Level 0 MUAs MUST allow the user to disable Autocrypt completely for each account they control.
If Autocrypt is enabled for a given account, the MUA MUST allow the user to specify whether they explicitly prefer encryption for inbound messages, or explicitly prefer cleartext for inbound messages, or choose to express no preference. The default SHOULD be “no preference” unless the MUA has good reason to know better.
Please see Example User Interface for Autocrypt for specific examples of how this might look.
Message Composition¶
If an MUA is willing to compose encrypted mail, it SHOULD include some UI mechanism at message composition time for the user to choose an encrypted message or cleartext. This may be as simple as a single checkbox.
If the Autocrypt recommendation is disable
for a given message,
the MUA MAY choose to avoid exposing this UI during message
composition at all.
If the Autocrypt recommendation is either available
or
encrypt
, the MUA SHOULD expose this UI during message composition
to allow the user to make a different decision.