Re: [Acme] Last Call: <draft-ietf-acme-email-smime-08.txt> (Extensions to Automatic Certificate Management Environment for end user S/MIME certificates) to Proposed Standard

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 26 June 2020 09:14 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADED63A1210; Fri, 26 Jun 2020 02:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxOkMR3_fQz8; Fri, 26 Jun 2020 02:14:57 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id 082C63A120F; Fri, 26 Jun 2020 02:14:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1593162896; d=isode.com; s=june2016; i=@isode.com; bh=BhoqsdUYFOcZ0id1B+B1LJZX9rv8aVtzjmHAmHnRVc8=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=GfvfauR/C3T3yeY9qh2/rd13UM0BrZVko0SWDu6Y7iroeu7F8c0JR/9Sdx3y4FItbOVHkr aRnmScX744zAOn2PtaZ3kc2ErJYFO73EA71vtVrTZxzk5DMPsuvgRv9ol5yvW3VR9HEHw1 pPjD8VxhstIQZ5zDnyuxoviQFk/wdm0=;
Received: from [172.27.252.104] (connect.isode.net [172.20.0.72]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <XvW8jwBLOaHR@statler.isode.com>; Fri, 26 Jun 2020 10:14:55 +0100
To: S Moonesamy <sm+ietf@elandsys.com>
Cc: rdd@cert.org, acme@ietf.org, draft-ietf-acme-email-smime@ietf.org, acme-chairs@ietf.org
References: <159311144759.26518.18413097757444174694@ietfa.amsl.com> <6.2.5.6.2.20200625123422.0ee35bb8@elandnews.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <a2458424-3929-5dc1-8c8c-a6bb424b0440@isode.com>
Date: Fri, 26 Jun 2020 10:14:33 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
In-Reply-To: <6.2.5.6.2.20200625123422.0ee35bb8@elandnews.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/CBGjPsv7wlt_76AzPWQTHn-HuH0>
Subject: Re: [Acme] Last Call: <draft-ietf-acme-email-smime-08.txt> (Extensions to Automatic Certificate Management Environment for end user S/MIME certificates) to Proposed Standard
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 09:14:59 -0000

Hi SM,

On 25/06/2020 20:56, S Moonesamy wrote:
> Hi Alexey,
> At 11:57 AM 25-06-2020, The IESG wrote:
>> The IESG has received a request from the Automated Certificate 
>> Management
>> Environment WG (acme) to consider the following document: - 
>> 'Extensions to
>> Automatic Certificate Management Environment for end
>>    user S/MIME certificates'
>>   <draft-ietf-acme-email-smime-08.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits 
>> final
>> comments on this action. Please send substantive comments to the
>
> In Section 3.1, there is the following in Point 3 and 5: "The message 
> MAY contain Reply-To header field."  Is the duplication a mistake?
Yes, cut & paste error.
> Point 6 states that its purpose is to "prove authenticity of a 
> challenge message".  How does DKIM prove authenticity [1]?
See my other reply.
> Why is there a requirement that the message has to pass DMARC validation?
Because this is the best mail indistry has to offer to prevent message 
spoofing.
>   Has forwarding been taken into account [2]?

I don't think my proposal is inteded to work with mailing list 
forwarding. This sounds pretty dangerous and defeats the prescribed 
recipient email validation check. Maybe the document should say 
something about this.

If you are thinking about recipient end alias-type forwarding, then I 
can add some text that validation has to happen before forwarding, but 
this ACME mechanism might still break if the From header field email 
address of the response message doesn't match the email address used to 
request the certificate for.

Best Regards,

Alexey

>
> Regards,
> S. Moonesamy
>
> 1. Please see Section 5.4 of RFC 6376.
> 2. That does not work well with SPF.
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme