Re: [Acme] Last Call: <draft-ietf-acme-email-smime-08.txt> (Extensions to Automatic Certificate Mana

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 26 June 2020 09:05 UTC

To: Sebastian Nielsen <sebastian@sebbe.eu>, 'S Moonesamy' <sm+ietf@elandsys.com>
Cc: rdd@cert.org, acme@ietf.org, draft-ietf-acme-email-smime@ietf.org, acme-chairs@ietf.org
References: <159311144759.26518.18413097757444174694@ietfa.amsl.com> <6.2.5.6.2.20200625123422.0ee35bb8@elandnews.com> <005801d64b39$472da0c0$d588e240$@sebbe.eu>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <19f26447-af28-c2be-3ae6-7516e0503832@isode.com>
Date: Fri, 26 Jun 2020 10:05:00 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/P5Un8YpMf39cWepL7XOTI5uRZ8o>

On 25/06/2020 22:40, Sebastian Nielsen wrote:

> 1: Of course DKIM can be used to validate the authenticity of the email such
> as it has been sent from the specified domain.

Right. And the list of header fields to sign in case DKIM is used 
protects the most important header fields, which must not be tampered with.

> 2: Validation response messages should NOT be forwarded! Normally, you would
> send a response message like from sebastian@sebbe.eu to
> certvalidate@ca.example.org
> Of course, if ca.example.org is in full control of all email servers, they
> can easily do the validation at the leaf server ca.example.org, and then
> forward the email message to an internal server for SMIME issuance, for
> example by adding an encrypted and signed header with the validation, or
> communicating out-of-band - for example with a MySQL server - that the
> message X is properly SPF and DKIM validated.
>
> The type of forwarding SPF doesn't work with would be if
> certvalidate@ca.example.org was forwarded to, let's say,
> suspicious.ca@gmail.com; then if I send a validation response to
> certvalidate@ca.example.org from sebastian@sebbe.eu, validation would fail
> @ GMAIL when they receive the message from ca.example.org, which is a server
> not on my authorization list.
>
> And a CA running an email server that forwards to a server they are not in
> full control of is a HUGE security risk for SMIME issuance - unless they
> have proper agreements in place - for example a subCA that forwards their
> validations to the main CA, but still wants a "branded" email address for
> their ACME validations - but then their agreements could easily include that
> the subCA should do the validations at the leaf server, and then add
> information to the email that allows the main CA to see that SPF and DKIM
> were properly validated.
> Or include the client IP in the message, signed securely, so the main CA can
> validate SPF.

I basically agree with this.


> -----Original Message-----
> From: acme-bounces@ietf.org <acme-bounces@ietf.org> On Behalf Of S Moonesamy
> Sent: 25 June 2020 21:59
> To: Alexey Melnikov <alexey.melnikov@isode.com>
> Cc: rdd@cert.org; acme@ietf.org; draft-ietf-acme-email-smime@ietf.org;
> acme-chairs@ietf.org
> Subject: Re: [Acme] Last Call: <draft-ietf-acme-email-smime-08.txt> (Extensions
> to Automatic Certificate Mana
>
> Hi Alexey,
> At 11:57 AM 25-06-2020, The IESG wrote:
>> The IESG has received a request from the Automated Certificate
>> Management Environment WG (acme) to consider the following document: -
>> 'Extensions to Automatic Certificate Management Environment for end
>>     user S/MIME certificates'
>>    <draft-ietf-acme-email-smime-08.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits
>> final comments on this action. Please send substantive comments to the
> In Section 3.1, there is the following in Point 3 and 5: "The message MAY
> contain Reply-To header field."  Is the duplication a mistake?
>
> Point 6 states that its purpose is to "prove authenticity of a challenge
> message".  How does DKIM prove authenticity [1]?
>
> Why is there a requirement that the message has to pass DMARC validation?
> Has forwarding been taken into account [2]?
>
> Regards,
> S. Moonesamy
>
> 1. Please see Section 5.4 of RFC 6376.
> 2. That does not work well with SPF.
>
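As an added illustration, not part of this thread, here is a toy model of the SPF, DKIM and DMARC checks a CA would run on an incoming challenge response; the SPF data, IP addresses, domains and hop descriptions are constructed. It also shows a point the thread only implies: SPF fails at a forwarding hop because it judges the connecting IP, while an intact DKIM signature over the listed header fields can still yield an aligned DMARC pass.

```python
"""Toy DMARC evaluation for an ACME S/MIME challenge response (constructed data)."""
import ipaddress
from typing import Optional

# Constructed stand-in for the sender domain's SPF record (a DNS TXT lookup in reality).
SPF_AUTHORIZED = {"sebbe.eu": [ipaddress.ip_network("192.0.2.0/24")]}


def org_domain(domain: str) -> str:
    """Hypothetical simplification: treat the last two labels as the organizational domain."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment between an authenticated domain and the RFC 5322 From domain."""
    if strict:
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def spf_pass(mail_from_domain: str, connecting_ip: str) -> bool:
    """SPF judges the connecting IP, so a forwarder's IP is not in the sender's record."""
    ip = ipaddress.ip_address(connecting_ip)
    return any(ip in net for net in SPF_AUTHORIZED.get(mail_from_domain, []))


def dkim_pass(signing_domain: Optional[str], signed_content_intact: bool) -> bool:
    """Stand-in for signature verification: passes only if the header fields listed in the
    DKIM h= tag and the signed body survived the hop unchanged; the origin IP is irrelevant."""
    return signing_domain is not None and signed_content_intact


def dmarc_evaluate(hop: dict) -> dict:
    """DMARC passes if either SPF or DKIM passes and is aligned with the From domain."""
    from_domain = hop["rfc5322_from"].split("@", 1)[1]
    spf = spf_pass(hop["mail_from_domain"], hop["connecting_ip"]) and aligned(hop["mail_from_domain"], from_domain)
    dkim = dkim_pass(hop["dkim_d"], hop["signed_content_intact"]) and aligned(hop["dkim_d"] or "", from_domain)
    return {"spf": spf, "dkim": dkim, "dmarc": spf or dkim}


# Hop 1 (constructed): sebbe.eu's MTA delivers the challenge response straight to the CA.
DIRECT = {"rfc5322_from": "sebastian@sebbe.eu", "mail_from_domain": "sebbe.eu",
          "connecting_ip": "192.0.2.25", "dkim_d": "sebbe.eu", "signed_content_intact": True}
# Hop 2 (constructed): ca.example.org forwards it onward; the connecting IP is now the CA's.
FORWARDED = dict(DIRECT, connecting_ip="198.51.100.7")
# Hop 2 variant (constructed): the forwarder also rewrote a signed header field or the body.
FORWARDED_MODIFIED = dict(FORWARDED, signed_content_intact=False)

if __name__ == "__main__":
    for name, hop in [("direct", DIRECT), ("forwarded", FORWARDED), ("forwarded+modified", FORWARDED_MODIFIED)]:
        print(name, dmarc_evaluate(hop))
```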