Re: Additional reviews of draft-daboo-srv-email-02.txt needed
Alessandro Vesely <vesely@tana.it> Tue, 25 August 2009 11:16 UTC
Return-Path: <vesely@tana.it>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E86F3A6BC3 for <apps-discuss@core3.amsl.com>; Tue, 25 Aug 2009 04:16:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.9
X-Spam-Level:
X-Spam-Status: No, score=-2.9 tagged_above=-999 required=5 tests=[AWL=-0.482, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, MANGLED_EMAIL=2.3, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ItIMl9m4VumJ for <apps-discuss@core3.amsl.com>; Tue, 25 Aug 2009 04:16:24 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id 42BE53A686D for <apps-discuss@ietf.org>; Tue, 25 Aug 2009 04:16:24 -0700 (PDT)
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Tue, 25 Aug 2009 13:16:06 +0200 id 00000000005DC02F.000000004A93C7F6.000061E2
Message-ID: <4A93C7F5.5020108@tana.it>
Date: Tue, 25 Aug 2009 13:16:05 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>
Subject: Re: Additional reviews of draft-daboo-srv-email-02.txt needed
References: <4A8D28AA.4060906@isode.com> <4A8E30A8.9050307@tana.it> <4A8E99B2.1060002@isode.com> <20090824180434.GA16812@isc.upenn.edu> <80915C5A84C4DABC6AC2B749@caldav.corp.apple.com> <4A92FADB.1030406@isode.com>
In-Reply-To: <4A92FADB.1030406@isode.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: apps-discuss@ietf.org
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2009 11:16:25 -0000
Alexey Melnikov wrote: > Cyrus Daboo wrote: >>> I'm not sure we have a good practical solution to this problem. >>> today. RFC 4985 (SRVName SAN) could be used in theory to compartmentalize >>> certificates to specific services at a domain name. But I'm not >>> sure any commercial CAs today will issue certs with such extensions. >> >> Right. This was why I suggested using the SRV query string in the >> subjectAltName, i.e. '_imap._tcp.example.com'. That way a client that >> gets to that cert via an SRV lookup can verify that it is valid, >> whilst other clients will effectively ignore that, and the cert can't >> "impersonate" another service. > > If you are going to do that, you need to update IMAP and POP3 specs > properly, i.e. to define TLS server identity verification procedure for > these protocols that requires that clients check srvName. Will the spec be flexible about that? I mean, checking them only if they are present? To recap, say mail.example.com hosts mail services for example.org and example.net. Assume its certificate may have SAN fields for any of the following: * otherName dNSName mail.example.com * iPAddress 192.0.2.3 * otherName srvName _imap.example.org * otherName srvName _imap.example.net * rfc822Name postmaster@example.org * rfc822Name postmaster@example.net The question is whether a suitable tradeoff among interoperability, compartmentalization, and other security issues may be obtained by tailoring those SAN fields, even without Server Name Indication. To complete the example, also assume the following RRs are set, and obtainable by regular DNS over UDP queries. mail.example.com IN A 192.0.2.3 mail.example.net IN A 192.0.2.3 3.2.0.192.in-addr.arpa IN CNAME 3.0-24.2.0.192.in-addr.arpa 0-24.2.0.192.in-addr.arpa IN NS ns.example.com 3.0-24.2.0.192.in-addr.arpa IN PTR mail.example.com 3.0-24.2.0.192.in-addr.arpa IN PTR mail.example.net _imap._tcp.example.org IN SRV 0 0 143 mail.example.com _imap._tcp.example.net IN SRV 0 0 143 mail.example.net example.com IN MX 0 mail.example.com example.org IN MX 0 mail.example.com example.net IN MX 0 mail.example.com Note that example.org is served by an host in a different domain zone. However, as far as DNS queries can be trusted, the client can check that example.com is compatible with example.org (because they share a primary MX.) If postmaster@example.org is included in the certificate, the client may trust that the signing CA had verified who got mail for it, and consider that as corroborating the value of the SRV RR. Am I missing something? IMHO, any MUST/MUST NOT in the spec should only prevent cases where phishing can actually be operated, so as not to standardize ill defined practices. I would suggest that the spec exemplifies, in an appendix, various cases of DNS and certificate settings, telling in what cases the client should trust the info, ask confirmation, or strongly discourage the user. The spec may also suggest that (in some cases) challenge/response authentication takes place even if the channel is crypted, to avoid phishing.
- Additional reviews of draft-daboo-srv-email-02.tx… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Cyrus Daboo
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Cyrus Daboo
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Simon Josefsson
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Cyrus Daboo
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Peter Saint-Andre
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Tony Finch
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely