Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
Daniel Migault <mglt.ietf@gmail.com> Tue, 04 February 2020 00:26 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A0CA1200B5 for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 16:26:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SvyaFbqww_HT for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 16:26:56 -0800 (PST)
Received: from mail-vs1-xe2b.google.com (mail-vs1-xe2b.google.com [IPv6:2607:f8b0:4864:20::e2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0222F12001A for <art@ietf.org>; Mon, 3 Feb 2020 16:26:51 -0800 (PST)
Received: by mail-vs1-xe2b.google.com with SMTP id n27so10265342vsa.0 for <art@ietf.org>; Mon, 03 Feb 2020 16:26:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=AXJqlYAXBBpKPZGeeVFkV3YCmJWGqHNVATFeFZTGYWM=; b=mqpVChBsoU9SlAVRSu1bREsvV3Ve1Ce4of0Y/S3SQnBL2cVpp1eXNOLs+GlzRQXqWz t/NB23xS4ajeD6fdGkpxn0a2n582eaQ1cTYAniTr8zoQRhQDH5MCgtGrybSXocxHUmhg QwW/9i+dRTk/tmZgGJsTabKMfs1OrjOl3sFFovsoajZhG4na34KV3oMGor2JXmDU/Lht ee5BzIP8F5c6iKmw9noW4rtkOgSN2v7lDhc+Ti1GDO9h38k8IOSRhzCzlgRJJpMNzoZ+ fAsnjcUrNrLUotc4k1Bhh0K6GIYsRcn/NQo0eLJvbrphohmYwEX78maRONuDYTSqxnbc 3qvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=AXJqlYAXBBpKPZGeeVFkV3YCmJWGqHNVATFeFZTGYWM=; b=olkZoCFv0n+6QATSGWmwq5lPEI0tJL4joKs0/hkyQAOcZBnvLbwRtFJwExc6QRBAeX yUGwGdSHXu5tFSB0mfXbzVJtzbaEYbocaAKwXWx6ASUzwSjC5rLmmYcLawF9l0EYkHft AGSlRePbhVDGGqu3eX/2SB7CvsHlzOAV3YUIjGD2m/IFJSJKFYvkXwuYx2yBZLtLJp9s ltdgc6rtPIIWP/ppKnry5olLJ2XStieUtv+MlHVxzb1Tn2AVzHmt4/RZXkk1FHaSy0Mv aNd2bbjzAdxTBEs1HBICvsLXHRxrInBK11Qy1q9OILztQ2QTZPq1HZX2p/QAOgJ4zuQw UcXA==
X-Gm-Message-State: APjAAAVcAT3BXaN5DcGSc6AKAUA6k7YSJW3XKf91IKiAA0ds0/akanMz +1Om06XsU39pUFVrnJ6q9q7s3OtNSISzYTl5Ad4=
X-Google-Smtp-Source: APXvYqzbkhPMDMlObhAp7tEYD5flEwDHdHZMrPULFTYIrrvpHE/C87PvZCbYrIRnEU56hsTDoMmKcNxV2B9LeyT+s7E=
X-Received: by 2002:a67:b309:: with SMTP id a9mr15908659vsm.97.1580776010090; Mon, 03 Feb 2020 16:26:50 -0800 (PST)
MIME-Version: 1.0
References: <55abf67e-6a90-acff-a832-87a168d50522@linuxmagic.com> <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com> <20200203231115.WTinN%steffen@sdaoden.eu>
In-Reply-To: <20200203231115.WTinN%steffen@sdaoden.eu>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 03 Feb 2020 19:26:39 -0500
Message-ID: <CADZyTk=ySSVdjKpF4qTDos4etA6tu22==qBRyg_Mp7vMNuKVEg@mail.gmail.com>
To: Michael Peddemors <michael@linuxmagic.com>, Eliot Lear <lear@cisco.com>, art@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008d1161059db51891"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/AVTu1FzZofwUhke731owkaWnxYQ>
Subject: Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2020 00:26:58 -0000
While the use case is limited to email, I am wondering if the design of an TLS extension would be in scope, so it could be re-used by other applications. Yours, Daniel On Mon, Feb 3, 2020 at 6:11 PM Steffen Nurpmeso <steffen@sdaoden.eu> wrote: > Eliot Lear wrote in <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com>: > |> On 3 Feb 2020, at 22:06, Michael Peddemors <michael@linuxmagic.com> \ > |> wrote: > |> > |> Call for Feedback: > |> > |> "Birds of a Feather (BOF)" on email authentication security. > ... > |> These (our) drafts are related to email security, but as we look \ > |> at this serious problem (email compromises), I believe it might be \ > |> time to look at the problem in a wider scope, so I am looking at \ > |> having a "Birds of a Feather" meeting proposal, that can encompass \ > |> a wider discussion on IETF involvement in these issues. > |> > |> For instance, aside from our IETF drafts on CLIENTID > extensions/enhancem\ > |> ents for IMAP/SMTP AUTH, (for those not familiar, references at the \ > |> bottom), there are other things that could be addressed in such a \ > |> meeting. > |> > |> * POP/SMTP authentication sent unencrypted over the network > |> * AutoDiscovery should NEVER test unencrypted methods > |> * Email Clients should deprecate the above > |> * Other ideas to address email compromise risks worldwide? > ... > |> For those not informed, we are looking for a home as well to discuss \ > |> our CLIENTID initiatives > |> > |> > https://datatracker.ietf.org/doc/draft-storey-smtp-client-id/?include_te\ > |> xt=1 > |> https://tools.ietf.org/html/draft-yu-imap-client-id-03 > > |IMHO the issue is not one of client identity, but rather > preauthorization \ > |versus non-prearranged communication. As to your recommendations below, > \ > |while there’s nothing wrong with them, even if you implemented them, \ > |I do not believe that spam would be reduced one iota. > | > |I would suggest that one delve a bit into per-destination > preauthorization \ > |and how that might work from a UX perspective. > | > |In any case, I’m not sure a formal BoF is called for at this point. \ > | Maybe a bar bof. > > New nuto-configurations (with old software), and old dangling > configurations on user boxes, maybe. But new clients, or users > which create new accounts manually, or users in an environment > with an active administrator, i do not know. > > I would vote for keeping complexity low, especially when > unnecessary. For example the new Unix Alpine version ships with > direct XOAUTH2 support, including credential creation and renewal, > it needs JSON and HTTP for this, i think. This makes more > dependencies etc. etc. I would include that in the protocol, for > example, add a renew parameter, and let that cause an > additional/extended authentication response with includes the > renewed access token. Just as an example, the entire additional > logic, or usage of external tools (like mine needs), etc., is > gone. Lesser configuration for the user also. > > And i personally do not think adding yet more to a protocol itself > is a right thing to do, especially if the protocol is only payload > for a security layer which has the potential to provide desired > additional information. For example, EXTERNAL authentication > (which however does not seem to be supported well by widely used > server/s). Or passing a client certificate as part of the > authentication step, if you all enforce XOAUTH2 then this can very > well be passed as a base64 token, too. No need for more commands > which even possibly require roundtrips, or at least more C/S > answer/response interaction. > Requiring EXTERNAL has the nice property that the secure transport > is implicit. > > --steffen > | > |Der Kragenbaer, The moon bear, > |der holt sich munter he cheerfully and one by one > |einen nach dem anderen runter wa.ks himself off > |(By Robert Gernhardt) > > _______________________________________________ > art mailing list > art@ietf.org > https://www.ietf.org/mailman/listinfo/art > -- Daniel Migault Ericsson
- [art] [FEEDBACK REQUEST] "Birds of a Feather" top… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Stephen Farrell
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Eliot Lear
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Steffen Nurpmeso
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Brandon Long
- [art] =?UTF-8?Q?Re:__[FEEDBACK_REQUEST]_"Birds_of… Alexey Melnikov
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Alessandro Vesely