Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
Brandon Long <blong@google.com> Tue, 04 February 2020 02:23 UTC
Return-Path: <blong@google.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1427812004A for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 18:23:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RSq9u7PlZkMe for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 18:23:54 -0800 (PST)
Received: from mail-vs1-xe43.google.com (mail-vs1-xe43.google.com [IPv6:2607:f8b0:4864:20::e43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 239A412001A for <art@ietf.org>; Mon, 3 Feb 2020 18:23:28 -0800 (PST)
Received: by mail-vs1-xe43.google.com with SMTP id a2so10394216vso.3 for <art@ietf.org>; Mon, 03 Feb 2020 18:23:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GZmEQGBJ6FKkdc6Gxi5sZL6WK8/kx2PYvFJoNZGUX/0=; b=pazVz9omMJMspkzE0JwsrUFu0Sk1EI0W36Rf4ycmUHt+vxHRaRv2W9as12+F0yO2uE qOwWqRTFQrV2Wecv9gGSSuU3gD+CAdyUCJ1YqQjCrVoNFvobzj4KTcVg33v/vKuSUed+ UlyZnB7ALVT+3472P41KNH6k8+g+FaZBQP83wJKON+2Wl5VmVlJ+SLPUwn8JVhUdzZiW 36qQm3bhHx2aU6rB2oNMiG8/lAZXYIzDKz+uT6TkNEioF60xE/TT3B//eB6WCUvuQYtz SY8uyDZqXevmiW4JD/7exd9lkST1nMgESVwhZWAFPMA6wVES1etstLprPnoGXt2ezcG3 zwtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GZmEQGBJ6FKkdc6Gxi5sZL6WK8/kx2PYvFJoNZGUX/0=; b=jXQMRyJwbY3KcjIY37NF4J/VHybt7pHmMCGBJXugvyEazfUkeiBtDf9LJ6VO2W2J5W E48lDLecVSlT0e9Jj2I8VIdyq7cpAyc1nkLaqXe50vC4nGigqs/1mvKQvREtAgw2abvR bdhHhFWWhQYX02ZFd2Bsx5XMB5kUEj8CaF5hsI6ywnwEqeuuyh96f2+6UCrz7yEujbGn mE4t0kvQwK8BR0fdfOQakzz1RKqIiUqUKLwEPw2too14pte/ic5qKG5yag17ndQnavfx p6qvbtcxG4P5FQM1PH3lRGCO3rI+3yiMBRCBTp55lXMXpiNqGFUrfImgG153e3JUNhQo 8+kw==
X-Gm-Message-State: APjAAAXhkcmM1Av4YsH5CZA5srwvJSmwU7LwvoLPyUQ26Yb3KBGLj2mM sPBNih31PxxMQXzZ3pgz9qRea7sEHa+vlSGqn1zo
X-Google-Smtp-Source: APXvYqyLPY3/X7etY429Q5pORjaE1/ird1XAtSUbGS9WhjLOAj4yYMA2JGNupGrgaJdMDf69b11KW56RMiPWTlXTt+8=
X-Received: by 2002:a05:6102:22f0:: with SMTP id b16mr15899167vsh.238.1580783006716; Mon, 03 Feb 2020 18:23:26 -0800 (PST)
MIME-Version: 1.0
References: <55abf67e-6a90-acff-a832-87a168d50522@linuxmagic.com> <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com> <20200203231115.WTinN%steffen@sdaoden.eu> <CADZyTk=ySSVdjKpF4qTDos4etA6tu22==qBRyg_Mp7vMNuKVEg@mail.gmail.com>
In-Reply-To: <CADZyTk=ySSVdjKpF4qTDos4etA6tu22==qBRyg_Mp7vMNuKVEg@mail.gmail.com>
From: Brandon Long <blong@google.com>
Date: Mon, 03 Feb 2020 18:23:14 -0800
Message-ID: <CABa8R6tH0epA_9SB6=bcj7QUvL0P_6=L908=ywxbP7=jN29zNA@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Michael Peddemors <michael@linuxmagic.com>, Eliot Lear <lear@cisco.com>, art@ietf.org
Content-Type: multipart/alternative; boundary="00000000000095a875059db6b9d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/J-SfFY932jonsnErOh2cXLHSlz4>
Subject: Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2020 02:23:57 -0000
I mean, if it's part of auth, shouldn't it be in SASL? Michael and I have had that argument before, but in any case, where isn't really the question so much as whether it's useful, the details can be worked out. It has the benefit of simplicity vs things like OAUTHBEARER, but is that really the barrier here? Brandon On Mon, Feb 3, 2020 at 4:27 PM Daniel Migault <mglt.ietf@gmail.com> wrote: > While the use case is limited to email, I am wondering if the design of an > TLS extension would be in scope, so it could be re-used by other > applications. > > Yours, > Daniel > > On Mon, Feb 3, 2020 at 6:11 PM Steffen Nurpmeso <steffen@sdaoden.eu> > wrote: > >> Eliot Lear wrote in <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com>: >> |> On 3 Feb 2020, at 22:06, Michael Peddemors <michael@linuxmagic.com> \ >> |> wrote: >> |> >> |> Call for Feedback: >> |> >> |> "Birds of a Feather (BOF)" on email authentication security. >> ... >> |> These (our) drafts are related to email security, but as we look \ >> |> at this serious problem (email compromises), I believe it might be \ >> |> time to look at the problem in a wider scope, so I am looking at \ >> |> having a "Birds of a Feather" meeting proposal, that can encompass \ >> |> a wider discussion on IETF involvement in these issues. >> |> >> |> For instance, aside from our IETF drafts on CLIENTID >> extensions/enhancem\ >> |> ents for IMAP/SMTP AUTH, (for those not familiar, references at the \ >> |> bottom), there are other things that could be addressed in such a \ >> |> meeting. >> |> >> |> * POP/SMTP authentication sent unencrypted over the network >> |> * AutoDiscovery should NEVER test unencrypted methods >> |> * Email Clients should deprecate the above >> |> * Other ideas to address email compromise risks worldwide? >> ... >> |> For those not informed, we are looking for a home as well to discuss \ >> |> our CLIENTID initiatives >> |> >> |> >> https://datatracker.ietf.org/doc/draft-storey-smtp-client-id/?include_te\ >> |> xt=1 >> |> https://tools.ietf.org/html/draft-yu-imap-client-id-03 >> >> |IMHO the issue is not one of client identity, but rather >> preauthorization \ >> |versus non-prearranged communication. As to your recommendations >> below, \ >> |while there’s nothing wrong with them, even if you implemented them, \ >> |I do not believe that spam would be reduced one iota. >> | >> |I would suggest that one delve a bit into per-destination >> preauthorization \ >> |and how that might work from a UX perspective. >> | >> |In any case, I’m not sure a formal BoF is called for at this point. \ >> | Maybe a bar bof. >> >> New nuto-configurations (with old software), and old dangling >> configurations on user boxes, maybe. But new clients, or users >> which create new accounts manually, or users in an environment >> with an active administrator, i do not know. >> >> I would vote for keeping complexity low, especially when >> unnecessary. For example the new Unix Alpine version ships with >> direct XOAUTH2 support, including credential creation and renewal, >> it needs JSON and HTTP for this, i think. This makes more >> dependencies etc. etc. I would include that in the protocol, for >> example, add a renew parameter, and let that cause an >> additional/extended authentication response with includes the >> renewed access token. Just as an example, the entire additional >> logic, or usage of external tools (like mine needs), etc., is >> gone. Lesser configuration for the user also. >> >> And i personally do not think adding yet more to a protocol itself >> is a right thing to do, especially if the protocol is only payload >> for a security layer which has the potential to provide desired >> additional information. For example, EXTERNAL authentication >> (which however does not seem to be supported well by widely used >> server/s). Or passing a client certificate as part of the >> authentication step, if you all enforce XOAUTH2 then this can very >> well be passed as a base64 token, too. No need for more commands >> which even possibly require roundtrips, or at least more C/S >> answer/response interaction. >> Requiring EXTERNAL has the nice property that the secure transport >> is implicit. >> >> --steffen >> | >> |Der Kragenbaer, The moon bear, >> |der holt sich munter he cheerfully and one by one >> |einen nach dem anderen runter wa.ks himself off >> |(By Robert Gernhardt) >> >> _______________________________________________ >> art mailing list >> art@ietf.org >> https://www.ietf.org/mailman/listinfo/art >> > > > -- > Daniel Migault > Ericsson > _______________________________________________ > art mailing list > art@ietf.org > https://www.ietf.org/mailman/listinfo/art >
- [art] [FEEDBACK REQUEST] "Birds of a Feather" top… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Stephen Farrell
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Eliot Lear
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Steffen Nurpmeso
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Brandon Long
- [art] =?UTF-8?Q?Re:__[FEEDBACK_REQUEST]_"Birds_of… Alexey Melnikov
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Alessandro Vesely