Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
Eliot Lear <lear@cisco.com> Mon, 03 February 2020 22:45 UTC
Return-Path: <lear@cisco.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00D7F120044 for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 14:45:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GyLNEPzrFTiS for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 14:45:03 -0800 (PST)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B308612006E for <art@ietf.org>; Mon, 3 Feb 2020 14:45:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4951; q=dns/txt; s=iport; t=1580769902; x=1581979502; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=tPf6/Fuqq4ORX8nZeE+LmFz7Oss1aVL1B3ZlpdcbjLM=; b=b8GL7jL00FXWzEaRuQv6W4uIsO9XKB2m2y/LFUZXvVuVBTVCKq+d/a8R bDnMCrLE7X4V+I7VfdnNDA9tQUs38BfKNybrLgFLpdKQKaoMBrcPvYC9R upZOMwqq9hOD7y0AqzKBawcOp8Wh/yP6U1PWKMXTnkvVLto1StJczfx+/ o=;
X-IPAS-Result: A0DkBwAMojhe/xbLJq1cBgMeAQschRBQBAEgEiqEFIkDh3klmVGBZwkBAQEMAQEYDQoBAYRAAoJYOBMCAwEBAQMCAwEBAQEEAQEBAgEFBG2FNwyFZgEBAQECAQEBGwYyEQgLBQsLGAICJgICJzAGE4MmAYJbIA+sJnWBMoQ5Ag5BQIR9gQ4qgiOGCYIhgTY3ggCBEScMFIJMPmsZAYFfAQECAQEYgQsJAQgKASEhJoJJMoIsBI1BARyiBIJFgk6EeIVHhCgGgkCCRRuCSIgOhCGMEZdIjwWDLgIEBgUCFXhxImdxMxoIGxU7KgGCQQk1EhgNjjWDB1SFFIVAQAMwjFeCMgEB
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.70,398,1574121600"; d="scan'208";a="20603196"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 03 Feb 2020 22:44:58 +0000
Received: from [10.61.163.150] ([10.61.163.150]) by aer-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 013Miusq001568 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 3 Feb 2020 22:44:56 GMT
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Eliot Lear <lear@cisco.com>
In-Reply-To: <55abf67e-6a90-acff-a832-87a168d50522@linuxmagic.com>
Date: Mon, 03 Feb 2020 23:44:55 +0100
Cc: art@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com>
References: <55abf67e-6a90-acff-a832-87a168d50522@linuxmagic.com>
To: Michael Peddemors <michael@linuxmagic.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
X-Outbound-SMTP-Client: 10.61.163.150, [10.61.163.150]
X-Outbound-Node: aer-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/b5I78lEQFga8xvdtKYlHnqyS1ig>
Subject: Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 22:45:06 -0000
Hi Michael, IMHO the issue is not one of client identity, but rather preauthorization versus non-prearranged communication. As to your recommendations below, while there’s nothing wrong with them, even if you implemented them, I do not believe that spam would be reduced one iota. I would suggest that one delve a bit into per-destination preauthorization and how that might work from a UX perspective. In any case, I’m not sure a formal BoF is called for at this point. Maybe a bar bof. Eliot > On 3 Feb 2020, at 22:06, Michael Peddemors <michael@linuxmagic.com> wrote: > > Call for Feedback: > > "Birds of a Feather (BOF)" on email authentication security. > > As some may know, we have a couple of IETF Drafts looking for a Working Group home, but because it crosses over several protocols, discussions on these can extend beyond groups which cover only one protocol. There are some issues that extend across the ecosystem. > > These (our) drafts are related to email security, but as we look at this serious problem (email compromises), I believe it might be time to look at the problem in a wider scope, so I am looking at having a "Birds of a Feather" meeting proposal, that can encompass a wider discussion on IETF involvement in these issues. > > For instance, aside from our IETF drafts on CLIENTID extensions/enhancements for IMAP/SMTP AUTH, (for those not familiar, references at the bottom), there are other things that could be addressed in such a meeting. > > * POP/SMTP authentication sent unencrypted over the network > * AutoDiscovery should NEVER test unencrypted methods > * Email Clients should deprecate the above > * Other ideas to address email compromise risks worldwide? > > Given that in todays climate, of millions of compromised devices on the internet designed to 'sniff' traffic, sending authentication over the clear IMHO should NOT be recommended or referenced in RFC's, otherwise vendors will continue to support these. We still see 'pop connectors' by 3rd parties, various auto-discovery methods that attempt to connect using POP 110, all whom send email credentials in the clear, risking unintended exposure of this data. > > All modern email clients have a role in protecting users, and by supporting such legacy methods, these risks will continue. > > While some new RFC materials cover the SHOULD be over encrypted, and some cover recommendations, a larger discussion in general over whether updates should occur, to deprecate language that would allow for insecure transmission of authentication protocols. > > And aside from our own methods to make a more transparent form of native ability in legacy protocols to support tokens that be sent before authentication credentials are received, to allow systems, users, and authentication tools to decide whether to accept authentication requests unless supported by a recognized token, there may be others working on improvements in security that crossed protocol boundaries, or address other security related threats in email. > > My question to the list is this: > > * How wide/narrow should the topic/mandate be? > > -- Email Authentication & Security > -- Communication Authentication Security > -- POP/IMAP/SMTP Authentication > -- POP/IMAP/SMTP Policies And Considerations > > > I look forward to your feedback and suggestions, but note we only have a few days left to decide on the scope, in order to to request this BOF at the Vancouver EITF meeting in March. > > -- Michael -- > > > For those not informed, we are looking for a home as well to discuss our CLIENTID initiatives > > https://datatracker.ietf.org/doc/draft-storey-smtp-client-id/?include_text=1 > https://tools.ietf.org/html/draft-yu-imap-client-id-03 > > > > -- > "Catch the Magic of Linux..." > ------------------------------------------------------------------------ > Michael Peddemors, President/CEO LinuxMagic Inc. > Visit us at http://www.linuxmagic.com @linuxmagic > A Wizard IT Company - For More Info http://www.wizard.ca > "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. > ------------------------------------------------------------------------ > 604-682-0300 Beautiful British Columbia, Canada > > This email and any electronic data contained are confidential and intended > solely for the use of the individual or entity to which they are addressed. > Please note that any views or opinions presented in this email are solely > those of the author and are not intended to represent those of the company. > > _______________________________________________ > art mailing list > art@ietf.org > https://www.ietf.org/mailman/listinfo/art
- [art] [FEEDBACK REQUEST] "Birds of a Feather" top… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Stephen Farrell
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Eliot Lear
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Steffen Nurpmeso
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Brandon Long
- [art] =?UTF-8?Q?Re:__[FEEDBACK_REQUEST]_"Birds_of… Alexey Melnikov
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Alessandro Vesely