Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
Steffen Nurpmeso <steffen@sdaoden.eu> Mon, 03 February 2020 23:11 UTC
Return-Path: <steffen@sdaoden.eu>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7CEC12006E for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 15:11:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EllFGG2oZTFW for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 15:11:17 -0800 (PST)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA9EF120044 for <art@ietf.org>; Mon, 3 Feb 2020 15:11:17 -0800 (PST)
Received: by sdaoden.eu (Postfix, from userid 1000) id 3799A16054; Tue, 4 Feb 2020 00:11:16 +0100 (CET)
Date: Tue, 04 Feb 2020 00:11:15 +0100
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Michael Peddemors <michael@linuxmagic.com>
Cc: Eliot Lear <lear@cisco.com>, art@ietf.org
Message-ID: <20200203231115.WTinN%steffen@sdaoden.eu>
In-Reply-To: <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com>
References: <55abf67e-6a90-acff-a832-87a168d50522@linuxmagic.com> <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com>
Mail-Followup-To: Michael Peddemors <michael@linuxmagic.com>, Eliot Lear <lear@cisco.com>, art@ietf.org
User-Agent: s-nail v14.9.17-43-g63b6e03a
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/gm1Hm4nxYSa_N9M7z8l7h8J4_5o>
Subject: Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 23:11:20 -0000
Eliot Lear wrote in <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com>: |> On 3 Feb 2020, at 22:06, Michael Peddemors <michael@linuxmagic.com> \ |> wrote: |> |> Call for Feedback: |> |> "Birds of a Feather (BOF)" on email authentication security. ... |> These (our) drafts are related to email security, but as we look \ |> at this serious problem (email compromises), I believe it might be \ |> time to look at the problem in a wider scope, so I am looking at \ |> having a "Birds of a Feather" meeting proposal, that can encompass \ |> a wider discussion on IETF involvement in these issues. |> |> For instance, aside from our IETF drafts on CLIENTID extensions/enhancem\ |> ents for IMAP/SMTP AUTH, (for those not familiar, references at the \ |> bottom), there are other things that could be addressed in such a \ |> meeting. |> |> * POP/SMTP authentication sent unencrypted over the network |> * AutoDiscovery should NEVER test unencrypted methods |> * Email Clients should deprecate the above |> * Other ideas to address email compromise risks worldwide? ... |> For those not informed, we are looking for a home as well to discuss \ |> our CLIENTID initiatives |> |> https://datatracker.ietf.org/doc/draft-storey-smtp-client-id/?include_te\ |> xt=1 |> https://tools.ietf.org/html/draft-yu-imap-client-id-03 |IMHO the issue is not one of client identity, but rather preauthorization \ |versus non-prearranged communication. As to your recommendations below, \ |while there’s nothing wrong with them, even if you implemented them, \ |I do not believe that spam would be reduced one iota. | |I would suggest that one delve a bit into per-destination preauthorization \ |and how that might work from a UX perspective. | |In any case, I’m not sure a formal BoF is called for at this point. \ | Maybe a bar bof. New nuto-configurations (with old software), and old dangling configurations on user boxes, maybe. But new clients, or users which create new accounts manually, or users in an environment with an active administrator, i do not know. I would vote for keeping complexity low, especially when unnecessary. For example the new Unix Alpine version ships with direct XOAUTH2 support, including credential creation and renewal, it needs JSON and HTTP for this, i think. This makes more dependencies etc. etc. I would include that in the protocol, for example, add a renew parameter, and let that cause an additional/extended authentication response with includes the renewed access token. Just as an example, the entire additional logic, or usage of external tools (like mine needs), etc., is gone. Lesser configuration for the user also. And i personally do not think adding yet more to a protocol itself is a right thing to do, especially if the protocol is only payload for a security layer which has the potential to provide desired additional information. For example, EXTERNAL authentication (which however does not seem to be supported well by widely used server/s). Or passing a client certificate as part of the authentication step, if you all enforce XOAUTH2 then this can very well be passed as a base64 token, too. No need for more commands which even possibly require roundtrips, or at least more C/S answer/response interaction. Requiring EXTERNAL has the nice property that the secure transport is implicit. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
- [art] [FEEDBACK REQUEST] "Birds of a Feather" top… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Stephen Farrell
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Eliot Lear
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Steffen Nurpmeso
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Brandon Long
- [art] =?UTF-8?Q?Re:__[FEEDBACK_REQUEST]_"Birds_of… Alexey Melnikov
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Alessandro Vesely