Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
Michael Peddemors <michael@linuxmagic.com> Mon, 03 February 2020 22:54 UTC
Return-Path: <michael@linuxmagic.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72D8F12007C for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 14:54:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.228
X-Spam-Level: **
X-Spam-Status: No, score=2.228 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_SBL_CSS=3.335, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VTjdgU2J6vBO for <art@ietfa.amsl.com>; Mon, 3 Feb 2020 14:54:10 -0800 (PST)
Received: from fe3.cityemail.com (unknown [104.128.152.20]) by ietfa.amsl.com (Postfix) with ESMTP id CEBDE12001B for <art@ietf.org>; Mon, 3 Feb 2020 14:54:10 -0800 (PST)
Received: (qmail 15242 invoked from network); 3 Feb 2020 22:54:10 -0000
Received: from riddle.wizard.ca (HELO [192.168.1.55]) (michael@wizard.ca@104.128.144.8) by fe3.cityemail.com with (AES128-SHA encrypted) SMTP (170f2b62-46d8-11ea-a7de-2f6235286947); Mon, 03 Feb 2020 14:54:10 -0800
To: Eliot Lear <lear@cisco.com>
Cc: art@ietf.org
References: <55abf67e-6a90-acff-a832-87a168d50522@linuxmagic.com> <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com>
From: Michael Peddemors <michael@linuxmagic.com>
Organization: LinuxMagic Inc.
Message-ID: <4150b6d5-ab85-ba54-f36e-96d36fb65026@linuxmagic.com>
Date: Mon, 03 Feb 2020 14:54:10 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <298521FA-CC31-4888-99E3-7FE32419679C@cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-MagicMail-OS: Linux 3.11 and newer
X-MagicMail-UUID: 170f2b62-46d8-11ea-a7de-2f6235286947
X-MagicMail-Authenticated: michael@wizard.ca
X-MagicMail-SourceIP: 104.128.144.8
X-MagicMail-RegexMatch: 0
X-MagicMail-EnvelopeFrom: <michael@linuxmagic.com>
X-Archive: Yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/sgPW8wAKlTrUFUaJ14-_9vFxwZc>
Subject: Re: [art] [FEEDBACK REQUEST] "Birds of a Feather" topic, email security threats
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 22:54:12 -0000
On 2020-02-03 2:44 p.m., Eliot Lear wrote: > Hi Michael, > > IMHO the issue is not one of client identity, but rather preauthorization versus non-prearranged communication. As to your recommendations below, while there’s nothing wrong with them, even if you implemented them, I do not believe that spam would be reduced one iota. > > I would suggest that one delve a bit into per-destination preauthorization and how that might work from a UX perspective. > > In any case, I’m not sure a formal BoF is called for at this point. Maybe a bar bof. > > Eliot I do want to point out, this is not about spam, but rather email security, unless you are recommending that we enlarge the topic that much? And BTW, for the record the CLIENTID is only one of many email security related topics that might be discussed. Looking in general to see if others think that there are important things to add/avoid in this topic for a BOF. (off thread, sending authorization is about validating ones identity to access an email resource, CLIENTID is a step in that direction, when used to that affect, but it can also relate to a class of allowed/expected devices that can access/authenticate to access a resource) > > > >> On 3 Feb 2020, at 22:06, Michael Peddemors <michael@linuxmagic.com> wrote: >> >> Call for Feedback: >> >> "Birds of a Feather (BOF)" on email authentication security. >> >> As some may know, we have a couple of IETF Drafts looking for a Working Group home, but because it crosses over several protocols, discussions on these can extend beyond groups which cover only one protocol. There are some issues that extend across the ecosystem. >> >> These (our) drafts are related to email security, but as we look at this serious problem (email compromises), I believe it might be time to look at the problem in a wider scope, so I am looking at having a "Birds of a Feather" meeting proposal, that can encompass a wider discussion on IETF involvement in these issues. >> >> For instance, aside from our IETF drafts on CLIENTID extensions/enhancements for IMAP/SMTP AUTH, (for those not familiar, references at the bottom), there are other things that could be addressed in such a meeting. >> >> * POP/SMTP authentication sent unencrypted over the network >> * AutoDiscovery should NEVER test unencrypted methods >> * Email Clients should deprecate the above >> * Other ideas to address email compromise risks worldwide? >> >> Given that in todays climate, of millions of compromised devices on the internet designed to 'sniff' traffic, sending authentication over the clear IMHO should NOT be recommended or referenced in RFC's, otherwise vendors will continue to support these. We still see 'pop connectors' by 3rd parties, various auto-discovery methods that attempt to connect using POP 110, all whom send email credentials in the clear, risking unintended exposure of this data. >> >> All modern email clients have a role in protecting users, and by supporting such legacy methods, these risks will continue. >> >> While some new RFC materials cover the SHOULD be over encrypted, and some cover recommendations, a larger discussion in general over whether updates should occur, to deprecate language that would allow for insecure transmission of authentication protocols. >> >> And aside from our own methods to make a more transparent form of native ability in legacy protocols to support tokens that be sent before authentication credentials are received, to allow systems, users, and authentication tools to decide whether to accept authentication requests unless supported by a recognized token, there may be others working on improvements in security that crossed protocol boundaries, or address other security related threats in email. >> >> My question to the list is this: >> >> * How wide/narrow should the topic/mandate be? >> >> -- Email Authentication & Security >> -- Communication Authentication Security >> -- POP/IMAP/SMTP Authentication >> -- POP/IMAP/SMTP Policies And Considerations >> >> >> I look forward to your feedback and suggestions, but note we only have a few days left to decide on the scope, in order to to request this BOF at the Vancouver EITF meeting in March. >> >> -- Michael -- >> >> >> For those not informed, we are looking for a home as well to discuss our CLIENTID initiatives >> >> https://datatracker.ietf.org/doc/draft-storey-smtp-client-id/?include_text=1 >> https://tools.ietf.org/html/draft-yu-imap-client-id-03 >> >> >> >> -- >> "Catch the Magic of Linux..." >> ------------------------------------------------------------------------ >> Michael Peddemors, President/CEO LinuxMagic Inc. >> Visit us at http://www.linuxmagic.com @linuxmagic >> A Wizard IT Company - For More Info http://www.wizard.ca >> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. >> ------------------------------------------------------------------------ >> 604-682-0300 Beautiful British Columbia, Canada >> >> This email and any electronic data contained are confidential and intended >> solely for the use of the individual or entity to which they are addressed. >> Please note that any views or opinions presented in this email are solely >> those of the author and are not intended to represent those of the company. >> >> _______________________________________________ >> art mailing list >> art@ietf.org >> https://www.ietf.org/mailman/listinfo/art > -- "Catch the Magic of Linux..." ------------------------------------------------------------------------ Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. ------------------------------------------------------------------------ 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
- [art] [FEEDBACK REQUEST] "Birds of a Feather" top… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Stephen Farrell
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Eliot Lear
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Steffen Nurpmeso
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Brandon Long
- [art] =?UTF-8?Q?Re:__[FEEDBACK_REQUEST]_"Birds_of… Alexey Melnikov
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Michael Peddemors
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Daniel Migault
- Re: [art] [FEEDBACK REQUEST] "Birds of a Feather"… Alessandro Vesely