[dane] review of draft-ietf-dane-smtp-with-dane-02.txt
Chris Newman <chris.newman@oracle.com> Wed, 06 November 2013 01:12 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C22721E80E2 for <dane@ietfa.amsl.com>; Tue, 5 Nov 2013 17:12:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gSNo9o723gNF for <dane@ietfa.amsl.com>; Tue, 5 Nov 2013 17:12:45 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 4D2E021E80CA for <dane@ietf.org>; Tue, 5 Nov 2013 17:12:43 -0800 (PST)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id rA61CgfS006620 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <dane@ietf.org>; Wed, 6 Nov 2013 01:12:42 GMT
Received: from gotmail.us.oracle.com (gotmail.us.oracle.com [10.133.152.174]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id rA61Cfcg011651 for <dane@ietf.org>; Wed, 6 Nov 2013 01:12:41 GMT
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-disposition: inline
Content-type: text/plain; CHARSET="US-ASCII"; format="flowed"
Received: from [10.159.121.65] (dhcp-amer-vpn-rmdc-anyconnect-10-159-121-65.vpn.oracle.com [10.159.121.65]) by gotmail.us.oracle.com (Oracle Communications Messaging Server 7.0.5.29.0 64bit (built Jul 9 2013)) with ESMTPA id <0MVT00L8HI10MZ00@gotmail.us.oracle.com> for dane@ietf.org; Tue, 05 Nov 2013 17:12:40 -0800 (PST)
Date: Tue, 05 Nov 2013 17:01:54 -0800
From: Chris Newman <chris.newman@oracle.com>
To: dane@ietf.org
Message-id: <789202E67F7415FC98D8FECF@96B2F16665FF96BAE59E9B90>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Subject: [dane] review of draft-ietf-dane-smtp-with-dane-02.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2013 01:12:51 -0000
I have read draft-ietf-dane-smtp-with-dane-02.txt and support advancing it on standards track if three changes* are made to the document as mentioned in my comments below. I believe this is a plausible strategy to improve security/privacy for SMTP relay and is close to ready for publication. Page 6: > or all destinations, in which case mail delivery will be deferred > when "secure" TLSA records are absent. *1* This should state whether the error is permanent or temporary (deferred implies a temporary error but it'd be nice to make it explicit). An SMTP enhanced status code should be defined and registered for this error condition. The registry was introduced by RFC 5248. Here's the IANA link: http://www.iana.org/assignments/smtp-enhanced-status-codes/smtp-enhanced-status-codes.xhtml#smtp-enhanced-status-codes-3 I suggest a new X.7.X code would be appropriate for this case. A few lines of text describing the meaning of the code in an IANA Considerations section is all that's needed. Page 9: > Note: CNAMEs are not legal in the exchange field of MX records, thus > MTAs are not obligated to perform MX exchange CNAME expansion. If an > MTA does not perform CNAME expansion, there is potential risk, that > the MTA may fail to notice that it is one of the MX hosts for the > destination and that it must skip MX records with equal or worse > (numerically higher precedence). If an MTA does allow CNAMEs to be > used in MX records, it SHOULD process them recursively as described > above to determine the most appropriate TLSA RRset base domain. This document is a bit long. I suggest dropping all text after the first sentence in this paragraph. I don't think it's worth the words to describe how to accommodate misconfigured deployments. > with custom routes specified by the MTA administrator or when an MUA > connects to a submission server on port 587. The SMTP client MUST *2* I believe it's undesirable to attempt to deploy DANE TLSA for submission services (port 587 or de-facto port 465) as it may cause confusion and possibly harm to the MUA infrastructure more than it causes benefit. I'd prefer for submission clients to implement the same TLS certificate algorithm for all three of POP, IMAP and Submission. The current algorithm described in RFC 3501 (similar to RFC 6125) is what many implement. A compromise position would be to link the DANE TLSA lookup with an attempted MX lookup. That is, if a submission client looks for MX records with the submission server's name (a practice that is uncommon), then it should also look for DANE TLSA. Otherwise traditional TLS verification should be used by submission clients. The MUA infrastructure is much more fragile than the MTA infrastructure when it comes to security. And it's often subject to the whims and limitations of client-OS-provided SSL libraries; having two different ways to validate certificates at the client side is more likely to break things than to improve them. For MTA relay, the opposite is true both due to the use of MX records and because traditional TLS server authentication is generally not used for relay. Page 12: > anchor certificates in server trust chains. SMTP client > implementations SHOULD support these TLSA RRs, unless, despite the > above warning, a non-trivial fraction of server operators fail to > publish certificate chains that include the required TA > certificate. It sounds like you really want this to deploy (because it simplifies the operator's job) but you're worried it won't due to operator CA management errors. So how about adding a requirement for server implementers so the management error is likely to be noticed by the right people. Something like: "SMTP servers implementing DANE TLSA SHOULD verify that the CA for a server certificate that will be provided by TLS is installed on the server and SHOULD log an error or disable TLS support if the required CA is missing." Speaking with my server implementer hat on, I think I know how to write that code, but I won't be able to justify the time to do so unless it's at least a recommendation in a spec we claim to implement. > or "1". SMTP clients cannot be expected to be configured with a ^ relay >... > public CAs, SMTP clients cannot (without relying on DNSSEC for secure ^ relay I disagree that this statement is true for submission clients. > SMTP client treatment of TLSA RRs with certificate usages "0" or "1" ^ relay > MX: If the TLSA base domain was obtained indirectly via an MX lookup > (it is the name of an MX exchange that may be securely CNAME > expanded), then the initial query name used in the MX lookup > SHOULD be accepted in the peer certificate. The CNAME-expanded > initial query name SHOULD also be accepted if different from the > initial query name. This text makes me quite uncomfortable and I think some discussion is merited. I'm not sure if all TLS stacks support certificate validation against more than one name. And having a single name is a common simplification in higher-level TLS APIs. I'd prefer an algorithm where only one name is valid. Common TLS practice has been that the name that was used prior to any DNS or remote lookup (regardless of record type) is the only valid name. This issue isn't a show stopper issue to me, but it may be a deployment barrier and I want as few of those as possible. Page 14: > The client may even offer to use anonymous TLS ciphersuites and > servers SHOULD support these. No security is gained by sending a *3* This paragraph needs to be removed. Here are my reasons: 1. For clients, using a regular cipher suite means the client has the option of pinning the server certificate and then it can at least record in an audit log if it's talking to the same server as last time (even if it continues sending if the certificate changes). 2. TLS stacks are complex and the more code they contain the more risk there is of a vulnerability. As clients have the option of ignoring server certificate validation (or doing 1), there's no functionality gain by having anonymous cipher suites in the stack. But there is increased security risk by having that code present. Some TLS stacks are removing anonymous cipher suites (or never included them) for this reason. 3. The TLS protocol has interoperability problems if the client hello has too many cipher suites in it. So some TLS stacks are busily discussing which cipher suites to trim out of the default client hello so that they can get a good "moving window" of security technology allowing backwards compatibility and upgrade to strong modern cipher suites. Enabling the anonymous cipher suites would cause the moving window to be smaller and thus deter upgrading to better cipher suites. As for the auditing benefit of anonymous cipher suites, I agree but I believe there's a better way to address that issue that can be handled in the document Keith & I are writing. >3. Opportunistic TLS for Submission *2* For reasons stated above I believe this section should be removed. Page 17: > Opportunistic SMTP TLS depends critically on DNSSEC for downgrade > resistance and secure resolution of the destination name. If DNSSEC > is compromised, it is not possible to fall back on the public CA PKI > to prevent MITM attacks. A successful breach of DNSSEC enables the > attacker to publish TLSA usage 3 certificate associations, and > thereby bypass any security benefit the legitimate domain owner might > hope to gain by publishing usage 0 or 1 TLSA RRs. Given the lack of > public CA PKI support in existing MTA deployments, deprecating > certificate usages 0 and 1 in this specifications improves > interoperability without degrading security. For SMTP relay, this is not a problem because there is near zero deployment of RFC 6125 certificate verification in that context. However, for SMTP submission, RFC 6125 verification is deployed somewhat and works reasonably well (assuming one doesn't use SRV records or does not mind a one-time MITM risk during account setup). So the introduction of DANE TLSA to SMTP submission adds a this new serious vulnerability that was not previously present. So this is now another reason I oppose recommending DANE TLSA for submission. - Chris
- [dane] review of draft-ietf-dane-smtp-with-dane-0… Chris Newman
- Re: [dane] review of draft-ietf-dane-smtp-with-da… James Cloos
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Dickson, Brian
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Viktor Dukhovni
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Chris Newman
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Viktor Dukhovni