Re: [dane] review of draft-ietf-dane-smtp-with-dane-02.txt
Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 07 November 2013 17:10 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF55921E81F9 for <dane@ietfa.amsl.com>; Thu, 7 Nov 2013 09:10:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7KUrWoS4dgC for <dane@ietfa.amsl.com>; Thu, 7 Nov 2013 09:10:16 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 6383011E8276 for <dane@ietf.org>; Thu, 7 Nov 2013 09:10:07 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 15ACB2AB0B7; Thu, 7 Nov 2013 17:10:06 +0000 (UTC)
Date: Thu, 07 Nov 2013 17:10:06 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131107171006.GC761@mournblade.imrryr.org>
References: <789202E67F7415FC98D8FECF@96B2F16665FF96BAE59E9B90>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <789202E67F7415FC98D8FECF@96B2F16665FF96BAE59E9B90>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] review of draft-ietf-dane-smtp-with-dane-02.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2013 17:10:22 -0000
On Tue, Nov 05, 2013 at 05:01:54PM -0800, Chris Newman wrote: > I have read draft-ietf-dane-smtp-with-dane-02.txt and support > advancing it on standards track if three changes* are made to the > document as mentioned in my comments below. I believe this is a > plausible strategy to improve security/privacy for SMTP relay and is > close to ready for publication. Thanks for the feedback. The primary points of contention appear to be: - Objection to DANE TLSA for submission. - Objection to requirement to match any of multiple peer names. - Suggestion that SMTP servers not offer TLS if the configured trust chain lacks a suitable TA. - Objection to text recommending anonymous cipher support on the server. My response to each below: - DANE for SMTP Submission * This is good measure a response to RFC6409 which introduces SRV records as a means to offer zeroconf MSA deployments. With the client having no securely obtained name to check in the peer certificate, the peer certificate is unusable, one can check it is valid, but one check that it names the right server. My contention is that MUA + SRV is in the same boat as MTA + MX and the only practical way to make either secure is DANE. Once we have at least one use-case for MUA + DANE, there is also the use case in which the server administrator and MUA user prefer to use DANE. There needs to be standard for this, and an SMTP + DANE RFC seemed like a fine place to cover this. - Objection to multiple peer names. * This was adopted from Tony's expired SRV draft. I agree with the motivation to interoperate with existing practice. It is already common in bilateral SMTP security configurations to field certificates that match the recipient domain, not the MX host. Public CAs even market (I may have misremembered the name) Unified Messaging Certificates. So DANE SMTP clients need to be prepared to encounter certificates tailored to a pre-DANE world. Postfix (widely deployed) supported multiple name values, even before DANE. This is IMHO not a major obstacle. - SMTP server chain sanity checks * This is rather tricky. An SMTP server does not generally know whether it is doing DANE or not, clients know whether they are doing DANE when they obtain (or fail to obtain) appropriate TLSA records. To determine whether it is missing a TA cert, a server would have to look up TLSA records for all relevant domains, locate the MX record that identifies it, obtain the TLSA RRset. If that RRset has usage 2 entries, after (in the SNI use-case) figuring out which chain applies to that domain, it then needs to validate the chain to see whether the required TA is present. I don't see ever implementing this for Postfix. What I did implement is a command-line tool that allows one to probe SMTP server TLS support and determine whether TLS works, including tests of DANE verification when TLSA records are found. Server operators should test their servers from a client that is configured with zero trusted CAs and make sure that DANE works there, when DANE TLSA records are published. We can give some more specific guidance to server operators on testing their deployment, perhaps in the ops draft, but I would not object to additional overlap in the SMTP draft. - Anon ciphers * A substantial fraction of SMTP MTAs enable and will continue to enable anon ciphersuites when not authenticating the server. * The comment in the draft is recommending *server* server support for these. If the client has already sent a HELLO message with a bunch of anon ciphersuites, the server may as well use one, and though it may prefer non-anon ciphers, its TLS stack should not fail just because anon ciphers were offered. > The TLS protocol has interoperability problems if the client hello > has too many cipher suites in it. * This issue may have been substantially addressed yesterday, see the the IETF TLS mailing list thread on ALPIN: http://www.ietf.org/mail-archive/web/tls/current/msg10423.html Avoiding client HELLO with length in [256,512) resolves the SSLv2 vs. SSLv3 HELLO ambiguity. -- Viktor.
- [dane] review of draft-ietf-dane-smtp-with-dane-0… Chris Newman
- Re: [dane] review of draft-ietf-dane-smtp-with-da… James Cloos
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Dickson, Brian
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Viktor Dukhovni
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Chris Newman
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Viktor Dukhovni