Re: [dane] review of draft-ietf-dane-smtp-with-dane-02.txt
Chris Newman <chris.newman@oracle.com> Fri, 08 November 2013 01:32 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A810021E8181 for <dane@ietfa.amsl.com>; Thu, 7 Nov 2013 17:32:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.25
X-Spam-Level:
X-Spam-Status: No, score=-106.25 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G9oaaNEx9wNm for <dane@ietfa.amsl.com>; Thu, 7 Nov 2013 17:32:38 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id A418621E817C for <dane@ietf.org>; Thu, 7 Nov 2013 17:32:31 -0800 (PST)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id rA81WSki027732 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <dane@ietf.org>; Fri, 8 Nov 2013 01:32:29 GMT
Received: from gotmail.us.oracle.com (gotmail.us.oracle.com [10.133.152.174]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id rA81WSwX009558 for <dane@ietf.org>; Fri, 8 Nov 2013 01:32:28 GMT
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-disposition: inline
Content-type: text/plain; CHARSET="US-ASCII"; format="flowed"
Received: from [10.159.102.20] (dhcp-amer-vpn-rmdc-anyconnect-10-159-104-97.vpn.oracle.com [10.159.104.97]) by gotmail.us.oracle.com (Oracle Communications Messaging Server 7.0.5.29.0 64bit (built Jul 9 2013)) with ESMTPA id <0MVX00C038A1UG00@gotmail.us.oracle.com> for dane@ietf.org; Thu, 07 Nov 2013 17:32:27 -0800 (PST)
Date: Thu, 07 Nov 2013 17:32:26 -0800
From: Chris Newman <chris.newman@oracle.com>
To: dane@ietf.org
Message-id: <B46500995FC1BC57A39C51E1@96B2F16665FF96BAE59E9B90>
In-reply-to: <20131107171006.GC761@mournblade.imrryr.org>
References: <789202E67F7415FC98D8FECF@96B2F16665FF96BAE59E9B90> <20131107171006.GC761@mournblade.imrryr.org>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Subject: Re: [dane] review of draft-ietf-dane-smtp-with-dane-02.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 01:32:44 -0000
Thanks for the thoughtful response! --On November 7, 2013 17:10:06 +0000 Viktor Dukhovni <viktor1dane@dukhovni.org> wrote: > On Tue, Nov 05, 2013 at 05:01:54PM -0800, Chris Newman wrote: > >> I have read draft-ietf-dane-smtp-with-dane-02.txt and support >> advancing it on standards track if three changes* are made to the >> document as mentioned in my comments below. I believe this is a >> plausible strategy to improve security/privacy for SMTP relay and is >> close to ready for publication. > > Thanks for the feedback. The primary points of contention appear > to be: > > - Objection to DANE TLSA for submission. > > - Objection to requirement to match any of multiple peer names. > > - Suggestion that SMTP servers not offer TLS if the configured trust > chain lacks a suitable TA. > > - Objection to text recommending anonymous cipher support on > the server. > > My response to each below: > > - DANE for SMTP Submission > > * This is good measure a response to RFC6409 which introduces > SRV records as a means to offer zeroconf MSA deployments. I think you meant RFC 6186. Putting on my mail end-user hat, I'm not sufficiently concerned by active attacks during account setup that I'd be willing to spend more money on a mail client to get protection for that. Mail clients that implement 6186 can do the SRV lookup insecurely and then use traditional TLS with the resulting hostnames embedded in the account profile from then on. I believe that will be good enough for most end users and MUA vendors. How many people do you know who verify the SSH fingerprint the first time they connect to a server? > With the client having no securely obtained name to check in > the peer certificate, the peer certificate is unusable, one > can check it is valid, but one check that it names the right > server. > > My contention is that MUA + SRV is in the same boat as MTA + MX > and the only practical way to make either secure is DANE. What evidence do you have that DANE is practical for MUAs? Do you have any significant MUA vendors who want to implement DANE for submission? If RFC 6125 SRV validation deploys in SSL stacks, then MUAs could implement SRV validation for submission with a single function call. The chance an MUA vendor will instead do all the work of embedding a new DNS library to do DNSSEC and DANE seems remote to me. You do have evidence DANE for MTA + MX is practical because you've implemented it and other MTA vendors are paying attention. There also isn't a better option that includes server authentication for the deployed MX infrastructure. Many MTAs already have an embedded DNS library anyway for multi-threaded MX lookups so upgrading it to support DNSSEC seems plausible. I've been in the email standards world for quite a while and this sort of client/server deployment asymmetry is annoying and frustrating when trying to make the infrastructure better, but it's also reality. > - Objection to multiple peer names. > > * This was adopted from Tony's expired SRV draft. I agree with > the motivation to interoperate with existing practice. It is > already common in bilateral SMTP security configurations to > field certificates that match the recipient domain, not the > MX host. Public CAs even market (I may have misremembered > the name) Unified Messaging Certificates. > > So DANE SMTP clients need to be prepared to encounter certificates > tailored to a pre-DANE world. > > Postfix (widely deployed) supported multiple name values, even > before DANE. This is IMHO not a major obstacle. I think Postfix uses OpenSSL. Our MTA uses NSS. The basic certificate validation API in NSS takes a single name, and I haven't yet investigated the extent to which it has callbacks to support multiple names. I generally consider NSS the #2 open source SSL library in terms of deployment as it's used in Thunderbird and Firefox as well as elsewhere. Anyway my concern is that multiple names could be a deployment barrier. So if there's a way to write the standard that didn't require multiple names it might be easier to deploy the standard. However, if it's necessary to support two names to make the model work, then it might be worth additional investigation of how big a barrier it will be and if that barrier can be mitigated. I'll take an action item to investigate the NSS API further to see how easy it is to work around that problem. > - SMTP server chain sanity checks > > * This is rather tricky. An SMTP server does not generally know whether > it is doing DANE or not, clients know whether they are doing DANE > when they obtain (or fail to obtain) appropriate TLSA records. Point taken. I withdraw the suggestion. > - Anon ciphers > > * A substantial fraction of SMTP MTAs enable and will continue > to enable anon ciphersuites when not authenticating the server. I have no problem with this. Those MTAs are free to make that choice. > * The comment in the draft is recommending *server* server support > for these. Why does this draft need to recommend them? It's inviting unnecessary problems and disrespect for other recommendations in the draft. I work on the SSL stack integration for our Messaging Server for IMAP/POP/SMTP/LDAP/etc. I want to keep configuration of that stack as simple as possible to avoid inadvertent security configuration errors. Having a different set of ciphers that are enabled for different purposes makes the product unnecessarily complicated and increases the chances of a security configuration or coding error. I do allow the site admin to do that with configuration if they really want to, but there will be a single default set of ciphers enabled for all uses of SSL/TLS in our product and it won't include the anonymous ciphers. I wouldn't consider changing that because I don't want to explain it in the documentation nor take the risk I'll make a mistake and enable the anon ciphers when they're inappropriate. It can be argued that the presence of the anon ciphers in a TLS stack is a security design error. It's hard enough to get certificate validation right so the server is authenticated (far too much code ignores certificate validation failures). But if it's also necessary to double-check the list of enabled ciphers to make sure authentication works when it's needed, that's just asking for more broken security in the wild. There was a discussion on the NSS developers list about removing the anonymous ciphers from that library. I don't recall the outcome of the discussion, but I'd support their removal simply on the basis that less code is almost always safer. And if they're not in the SSL library they won't be enabled and any recommendation you put in the draft will be ignored. You also might get challenges during IETF last call on this topic for various reasons. That's somewhat less likely now the general attitude in the IETF is more supportive of opportunistic encryption after recent events. But I'd prefer to see this document finished sooner rather than later, so let's drop this unnecessary advice when it's easier to do so rather than later in the process where it can take longer. As a suggestion: the draft might recommend servers log the cipher suite and note that if an anonymous cipher suite is negotiated that the server's log will then indicate no authentication was performed. That's true and non-controversial. >> The TLS protocol has interoperability problems if the client hello >> has too many cipher suites in it. > > * This issue may have been substantially addressed yesterday, > see the the IETF TLS mailing list thread on ALPIN: > > http://www.ietf.org/mail-archive/web/tls/current/msg10423.html > > Avoiding client HELLO with length in [256,512) resolves the > SSLv2 vs. SSLv3 HELLO ambiguity. Glad to hear that! - Chris
- [dane] review of draft-ietf-dane-smtp-with-dane-0… Chris Newman
- Re: [dane] review of draft-ietf-dane-smtp-with-da… James Cloos
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Dickson, Brian
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Viktor Dukhovni
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Chris Newman
- Re: [dane] review of draft-ietf-dane-smtp-with-da… Viktor Dukhovni