Re: [dane] Barry Leiba's Discuss on draft-ietf-dane-smtp-with-dane-17: (with DISCUSS and COMMENT)
Barry Leiba <barryleiba@computer.org> Tue, 26 May 2015 02:58 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C8CC1A8974; Mon, 25 May 2015 19:58:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.678
X-Spam-Level:
X-Spam-Status: No, score=-0.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, J_CHICKENPOX_25=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lNV0B4DPedSY; Mon, 25 May 2015 19:58:02 -0700 (PDT)
Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E39141A894A; Mon, 25 May 2015 19:58:01 -0700 (PDT)
Received: by igbpi8 with SMTP id pi8so47746699igb.1; Mon, 25 May 2015 19:58:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=TZOkEmp04axzHJtIZIhAZ8YU7eXJ+URPYyngJSj7edE=; b=LoYhbhaCwvf1yd2Y2LoPPPVWbyOheWD6CY9TOmeKXXYRPQx1QRyOrbsvOvbgCa0Ui2 4To6CttB3fJqw6PfIAOycad0RvIFsLYfIZ9kScpic+pAZts1rYR57G+cGPOvlcWa5B0Z NUSYW2AFUiuX7hsGpVZGySaYI+VDCHtYx5y0T4oDpVs22qA/EDgp+DEPmzQXXwoMpX97 gqsUruVTrYtD2bEryzHKyoww9DIIwCHClolta1ZvQ3yGJ+4iI9ZJtfLSaRUjo5RryeUd rw5BGxpKG/h/JFec47IhwuqYAglfD+qsw4HGAAzbcHw0YrW7KRVkIXO7C//tEpta+BpY Sq0A==
MIME-Version: 1.0
X-Received: by 10.107.25.199 with SMTP id 190mr17610875ioz.11.1432609081414; Mon, 25 May 2015 19:58:01 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.107.3.195 with HTTP; Mon, 25 May 2015 19:58:01 -0700 (PDT)
In-Reply-To: <20150525020430.GK17272@mournblade.imrryr.org>
References: <20150524204121.31745.72546.idtracker@ietfa.amsl.com> <20150525020430.GK17272@mournblade.imrryr.org>
Date: Mon, 25 May 2015 22:58:01 -0400
X-Google-Sender-Auth: 0Ej5K_PSpSclCA8bHa7IlGW8g68
Message-ID: <CALaySJK9PpqmpU2aSG9rzg_Uxhup7JjO9rMVo9wXBuy0_xJd7g@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: dane@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/r3BF5fbN9dF9W5qDykaHUIbiFbw>
Cc: draft-ietf-dane-smtp-with-dane@ietf.org
Subject: Re: [dane] Barry Leiba's Discuss on draft-ietf-dane-smtp-with-dane-17: (with DISCUSS and COMMENT)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 02:58:04 -0000
Quick response for tonight, with a fuller one on Tuesday, NY time: Thanks for the responses, Viktor and Olafur. Between the two, you've explained what I need for DISCUSS point 2. Tomorrow I'll clear the DISCUSS completely and give a better email response (short version: all is good on all comments, and thanks). As to when to post a revised I-D: my preference is always "early and often", but you should check with Stephen, as he's the responsible AD. Barry On Sun, May 24, 2015 at 10:04 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Sun, May 24, 2015 at 01:41:21PM -0700, Barry Leiba wrote: > >> 1. References and terminology: >> >> You use RFC 1034 to define "RR", and RFC 5598 to define "MSA", "MTA", and >> "MUA". And these are definitions that must be understood in order to >> properly understand this document. I think that makes those normative >> references, not informative ones, and they should be changed. (5598 is >> already in the downref registry, so,there's no problem with the downref >> here.) > > No objections from me. If nobody else objects, I'll move these to > normative in a few days. > >> 2. Section 2.2.1 says this: >> >> That said, the protocol in this memo is >> an "opportunistic security" protocol, meaning that it strives to >> communicate with each peer as securely as possible, while maintaining >> broad interoperability.? Therefore, the SMTP client MAY proceed to >> use DANE TLS (as described in Section 2.2.2 below) even with MX hosts >> obtained via an "insecure" MX RRSet.? For example, when a hosting >> provider has a signed DNS zone and publishes TLSA records for its >> SMTP servers, hosted domains that are not signed may still benefit >> from the provider's TLSA records. >> >> That makes sense. Why doesn't the same thing apply for insecure TLSA >> records? Section 2.2 says that when TLSA records are insecure, you don't >> use them, and SHOULD use pre-DANE security. Please explain why they >> shouldn't use insecure TLSA records for opportunistic encryption. > > If I recall correctly, the working group was concerned about diluting > the otherwise clear position that TLSA should not be used without > DNSSEC. > > In the context this draft alone, the main reason to avoid using > TLSA records from insecure zones, is that lookups of such records > are prone to failures (with long timeouts while trying all NS > records) against "bare-bones" nameservers that support neither > DNSSEC nor TLSA records. > > When the MX RRset is secure, but the A/AAAA records are insecure, > no TLSA lookup takes place. I think that proceeding with (soft-fail) > TLSA lookups when the MX RRset is insecure invites implementation > errors. > >> 3. In Section 2.2.1: >> >> When DANE TLS is mandatory (Section 6) for >> a given destination, delivery MUST be delayed when the MX RRSet is >> not "secure". >> >> This contradicts the "delivery MAY proceed" in the previous paragraph >> (and it also doesn't really fit into the paragraph about logging anyway). >> If you want to restrict things, I think you should put the most >> restrictive condition first, so move this sentence to the top of the >> previous paragraph this way: >> >> OLD >> If the MX RRSet (or any CNAME leading to it) is "insecure" (see >> Section 2.1.1), DANE TLS need not apply, and delivery MAY proceed via >> pre-DANE opportunistic TLS. >> NEW >> If the MX RRSet (or any CNAME leading to it) is "insecure" (see >> Section 2.1.1), then if DANE TLS is mandatory (Section 6) for >> the given destination, delivery MUST be delayed. If DANE TLS >> is not mandatory, then it need not apply, and delivery MAY proceed >> via pre-DANE opportunistic TLS. >> END > > Thanks, this is a big improvement. Perhaps the "MAY proceed" should > probably also be clarified. The intention is to note the possibility > of using pre-DANE TLS (which is not required, cleartext is also > allowed). It is not the intention of this text to make using the > MX host optional. Delivery, with or without TLS, MUST be attempted. > > So perhaps better still: > > NEW > If the MX RRSet (or any CNAME leading to it) is "insecure" (see > Section 2.1.1), then if DANE TLS is mandatory (Section 6) for > the given destination, delivery MUST be delayed. If DANE TLS > is not mandatory, then DANE does not apply and delivery proceeds > with pre-DANE opportunistic TLS (perhaps even in cleartext). > END > >> -- Section 2.2 -- >> >> ... DNSSEC validated TLSA records MUST NOT be published for >> servers that do not support TLS. Clients can safely interpret their >> presence as a commitment by the server operator to implement TLS and >> STARTTLS. >> >> I don't know that this needs any text changes, though perhaps a mention >> of this in the Security Considerations would be good: I'm not sure how >> "safely" they will be able to do that in practice. > > Indeed the "safely" is the result of the server mandate, and also the > problems servers will incur when they mess up, once this protocol is > adopted sufficiently widely. So "safely" is somewhat forward-looking. > Should such a note be in "Security" or "Operational" considerations? > And is it really needed? > >> I'm hoping that once this really gets rolled out, that won't be a real >> issue, but it could be for a while. It might be worth saying in the >> Security Considerations that such a situation needs to be avoided, and >> coordination is important, to make sure it doesn't happen. Otherwise, >> according to Section 2.2, mail delivery from DANE-aware MTAs will fail. > > We're on the same page, the only question is whether this is > sufficiently obvious to avoid needing to explain it. > >> -- Sections 2.2.1 and 2.2.2 -- >> >> In 2.2.1: >> In the absence of DNS lookup errors (Section 2.1.1), if the MX RRset >> is not "insecure" then it is "secure", and the SMTP client MUST treat >> each MX hostname as a separate non-MX destination for opportunistic >> DANE TLS (as described in Section 2.2.2). >> >> In 2.2.2: >> This section describes the algorithm used to locate the TLSA records >> and associated TLSA base domain for an input domain that is not >> subject to MX resolution or that lacks MX records. >> >> NEW >> In the absence of DNS lookup errors (Section 2.1.1), if the MX RRset >> is not "insecure" then it is "secure", and the SMTP client MUST treat >> each MX hostname as described in Section 2.2.2. >> END >> >> NEW >> This section describes the algorithm used to locate the TLSA records >> and associated TLSA base domain for an input domain that is not >> subject to MX resolution, that represents a hostname from a secure MX >> RRset, or that lacks MX records. >> END > > Much better, thanks. When would you like to see a new version with > these changes? (I am guessing I should wait for any additional IESG > comments?) > >> You might also >> re-think the title for Section 2.2.2, but I think that's less important. > > I see what you mean, but nothing obvious comes to mind. Is "Post-MX" > better than "Non-MX"? > >> -- Section 2.2.3 -- >> >> If the ultimate response is a "secure" TLSA RRSet, then the candidate >> TLSA base domain will be the actual TLSA base domain and the TLSA >> RRSet will constitute the TLSA records for the destination. If none >> of the candidate TLSA base domains yield "secure" TLSA records then >> delivery MAY proceed via pre-DANE opportunistic TLS. SMTP clients >> MAY elect to use "insecure" TLSA records to avoid STARTTLS downgrades >> or even to skip SMTP servers that fail authentication, but MUST NOT >> misrepresent authentication success as either a secure connection to >> the SMTP server or as a secure delivery to the intended next-hop >> domain. > > Thanks for highlighting this. The same fix as above for "MAY > proceed via pre-DANE opportunistic TLS" should likely be applied > here. > >> When SMTP clients elect to use insecure TLSA records, this text implies, >> but doesn't make it completely clear, that they should only do that after >> checking all candidates. > > Yes. There are at most two choices (before and after CNAME > expansion). The expansion is tried first, and if that is not > secure, and there was in fact CNAME indirection, the origin MUST > be tried. If the origin is secure, that MUST be used. > > I can tweak this text for more clarity. > >> It would be good to be clear: check all >> candidates, stopping at the first secure TLSA. If no candidates produce >> secure TLSA, then you MAY use an insecure one, or you MAY use pre-DANE >> TLS. Is that right? > > Yes, and that "last" MAY, is really a "free to use TLS the old > way", but in any case MUST use the destination with whatever security > you can get. No skipping of insecure MX hosts. Adherence to MX > preference first, channel security second. > >> In general, I strongly encourage you to review Section 2.2.3 and make >> sure that it reads smoothly to someone who's not already familiar with >> the DANE SMTP work. I'm not sure the organization of the thoughts in >> this section is very good as it's currently written. > > Noted. How should I communicate any proposed revisions? > >> -- Section 3.1 -- >> >> In summary, we RECOMMEND the use of either "DANE-EE(3) SPKI(1) >> SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records >> depending on site needs. > > Indeed, these two are a sufficient best-practice set to cover all > needs. > >> But later, in Section 3.1.1, you specifically single out the former: >> >> TLSA records published for SMTP servers SHOULD, in most cases, be >> "DANE-EE(3) SPKI(1) SHA2-256(1)" records. > > The vast majority of sites should (and do in fact among the early > adopters) stick to usage DANE-EE(3), the DANE-TA(2) case is for > select sites with an internal PKI (private CA) and lots of servers. > >> To be more consistent in your advice, I suggest changing the advice in >> 3.1 thus: >> >> NEW >> In summary, we RECOMMEND the use of "DANE-EE(3) SPKI(1) >> SHA2-256(1)", with "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA >> records as a second choice, depending on site needs. See >> the following two subsections for more details. >> END > > This works. Thanks. > >> -- Section 3.1.1 -- >> >> Similarly, the expiration date of the server certificate MUST be >> ignored, the validity period of the TLSA record key binding is >> determined by the validity interval of the TLSA record DNSSEC >> signature. >> >> Editorial: "Similarly" to what? I'd remove the word. Also, the comma >> after "ignored" needs to be a colon (or a semicolon, but I think a colon >> is better here; the comma splice is just wrong). > > Will do. > >> With DANE-EE(3) servers need not employ SNI (may ignore the client's >> SNI message) even when the server is known under independent names >> >> Editorial: This needs a comma after "DANE-EE(3)", and would do well with >> "they" before "may ignore"). > > Thanks. > >> -- Section 3.1.1 -- >> >> Such servers MUST either publish DANE-TA(2) >> records for an intermediate certificate or MUST instead use DANE- >> EE(3) TLSA records. >> >> The first "MUST" should be moved one word later, after "either" (or else >> the second "MUST" should be removed). > > Thanks, no problem. > >> -- Section 3.1.3 -- >> >> Note, this section applies to MTA-to-MTA SMTP on port 25. >> >> Earlier, in 2.2.3, you note that "the destination TCP port is typically >> 25, but this may be different with custom routes specified by the MTA >> administrator". I don't think you mean for this section not to apply in >> the latter case, so I suggest changing this to, "Note, this section >> applies to MTA-to-MTA SMTP, which is normally on port 25." > > Thanks. Indeed that's the correct formulation. > >> Nothing is lost since the >> PKIX certificate usages cannot aid SMTP TLS security, they can only >> impede SMTP TLS interoperability. >> >> Editorial: You need a comma after "lost", and the existing comma needs to >> be a semicolon. >> >> The last paragraph of the section is missing a final period. > > No worries. > >> -- Section 6 -- >> >> Administrators of mail servers that employ mandatory DANE TLS, need >> to carefully monitor their mail logs and queues. >> >> Nit: the comma should be removed. > > Thanks. > > -- > Viktor. >
- [dane] Barry Leiba's Discuss on draft-ietf-dane-s… Barry Leiba
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Viktor Dukhovni
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Olafur Gudmundsson
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Mark Andrews
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Paul Wouters
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Viktor Dukhovni
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Mark Andrews
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Paul Wouters
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Mark Andrews
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Barry Leiba
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Stephen Farrell
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Barry Leiba
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Viktor Dukhovni
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Stephen Farrell
- Re: [dane] Barry Leiba's Discuss on draft-ietf-da… Barry Leiba