Re: [dispatch] draft-storey-smtp-client-id-08.txt - privacy considerations
Brandon Long <blong@google.com> Mon, 23 March 2020 20:43 UTC
Return-Path: <blong@google.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEF6E3A0E84 for <dispatch@ietfa.amsl.com>; Mon, 23 Mar 2020 13:43:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XlF5_UxreEcV for <dispatch@ietfa.amsl.com>; Mon, 23 Mar 2020 13:43:05 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E87293A0E70 for <dispatch@ietf.org>; Mon, 23 Mar 2020 13:42:59 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id g24so1715216uan.10 for <dispatch@ietf.org>; Mon, 23 Mar 2020 13:42:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JMU/c2p8raoDQThRWquVJ689Lzkm/oNniX/jwUOZydU=; b=TDTKS4cVo5BmULG2ibJrTtHuEDAALlapnQN6aDe1xuU+CU3FZfh4EpIYRuCvUB27L9 00XYPCn6DhF28MRbI7N42QfUNFWTB9FWBeNe4mvbtm6Jnx8G/DSg4ZwpbdDpdtQC05lX iqtLv5/yhbmANZqG7dDQO1VOWUsWS6Kf2mkxABhCHY7hlZw5PyqjbLvP3/8xFvF7y/p3 5VwaNvnscXeahPDJ2ZI71jDOFWMij+EvpqgvMY5UB58fMF0x3g/9ekVgXwWPjB35iSPF 1kzELQDazIOc+P7yZWHTtbYLGksfFodNev45g9TVPbIK9CebJaXqAThdIvsexyrn2fLk Ye6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JMU/c2p8raoDQThRWquVJ689Lzkm/oNniX/jwUOZydU=; b=RFLqeUs9BxDlXinlfOFfI9fgY17u65JL0C0fE960TbYTduupggBmxSKLoI6xzhh/ut dNDUfz4vDzwQaVIUC4geHapVPvoUGf9qD4fNyAqpDVJbfo/S1Th7Lcy7ybTAXMh/eZNK H/kBp4dzs1Uc7M6SEXjwEo3PNDiUmHz4OEBezn00ZK/Ae/79NGDQ2mWD3rsZ30yswfx/ TG/FCvzvGvFQvTXKlhKUCzgBVQR6c53DsupdIheRmB0GcMCRCwWMYpn89twar1qdTx8r aMwBkW6QM7znk7L3yuXPe993v1qr4Ow2Xk1OK5GYQXJk2UoiS1jdd9LailUYdh1lTKrp d+4A==
X-Gm-Message-State: ANhLgQ2kXxHy4WJZ99eQdop/J8ye4yhmgfX0DedC0lgQJqX8trTwPi1m d7e+VIhSvEIeXBAaMeNm12zE10Y2bVsf7dX9uYkue6I=
X-Google-Smtp-Source: ADFU+vt0sJ7Rv7U5XtkuRSO6koetiS2V+JNRCkudbNIi+7FP/0IpDGwFLRLxMoP6vbLMX4NNEyiUMchVEl/vZ16vQuE=
X-Received: by 2002:ab0:750c:: with SMTP id m12mr5574405uap.31.1584996178598; Mon, 23 Mar 2020 13:42:58 -0700 (PDT)
MIME-Version: 1.0
References: <7b8fafc9-9ea3-6180-8827-5d06b1930f18@alvestrand.no> <CABcZeBP2AzxKR6KHhqkEmx=YzJT4E5HCM2YRhXWYn1dp5mM7TQ@mail.gmail.com>
In-Reply-To: <CABcZeBP2AzxKR6KHhqkEmx=YzJT4E5HCM2YRhXWYn1dp5mM7TQ@mail.gmail.com>
From: Brandon Long <blong@google.com>
Date: Mon, 23 Mar 2020 13:42:46 -0700
Message-ID: <CABa8R6tMwZwvJtp5wCuDaJqZAG2Lt9cSNtoEMzC4HQF+GhyS+g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Harald Alvestrand <harald@alvestrand.no>, DISPATCH <dispatch@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003298a505a18baef1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/fQV_YfUpSazx2WtbH-3AB2U2KYA>
Subject: Re: [dispatch] draft-storey-smtp-client-id-08.txt - privacy considerations
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2020 20:43:07 -0000
A random clientid generated by the client and only sent to the server with login information over an encrypted connection doesn't seem quite the same. Currently, login credentials are often reused and can be stolen in that way, so the risk of clientid theft is different. It does not benefit if the mechanism of theft is MITM or the client device itself is compromised. Risk evaluation at login should not ignore the possibility of clientid compromise. Short of a cryptographic exchange involving ondevice secure elements, I'm not sure what level of binding you think would work.. but I fully admit to not knowing much about it. Brandon On Mon, Mar 23, 2020 at 5:54 AM Eric Rescorla <ekr@rtfm.com> wrote: > I have also skimmed the draft and have a different security concern. > > In this context, the CLIENT_ID appears to be a bearer token which can, if > recovered, be replayable transplanted onto a new connection. We have quite > a bit of experience with this kind of token in HTTP (cookies) and it's bad. > Why isn't the CLIENT_ID cryptographically bound to the connection? Of > course, this will only be effective if the ID is high entropy, but that > should be the case as well. > > -Ekr > > > On Mon, Mar 23, 2020 at 4:50 AM Harald Alvestrand <harald@alvestrand.no> > wrote: > >> I've scanned this draft: >> >> draft-storey-smtp-client-id-08.txt >> >> 9. Security Considerations >> >> As this extension provides an additional means of communicating >> information from a client to a server it is clear there is additional >> information divulged to the server. This may have privacy >> considerations depending on the client identity type or its contents. >> For example, it may reveal a MAC address of the device used to >> communicate with a server that would not previously have been >> revealed. While it has been useful to use identifier such as email >> address for authentication it is easy for these authetication tokens >> to be shared and/or reused and/or be publically available for other >> purposes. An SMTP server and or its operators SHOULD not share >> any CLIENTID information presented with a third party as it may >> represent or be linked to an individual and SHOULD never be shared in >> association with authentication tokens. >> >> Together with this section: >> >> >> Some examples of identity type might be UUID, LICENSE, >> DEVICE_ID, MAC and/or COOKIE. It is expected that the most common >> types might be related to distinct UUID, LICENSEKEY, or HARDWAREID. >> >> >> 2. LICENSE >> >> An SMTP client may find it useful to identify the license key of >> software it is using. Such licenses are typically crafted such >> that they are unique and useful to identify a software >> installation. This is more normally suited for a software >> designed for a single-user. While LICENSE could be standard type >> again, it might more more helpful to specify a vendor specific >> type such as BBLICENSEKEY. >> >> 3. DEVICE_ID >> >> Many hardware devices are designed to be used by a single >> individual and already have an associated hardware device id. >> While a standard type might be defined, it also might be more >> helpful to use a vendor specific type, such as ATOM-DEVICEID. >> >> 4. MAC >> >> The MAC address traditionally was used as a worldwide identifier >> both of the unique device, as well as it's vendor and product >> category, however this is not always the case anymore, in the case >> of it's usage in 'virtual' devices. But for many hardware devices >> which are required to access a defined SMTP resource, the MAC >> address may still be a simple unique identifier. MAC should NOT >> be used, unless this is a MAC address that can be associated to a >> vendor using standard MAC registration information as defined or >> set by the IEEE Standards Association and is meant to represent a >> unique device. >> >> I will note that all these categories reveal privacy sensitive >> information. >> >> My preference would be that the draft take a strong stance that the >> CLIENTID MUST NOT reveal information that can be cross-correlated with >> any other persionally identifiable information (we have the authorized >> identity for that, thank you very much); if suggestions are to remain in >> the draft that indicate that CLIENTID may be used to reveal personally >> sensitive information, the Security Considerations need to spell this >> out, and describe what mechanisms (such as client verifying the >> certificate of the server in STARTTLS and using CLIENTID only with >> servers with which one has a preexisting trust relationshiop) are used >> to safeguard such information against harvesting. >> >> (I remain doubtful about the usefulness of the extension. This critique >> is not to be perceived as any form of endorsement of the rest of the >> document.) >> >> >> Harald >> >> >> _______________________________________________ >> dispatch mailing list >> dispatch@ietf.org >> https://www.ietf.org/mailman/listinfo/dispatch >> > _______________________________________________ > dispatch mailing list > dispatch@ietf.org > https://www.ietf.org/mailman/listinfo/dispatch >
- [dispatch] draft-storey-smtp-client-id-08.txt - p… Harald Alvestrand
- Re: [dispatch] draft-storey-smtp-client-id-08.txt… Eric Rescorla
- Re: [dispatch] draft-storey-smtp-client-id-08.txt John Levine
- Re: [dispatch] draft-storey-smtp-client-id-08.txt… Brandon Long