Re: [Gen-art] Gen-ART LC review of draft-ietf-uta-xmpp-05
Peter Saint-Andre - &yet <peter@andyet.net> Fri, 03 April 2015 21:33 UTC
Return-Path: <peter@andyet.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63F291A1A87 for <gen-art@ietfa.amsl.com>; Fri, 3 Apr 2015 14:33:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xWffWR6K45u4 for <gen-art@ietfa.amsl.com>; Fri, 3 Apr 2015 14:33:12 -0700 (PDT)
Received: from mail-ig0-f181.google.com (mail-ig0-f181.google.com [209.85.213.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0932C1A1A81 for <gen-art@ietf.org>; Fri, 3 Apr 2015 14:33:12 -0700 (PDT)
Received: by igblo3 with SMTP id lo3so15946964igb.0 for <gen-art@ietf.org>; Fri, 03 Apr 2015 14:33:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=ZM2JTSO6CYXC0ApWveV7ioibpzSfCtggAW+/Ex6/sds=; b=a6Es1jrC4d5otxBYnkMmBvmVjwwjLzXKNg/mx4apcQoTri1bDsGt2s0M9SCx63TWnV yq4f66rwIB+8UKy9mQek7hVOyGhUBVLPI70FjLrfcRWAGdD4nKlFrBld0thy8Au+BBhb 6nUHrXO/2D0rDfPb5rvHxyech+WO7M4Og+Ro+/hLFg9dh6ro0cHUSQEwon6j0ehghmiq VPYkNQflGV61XzgRiQ4AqwVWzxrb9j1JeGJflJxbpxnXBHGeG8hnnde+sN6ZT2MfSNnG aQZ2yeN3EoSGtAfAy9neJIJa1eMJyfP/Q8ItyUKEG3D7w1R2or+Swb2FKm7nJbLh+mKl uHOA==
X-Gm-Message-State: ALoCoQmYbyifu3FcVTu46/DWontanMbPyYx1n3/tIiFYc8NXF1pG5gU4QTrrEW0fl2mH+AVL2//8
X-Received: by 10.107.39.72 with SMTP id n69mr6602443ion.8.1428096791489; Fri, 03 Apr 2015 14:33:11 -0700 (PDT)
Received: from aither.local (c-73-34-202-214.hsd1.co.comcast.net. [73.34.202.214]) by mx.google.com with ESMTPSA id h15sm6282963ioh.27.2015.04.03.14.33.10 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 03 Apr 2015 14:33:10 -0700 (PDT)
Message-ID: <551F0715.2030504@andyet.net>
Date: Fri, 03 Apr 2015 15:33:09 -0600
From: Peter Saint-Andre - &yet <peter@andyet.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Roni Even <ron.even.tlv@gmail.com>, draft-ietf-uta-xmpp.all@tools.ietf.org
References: <020b01d06df4$ed64fa10$c82eee30$@gmail.com> <551EC0E0.3010003@andyet.net> <024501d06e4f$6d983df0$48c8b9d0$@gmail.com> <551F0148.30000@andyet.net>
In-Reply-To: <551F0148.30000@andyet.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/WhxJ4j5TMJPXJRliV0znQw7jOZY>
Cc: uta@ietf.org, gen-art@ietf.org, ietf@ietf.org, 'XMPP Working Group' <xmpp@ietf.org>
Subject: Re: [Gen-art] Gen-ART LC review of draft-ietf-uta-xmpp-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 21:33:14 -0000
On 4/3/15 3:08 PM, Peter Saint-Andre - &yet wrote: > On 4/3/15 2:47 PM, Roni Even wrote: >> Hi Peter, >> The new text address my comments, I just have a proposal on section >> 3.5 see >> inline > > <snip/> > >>>> Section 3.4 may look like authentication is a MUST but section 3.5 >>>> talks about unauthenticated connections >>> >>> Well, there are client-to-server connections and server-to-server >> connections in >>> XMPP. The former need to be authenticated and the latter do not >>> (although >> we >>> are working on ways to make authentication easier and more pervasive for >>> server-to-server connections). I thought we had captured that in the >>> text, >> but >>> perhaps not. >> [Roni Even] Maybe start section 3.5 saying that it is only about >> server to >> server connection, currently the end of the section says " this at least >> enables encryption of server-to-server connections." But I did not >> understand it as saying that this section is only about server to server >> connection. > > Well, it *mostly* applies to server-to-server connections (there are > cases with multi-tenanted environments where something like DANE also > helps for client-to-server connections). The whole topic is messy on the > client side because of bad user habits about click-through security, > trust on first use, overriding defaults, etc. Here is a proposed change. > > OLD > Given the pervasiveness of passive eavesdropping, even an > unauthenticated connection might be better than an unencrypted > connection (this is similar to the "better than nothing security" > approach for IPsec [RFC5386]). Unauthenticated connections include > connections negotiated using anonymous Diffie-Hellman algorithms or > using self-signed certificates, among other scenarios. In > particular, because of current deployment challenges for > authenticated connections between XMPP servers (see > [I-D.ietf-xmpp-dna] and [I-D.ietf-xmpp-posh] for details), it can be > reasonable for XMPP server implementations to accept unauthenticated > connections when Server Dialback keys [XEP-0220] are used; although > such keys on their own provide only weak identity verification (made > stronger through the use of DNSSEC [RFC4033]), this at least enables > encryption of server-to-server connections. > > NEW > Although as just described authentication of the receiving entity is > either mandatory (for client-to-server connections) or strongly > preferred (for server-to-server connections), given the pervasiveness > of eavesdropping [RFC7258] even an unauthenticated connection might > be better than an unencrypted connection (this is similar to the > "better than nothing security" approach for IPsec [RFC5386]). > Unauthenticated connections include connections negotiated using > anonymous Diffie-Hellman algorithms or using self-signed > certificates, among other scenarios. > > At present there are deployment challenges for authenticated > connections between XMPP servers, especially in multi-tenanted > environments (see [I-D.ietf-xmpp-dna] and [I-D.ietf-xmpp-posh] for > details). In some of these scenarios, it can be reasonable for XMPP > server implementations to accept unauthenticated but encrypted > connections when Server Dialback keys [XEP-0220] are used; such keys > on their own provide only weak identity verification (made stronger > through the use of DNSSEC [RFC4033]), but this at least enables > encryption of server-to-server connections. The Domain Name > Associations (DNA) prooftypes described in the previous section are > intended to mitigate the residual need for unauthenticated > connections in these scenarios. I don't think that text is quite right. I suggest that we merge the sections on Authenticated Connections and Unauthenticated Connections, as follows: 3.4. Authenticated Connections Both the core XMPP specification [RFC6120] and the "CertID" specification [RFC6125] provide recommendations and requirements for certificate validation in the context of authenticated connections. This document does not supersede those specifications (e.g., it does not modify the recommendations in [RFC6120] regarding the Subject Alternative Names or other certificate details that need to be supported for authentication of XMPP connections using PKIX certificates). Wherever possible, it is best to prefer authenticated connections (along with SASL [RFC4422]), as already stated in the core XMPP specification [RFC6120]. In particular, clients MUST authenticate servers and servers MUST authenticate clients. This document does not mandate that servers need to authenticate peer servers, although such authentication is strongly preferred and servers SHOULD authenticate each other. Unfortunately, in multi- tenanted environments it can be extremely difficult to obtain or deploy PKIX certificates with the proper Subject Alternative Names (see [I-D.ietf-xmpp-dna] and [I-D.ietf-xmpp-posh] for details). To overcome that difficulty, the Domain Name Associations (DNA) specification [I-D.ietf-xmpp-dna] describes a framework for XMPP server authentication methods, which include not only PKIX but also DNS-Based Authentication of Named Entities (DANE) as defined in [I-D.ietf-dane-srv] and PKIX over Secure HTTP (POSH) as defined in [I-D.ietf-xmpp-posh]. These methods can provide a basis for server identity verification when appropriate PKIX certificates cannot be obtained or deployed. Given the pervasiveness of eavesdropping [RFC7258] even an unauthenticated connection might be better than an unencrypted connection in these scenarios (this is similar to the "better than nothing security" approach for IPsec [RFC5386]). Unauthenticated connections include connections negotiated using anonymous Diffie- Hellman algorithms or using self-signed certificates, among others. In particular for XMPP server-to-server interactions, it can be reasonable for XMPP server implementations to accept unauthenticated but encrypted connections when Server Dialback keys [XEP-0220] are used; such keys on their own provide only weak identity verification (made stronger through the use of DNSSEC [RFC4033]), but this at least enables encryption of server-to-server connections. The Domain Name Associations (DNA) prooftypes described above are intended to mitigate the residual need for unauthenticated connections in these scenarios. Peter -- Peter Saint-Andre https://andyet.com/
- [Gen-art] Gen-ART LC review of draft-ietf-uta-xmp… Roni Even
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Peter Saint-Andre - &yet
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Roni Even
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Peter Saint-Andre - &yet
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Peter Saint-Andre - &yet
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Roni Even
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Leif Johansson
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Peter Saint-Andre - &yet
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Leif Johansson
- Re: [Gen-art] Gen-ART LC review of draft-ietf-uta… Peter Saint-Andre - &yet