Re: [ietf-privacy] Privacy of CLIENTID for IMAP/SMTP
Benjamin Kaduk <kaduk@mit.edu> Wed, 21 August 2019 02:59 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DDC412082E for <ietf-privacy@ietfa.amsl.com>; Tue, 20 Aug 2019 19:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pek3H-YoLCN5 for <ietf-privacy@ietfa.amsl.com>; Tue, 20 Aug 2019 19:59:11 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C08F120045 for <ietf-privacy@ietf.org>; Tue, 20 Aug 2019 19:59:11 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x7L2x22l018738 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Aug 2019 22:59:06 -0400
Date: Tue, 20 Aug 2019 21:59:02 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Kai Engert <kaie@kuix.de>, ietf-privacy@ietf.org
Message-ID: <20190821025901.GI60855@kduck.mit.edu>
References: <ae89b75c-65c3-db47-8152-19ef3f96dcb1@kuix.de> <0f8bebcf-f4ae-85db-9e8e-5f1596c84238@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0f8bebcf-f4ae-85db-9e8e-5f1596c84238@cs.tcd.ie>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-privacy/xmUJvP_wuO4mnHGfZATDwSD5ALY>
Subject: Re: [ietf-privacy] Privacy of CLIENTID for IMAP/SMTP
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-privacy/>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 02:59:13 -0000
On Mon, Aug 19, 2019 at 09:05:21PM +0100, Stephen Farrell wrote: > > Hiya, > > I didn't read the drafts, but Nick's comments make sense to > me so I'd give those a +1 (modulo not having read the draft > of course:-) > > One other thought... > > On 19/08/2019 17:07, Kai Engert wrote: > > If the client > > supports it, and if the connection is encrypted, then the client > > sends its client side identifier. > > Sometimes I've been prompted to accept a hotspot's bogus > certificate for IMAP if my MUA is the first to trip over > a hotspot. A user might hit yes in such a case which is > a bad idea yes, but I guess happens. I guess an active > attack could appear similarly. > > So is there a reason to tie the CLIENTID to the server > credentials I wonder? E.g. to rotate it whenever the > server cert changes. That might also discourage servers > from assuming that the CLIENTID never changes. I was going to say something similar. So, a "yes" from me :) -Ben
- [ietf-privacy] Privacy of CLIENTID for IMAP/SMTP Kai Engert
- Re: [ietf-privacy] Privacy of CLIENTID for IMAP/S… Nick Doty
- Re: [ietf-privacy] Privacy of CLIENTID for IMAP/S… Stephen Farrell
- Re: [ietf-privacy] Privacy of CLIENTID for IMAP/S… Fernando Gont
- Re: [ietf-privacy] Privacy of CLIENTID for IMAP/S… Benjamin Kaduk
- Re: [ietf-privacy] Privacy of CLIENTID for IMAP/S… Michael Peddemors
- Re: [ietf-privacy] Privacy of CLIENTID for IMAP/S… Kai Engert