[ietf-smtp] ALPN

Jeremy Harris <jgh@wizmail.org> Wed, 07 July 2021 23:11 UTC

To: ietf-smtp@ietf.org
From: Jeremy Harris <jgh@wizmail.org>
Message-ID: <85ce0c71-dbf6-7a32-cc11-8ef60e53adff@wizmail.org>
Date: Thu, 08 Jul 2021 00:11:31 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/7VTzJR0wyIeaJti7oVrVKbMxCZU>

Should we request a TLS ALPN identifier?

Current registry:
   https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids

Draft recommendation:

   draft-ietf-uta-rfc7525bis-01.txt
   - Section 5 "Applicability Statement" lists "SMTP traffic".
   - Section 3.8 "Application-Layer Protocol Negotiation" says that the TLS
     must support it, but nothing is said about the application layer actually
     making use of it.
Implementing a defensive-only ALPN check (refusing a TLS startup, as
server, if anything but the obvious choice of "smtp" is offered as a
requested ALPN by the client) is not hard coding for either OpenSSL
or GnuTLS.  Locking out retries with downgrade to cleartext would be
more effort, but perhaps not relevant as a defence against the ALPACA
attack.

In client MTA mode I'd expect the coding to make an ALPN request to
be similarly simple. Administrative controls for non-use/offer/require-acceptance
would probably be more work than just the library interface.
-- 
Cheers,
   Jeremy
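The defensive-only server check described in the message, as an added example that is not code from the message or from any MTA: the selection logic of an OpenSSL-style ALPN select callback (same `in`/`inlen` wire-format arguments), written without OpenSSL headers so it builds stand-alone. The verdict enum and the helper names are constructed here; a no-ALPN client proceeds without ALPN (legacy behaviour), "smtp" is selected when offered, and an ALPN list lacking "smtp" (e.g. an HTTP client steered at the SMTP port, the ALPACA case) is refused.

```c
#include <stddef.h>
#include <string.h>

/* Constructed verdicts mirroring the meaning of OpenSSL's
 * SSL_TLSEXT_ERR_OK / SSL_TLSEXT_ERR_NOACK / SSL_TLSEXT_ERR_ALERT_FATAL.
 * The real header constants are deliberately not used here. */
enum alpn_verdict { ALPN_SELECT = 0, ALPN_NOACK = 1, ALPN_REJECT = 2 };

/* Client ALPN list as handed to the select callback: a sequence of
 * (1-byte length, name bytes) entries with no outer length prefix. */
enum alpn_verdict smtp_alpn_select(const unsigned char *in, unsigned int inlen,
                                   const unsigned char **out, unsigned char *outlen)
{
    static const char want[] = "smtp";
    const size_t wlen = sizeof want - 1;
    unsigned int pos = 0;

    *out = NULL;
    *outlen = 0;
    if (inlen == 0)                 /* no ALPN extension: legacy client, carry on */
        return ALPN_NOACK;
    while (pos < inlen) {
        unsigned int len = in[pos];
        if (len == 0 || pos + 1 + len > inlen)   /* malformed list: fail closed */
            return ALPN_REJECT;
        if (len == wlen && memcmp(in + pos + 1, want, wlen) == 0) {
            *out = in + pos + 1;    /* "smtp" offered: select it */
            *outlen = (unsigned char)wlen;
            return ALPN_SELECT;
        }
        pos += 1 + len;
    }
    return ALPN_REJECT;             /* ALPN present but "smtp" absent: abort handshake */
}

/* Convenience wrapper (constructed) for checking a constructed wire list. */
enum alpn_verdict alpn_verdict_of(const char *wire, unsigned int n)
{
    const unsigned char *sel;
    unsigned char sel_len;
    return smtp_alpn_select((const unsigned char *)wire, n, &sel, &sel_len);
}
```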