IETF Logo Mail Archive

Re: [saag] IETF 93 Agenda Request - Key Discovery

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 July 2015 16:23 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0404C1A0029 for <saag@ietfa.amsl.com>; Thu, 23 Jul 2015 09:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OiDM8bLJSum5 for <saag@ietfa.amsl.com>; Thu, 23 Jul 2015 09:23:30 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32B1B1A001A for <saag@ietf.org>; Thu, 23 Jul 2015 09:23:30 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 49793284B53; Thu, 23 Jul 2015 16:23:29 +0000 (UTC)
Date: Thu, 23 Jul 2015 16:23:29 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150723162329.GW4347@mournblade.imrryr.org>
References: <20150723150446.GT4347@mournblade.imrryr.org> <20150723153131.67097.qmail@ary.lan> <CAL02cgR2oTx0xypXAZKBONyxSDgGb_jNJZWGeqbF-7NVpdxxSg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL02cgR2oTx0xypXAZKBONyxSDgGb_jNJZWGeqbF-7NVpdxxSg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/MlB9-hEuAZU6Q1VFy-pfEu81PTg>
Subject: Re: [saag] IETF 93 Agenda Request - Key Discovery
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saag@ietf.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 16:23:32 -0000

On Thu, Jul 23, 2015 at 05:54:20PM +0200, Richard Barnes wrote:

> > My MTA already knows where it routes that address and can find the
> > appropriate account and the corresponding keys.  Webfinger or anything
> > else would either need a side channel into the MTA or try to match the
> > local address resolution logic.  Ugh.
> 
> Consider the security requirements.  The MUA needs to know that it's
> got the authentic address/key binding, where the address is the one
> the user put into the MUA.  So if it's going to talk to an MTA, it
> needs to be the REMOTE MTA.  If it reaches that remote MTA through its
> local MTA, that's a problem, since now either (1) the MUA has to trust
> the local MTA for all of its keys or (2) the remote MTA needs to sign
> its address/key bindings.  Both of which are gross.

The MSA authenticates the requestor, which is not something the
remote WebFinger server can do, and might be required to authenticate
itself to the remote MTA (Shumon Huque and I are proposing extending
DANE TLSA to client auth).  This will help reduce abuse vectors
for the key lookup service.

Recall that the party managing the MSA is generally also the party
managing the Inbox, and can supply MiTM keys to the user's
correspondents.  Reading the reverse traffic is often sufficient
to recover most of the forward traffic.

In the simplest model, the MUA will need to trust its MSA as an
introducer of said keys.  Just like Webmail clients trust the
javascript email application engine from the Webmail provider.
Just as the MUA would have to trust the WebFinger server, and
whatever sources that server consults to vend the keys.

Note that keys will be exchanged via ongoing email traffic, not
just initial contact.  The MSA's role will then be mostly as a
proxy to confirm the freshness of those keys, and lying about that
would be distruptive and rather noticeable.  Tamper-evidence is
likely to deter the majority of attacks.

It is of course also possible to specify that the protocol preserve
remote signatures across the MSA proxy, along with the appropriate
DNSSEC RRs to authenticate those signatures.  I am just not sure
it is worth it.  Injection of MiTM keys is difficult to do
undetectably.  Security savvy users can always check fingerprints
via additional channels, plus see above comments on ongoing traffic.

--
	Viktor.

v2.23.0 | Report a Bug | By Email