Re: [Secdispatch] [EXTERNAL] Please help dispatch "Dangerous Labels"

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 26 July 2022 18:19 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] [EXTERNAL] Please help dispatch "Dangerous Labels"
Thread-Index: AQHYoRw9rmq5gTdxe028ndEnWhmF+A==
Date: Tue, 26 Jul 2022 18:19:27 +0000
Message-ID: <CH0PR11MB5739D04969524F801D32F3209F949@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <87tu73q5c6.fsf@fifthhorseman.net> <CH0PR11MB573918750DE36371FCA6AF759F949@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB573918750DE36371FCA6AF759F949@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/sbwKbQvnFHcsn3SE6fMGxdiui88>
Subject: Re: [Secdispatch] [EXTERNAL] Please help dispatch "Dangerous Labels"
List-Id: Security Dispatch <secdispatch.ietf.org>

Wait, that is exactly what this draft is doing. Please disregard.

---
Mike Ounsworth

-----Original Message-----
From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: July 26, 2022 1:17 PM
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>; secdispatch@ietf.org
Subject: Re: [Secdispatch] [EXTERNAL] Please help dispatch "Dangerous Labels"

I love the concept of this draft, but I wonder if a draft is the right format? This list is likely to be ever-evolving.

It was suggested during SECDISPATCH (I think) that maybe an IANA registry of Dangerous Labels would be more appropriate; thereby if a future draft introduces a new dangerous label, then that should be indicated in its IANA Considerations to be added to the registry.

---
Mike Ounsworth

-----Original Message-----
From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Daniel Kahn Gillmor
Sent: July 26, 2022 10:09 AM
To: secdispatch@ietf.org
Subject: [EXTERNAL] [Secdispatch] Please help dispatch "Dangerous Labels"

I've written a document that tries to establish a registry of labels -- just DNS labels and e-mail local parts at the moment -- that have surprising security properties:

   https://datatracker.ietf.org/doc/draft-dkg-intarea-dangerous-labels/

The not-so-secret goal of the document is to *discourage* creation of new labels like this.  Or, rather, to discourage the creation of systems that treat certain "magic" labels as having special properties.

For example, if the administrators of "example.com" permit Jennifer to take control of "mta-sts.example.com", she can change the e-mail transport security properties of the entire zone.  Similarly, if the admins allow Roberto to have access to the e-mail address hostmaster@example.com, he can create an X.509 certificate for any host in the zone, due to the CA/B Forum's baseline requirements.  Take a look at the doc for other examples.

These dangerous labels are booby-traps for unwary administrators.

If someone is designing a system that would want to add a label to either of the registries that this document designs, it gives us an opportunity to try to divert them to using something better, such as a .well-known URL, an underscore-prefixed DNS label, or anything more principled.

If anyone knows of other dangerous labels that should be listed here (DNS labels, e-mail local parts, or even labels in other categories), feel free to reply directly to me, or open an issue or merge request on https://gitlab.com/dkg/dangerous-labels/

But if this document goes forward, it has an explicit ask for IANA to create the registries, so it probably would need to culminate in an RFC.
I have no idea where this document should live within the IETF.

Suggestions?

        --dkg
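An added example to go with the thread, not code from the draft or from any of the posters: a small audit script that takes the zone an administrator is responsible for and the hostnames and mailboxes they are about to hand to someone, and reports which ones would give that person control over a parent domain's security properties. The two entries named above, "mta-sts" (the MTA-STS policy host, RFC 8461) and "hostmaster" (one of the mailboxes the CA/B Forum Baseline Requirements accept for domain validation), are taken from the message; the other labels and local parts in the tables, and all function names, are assumptions added for illustration rather than the contents of the draft's registry. It checks the label at every depth, so mta-sts.corp.example.com is flagged as affecting corp.example.com, and it deliberately leaves underscore-prefixed names alone, since those are the principled alternative the message points to.

```python
"""Flag delegations of 'dangerous labels' inside a DNS zone.

Added example for this thread, not code from the draft. Given the zone an
administrator is responsible for and the names or mailboxes they are about
to hand out, it reports which ones would let the recipient change security
properties of a parent domain.
"""
from dataclasses import dataclass
from typing import Optional

# "mta-sts" and "hostmaster" come from the thread. The remaining entries are
# assumptions added for illustration (well-known special-purpose names); they
# are not copied from the draft's registry.
DANGEROUS_DNS_LABELS = {
    "mta-sts": "serves the MTA-STS policy for the parent domain (RFC 8461)",
    "wpad": "browsers fetch a proxy auto-config script from this host",
    "autoconfig": "Thunderbird fetches mail client settings from this host",
    "autodiscover": "Outlook/Exchange fetch mail client settings from this host",
}
DANGEROUS_LOCAL_PARTS = {
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
}
LOCAL_PART_REASON = (
    "CA/B Forum Baseline Requirements let a CA validate the domain by "
    "e-mailing this mailbox, so its owner can obtain certificates for it"
)


@dataclass(frozen=True)
class Finding:
    requested: str   # what was asked for, as given
    label: str       # the dangerous label that matched
    affects: str     # the domain whose security properties it controls
    reason: str


def _labels(name: str) -> list[str]:
    """Lowercase, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def _relative_labels(fqdn: str, zone: str) -> Optional[list[str]]:
    """Labels of fqdn below zone, or None if fqdn is not strictly under zone."""
    f, z = _labels(fqdn), _labels(zone)
    if len(f) <= len(z) or f[-len(z):] != z:
        return None
    return f[: len(f) - len(z)]


def assess_dns_delegation(fqdn: str, zone: str) -> Optional[Finding]:
    """Finding if handing out fqdn gives control of a dangerous label at any
    depth under the zone. Underscore-prefixed labels (RFC 8552) are not in
    the table and so are never flagged."""
    rel = _relative_labels(fqdn, zone)
    if rel is None:
        return None
    for i, label in enumerate(rel):
        reason = DANGEROUS_DNS_LABELS.get(label)
        if reason is not None:
            parent = ".".join(rel[i + 1:] + _labels(zone))  # domain it affects
            return Finding(fqdn, label, parent, reason)
    return None


def assess_mailbox_delegation(address: str, zone: str) -> Optional[Finding]:
    """Finding if the mailbox is one a CA may use to validate a domain inside
    the zone. Local parts are compared case-insensitively (conservative)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local:
        return None
    d, z = _labels(domain), _labels(zone)
    if len(d) < len(z) or d[-len(z):] != z:
        return None
    if local.lower() in DANGEROUS_LOCAL_PARTS:
        return Finding(address, local.lower(), ".".join(d), LOCAL_PART_REASON)
    return None


def audit(zone: str, dns_names: list[str], mailboxes: list[str]) -> list[Finding]:
    """Run both checks over a proposed batch of delegations."""
    found = [assess_dns_delegation(n, zone) for n in dns_names]
    found += [assess_mailbox_delegation(m, zone) for m in mailboxes]
    return [f for f in found if f is not None]


if __name__ == "__main__":
    # Constructed sample batch, echoing the thread's Jennifer/Roberto examples.
    for f in audit(
        "example.com",
        ["jennifer.example.com", "mta-sts.example.com",
         "_mta-sts.example.com", "wpad.corp.example.com"],
        ["roberto@example.com", "hostmaster@example.com"],
    ):
        print(f"{f.requested}: '{f.label}' affects {f.affects}: {f.reason}")
```

The script is meant to sit in whatever approval path hands out subdomains or mailboxes; a non-empty result is the point at which to steer the requester toward a .well-known URL or an underscore-prefixed name instead.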
