IETF Logo Mail Archive

Re: [Secdispatch] Please help dispatch "Dangerous Labels"

"Salz, Rich" <rsalz@akamai.com> Tue, 26 July 2022 17:21 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C651FC13CCCD for <secdispatch@ietfa.amsl.com>; Tue, 26 Jul 2022 10:21:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.685
X-Spam-Level:
X-Spam-Status: No, score=-2.685 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.582, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ll_BAilLQbRX for <secdispatch@ietfa.amsl.com>; Tue, 26 Jul 2022 10:21:55 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21A83C13CCCB for <secdispatch@ietf.org>; Tue, 26 Jul 2022 10:21:54 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.17.1.5/8.17.1.5) with ESMTP id 26QFFrIB027255; Tue, 26 Jul 2022 18:21:50 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=aRbVde2HLu/8mr27UhO2ZZvzwHzmH6Q2tb4LHVFamp0=; b=EpAawF/aq7KmoGMWbn4YonCFi+FpW0JIl7fTX9qNrONAtJc55+Vak9G0UgrL11Evrk7Y 7EVmM9F3YkLm/OCxdvV2U1uUQ+2ux//hKTdSLWSVfP6RmNxwmWTZe1Ckw2UUEk+Jg1kw bFHeVUYBkOAixTVw0GGs8+3Krkk5QRmqv4bZErfmZos8siUN9oZGTUC/TebNmrlBlEE5 7KGRpNZnK67zxe9/pDNG/Jwgpht5nUtSWkWERL9Asdt3BIzwfKOsrRndF4OzonesAkvb udem72v3G5x+ykSVH8R8HgE1Axo2Pp+moAFFr0wKHbaNE6ZQ4qTaUVsTtsZX/VgWcZXu JQ==
Received: from prod-mail-ppoint3 (a72-247-45-31.deploy.static.akamaitechnologies.com [72.247.45.31] (may be forged)) by m0050093.ppops.net-00190b01. (PPS) with ESMTPS id 3hje1mgsmq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Jul 2022 18:21:50 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.17.1.5/8.17.1.5) with ESMTP id 26QFnCIY022067; Tue, 26 Jul 2022 13:21:49 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.200]) by prod-mail-ppoint3.akamai.com (PPS) with ESMTPS id 3hgxgn8bbc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Jul 2022 13:21:49 -0400
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com (172.27.50.203) by ustx2ex-dag4mb5.msg.corp.akamai.com (172.27.50.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.9; Tue, 26 Jul 2022 10:21:49 -0700
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com ([172.27.50.203]) by ustx2ex-dag4mb4.msg.corp.akamai.com ([172.27.50.203]) with mapi id 15.02.1118.009; Tue, 26 Jul 2022 10:21:49 -0700
From: "Salz, Rich" <rsalz@akamai.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] Please help dispatch "Dangerous Labels"
Thread-Index: AQHYoQHPhAHi78OwZ0GohxAPlYKojK2RGKEA
Date: Tue, 26 Jul 2022 17:21:49 +0000
Message-ID: <A1AA7379-D0D2-48E9-8063-D6FB70068DCA@akamai.com>
References: <87tu73q5c6.fsf@fifthhorseman.net>
In-Reply-To: <87tu73q5c6.fsf@fifthhorseman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.61.22050700
x-originating-ip: [172.27.164.43]
Content-Type: text/plain; charset="utf-8"
Content-ID: <36D70F72D305634ABB4E6CA40A76A775@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-26_05,2022-07-26_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=907 suspectscore=0 adultscore=0 malwarescore=0 spamscore=0 bulkscore=0 mlxscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207260067
X-Proofpoint-GUID: L5GXtkmcxehUQS8w8rDFv35lrNz4fr6V
X-Proofpoint-ORIG-GUID: L5GXtkmcxehUQS8w8rDFv35lrNz4fr6V
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-26_05,2022-07-26_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 bulkscore=0 impostorscore=0 phishscore=0 malwarescore=0 clxscore=1015 mlxlogscore=860 adultscore=0 mlxscore=0 lowpriorityscore=0 priorityscore=1501 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207260067
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/JMlZSw4sXRyoxnDYN-1eu3wi4fw>
Subject: Re: [Secdispatch] Please help dispatch "Dangerous Labels"
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2022 17:21:58 -0000

It's not really about dangerous words (or Carlin's seven naught words), but rather names that have been attributed by other RFC's to have special meaning. Think "postmaster@example.com" for an email address, for example.  It creates an IANA registry.  It's useful and important, and dispatching to someplace is a tough question.  Nice work, dkg.

On 7/26/22, 11:10 AM, "Daniel Kahn Gillmor" <dkg@fifthhorseman.net> wrote:

    I've written a document that tries to establish a registry of labels --
    just DNS labels and e-mail local parts at the moment -- that have
    surprising security properties:

       https://datatracker.ietf.org/doc/draft-dkg-intarea-dangerous-labels/

    The not-so-secret goal of the document is to *discourage* creation of
    new labels like this.  Or, rather, to discourage the creation of systems
    that treat certain "magic" labels as having special properties.

    For example, if the administrators of "example.com" permit Jennifer to
    take control of "mta-sts.example.com", she can change the e-mail
    transport security properties of the entire zone.  Similarly, if the
    admins allow Roberto to have access to the e-mail address
    hostmaster@example.com, he can create an X.509 certificate for any host
    in the zone, due to the CA/B Forum's baseline requirements.  Take a look
    at the doc for other examples.

    These dangerous labels are booby-traps for unwary administrators.

    If someone is designing a system that would want to add a label to
    either of the registries that this document designs, it gives us an
    opportunity to try to divert them to using something better, such as a
    .well-known URL, an underscore-prefixed DNS label, or anything more
    principled.

    If anyone knows of other dangerous labels that should be listed here
    (DNS labels, e-mail local parts, or even labels in other categories),
    feel free to reply directly to me, or open an issue or merge request on
    https://gitlab.com/dkg/dangerous-labels/

    But if this document goes forward, it has an explicit ask for IANA to
    create the registries, so it probably would need to culminate in an RFC.
    I have no idea where this document should live within the IETF.

    Suggestions?

            --dkg

v2.23.0 | Report a Bug | By Email