Re: [Secdispatch] [EXTERNAL] Please help dispatch "Dangerous Labels"

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 26 July 2022 18:17 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [EXTERNAL] [Secdispatch] Please help dispatch "Dangerous Labels"
Thread-Index: AQHYoQGuXWvn96pahEeGR1wyw2mkFq2Q9R4g
Date: Tue, 26 Jul 2022 18:17:25 +0000
Message-ID: <CH0PR11MB573918750DE36371FCA6AF759F949@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <87tu73q5c6.fsf@fifthhorseman.net>
In-Reply-To: <87tu73q5c6.fsf@fifthhorseman.net>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/pGGuQmJw3DSEQgpyd_ZrGIeqjj0>
Subject: Re: [Secdispatch] [EXTERNAL] Please help dispatch "Dangerous Labels"
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2022 18:17:38 -0000

I love the concept of this draft, but I wonder if a draft is the right format? This list is likely to be ever-evolving.

It was suggested during SECDISPATCH (I think) that maybe an IANA registry of Dangerous Labels would be more appropriate; thereby if a future draft introduces a new dangerous label, then that should be indicated in its IANA Considerations to be added to the registry.

---
Mike Ounsworth

-----Original Message-----
From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Daniel Kahn Gillmor
Sent: July 26, 2022 10:09 AM
To: secdispatch@ietf.org
Subject: [EXTERNAL] [Secdispatch] Please help dispatch "Dangerous Labels"

I've written a document that tries to establish a registry of labels -- just DNS labels and e-mail local parts at the moment -- that have surprising security properties:

   https://datatracker.ietf.org/doc/draft-dkg-intarea-dangerous-labels/

The not-so-secret goal of the document is to *discourage* creation of new labels like this.  Or, rather, to discourage the creation of systems that treat certain "magic" labels as having special properties.

For example, if the administrators of "example.com" permit Jennifer to take control of "mta-sts.example.com", she can change the e-mail transport security properties of the entire zone.  Similarly, if the admins allow Roberto to have access to the e-mail address hostmaster@example.com, he can create an X.509 certificate for any host in the zone, due to the CA/B Forum's baseline requirements.  Take a look at the doc for other examples.

These dangerous labels are booby-traps for unwary administrators.

If someone is designing a system that would want to add a label to either of the registries that this document designs, it gives us an opportunity to try to divert them to using something better, such as a .well-known URL, an underscore-prefixed DNS label, or anything more principled.

If anyone knows of other dangerous labels that should be listed here (DNS labels, e-mail local parts, or even labels in other categories), feel free to reply directly to me, or open an issue or merge request on https://gitlab.com/dkg/dangerous-labels/

But if this document goes forward, it has an explicit ask for IANA to create the registries, so it probably would need to culminate in an RFC.
I have no idea where this document should live within the IETF.

Suggestions?

        --dkg
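The check this thread implies for anyone who hands out subdomains or mailboxes to users is to refuse a request that collides with a dangerous label before it is granted. The script below is an added example written for this archive page; it is not code from draft-dkg-intarea-dangerous-labels, from its author, or from the list. Its two registries are a constructed subset: "mta-sts" and "hostmaster" are the cases named in the thread, and the other entries (wpad, isatap, and the remaining CA/B Forum constructed-address local parts) are well-known cases added here as assumptions. The sample requests are constructed.

```python
"""Audit user-claimable hostnames and mailboxes for "dangerous labels".

Added example for this thread; not code from draft-dkg-intarea-dangerous-labels
or from its author.  The two registries below are a constructed subset:
'mta-sts' and 'hostmaster' are the cases named in the thread, the other
entries are well-known cases added here as assumptions.  The draft is the
authoritative list.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Leftmost DNS labels that hand whoever controls <label>.<parent> a security
# property of <parent> itself.
DANGEROUS_DNS_LABELS = {
    "mta-sts": "hosts the MTA-STS policy for the parent domain (RFC 8461)",
    # Assumed additions, not mentioned in the thread:
    "wpad": "clients on the parent domain fetch a proxy auto-config file from it",
    "isatap": "Windows clients on the parent domain use it as an IPv6 tunnel router",
}

# E-mail local parts a CA may mail to prove control of the domain
# (CA/B Forum Baseline Requirements, "constructed e-mail" validation).
# 'hostmaster' is from the thread; the rest are assumed additions.
DANGEROUS_LOCAL_PARTS = {
    local: "CA/B BR constructed address: can approve certificate issuance for the domain"
    for local in ("hostmaster", "postmaster", "admin", "administrator", "webmaster")
}


@dataclass(frozen=True)
class Finding:
    kind: str      # "dns" or "email"
    name: str      # the name exactly as it was requested
    affects: str   # the domain whose security properties the name controls
    why: str


def normalize_fqdn(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and surrounding space."""
    return name.strip().rstrip(".").lower()


def check_hostname(name: str) -> Optional[Finding]:
    """Flag <dangerous-label>.<parent>; a bare label has no parent to endanger."""
    fqdn = normalize_fqdn(name)
    if "." not in fqdn:
        return None
    label, parent = fqdn.split(".", 1)
    why = DANGEROUS_DNS_LABELS.get(label)
    return Finding("dns", name, parent, why) if why else None


def check_mailbox(addr: str) -> Optional[Finding]:
    """Flag <dangerous-local-part>@<domain>.

    Local parts are compared case-insensitively because most MTAs deliver
    HostMaster@ and hostmaster@ to the same mailbox, so a case-varied
    registration still receives the CA's validation mail.
    """
    addr = addr.strip()
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    why = DANGEROUS_LOCAL_PARTS.get(local.lower())
    return Finding("email", addr, normalize_fqdn(domain), why) if why else None


def audit(hostnames: Iterable[str], mailboxes: Iterable[str]) -> List[Finding]:
    """Run both checks; the caller gates the registration on an empty result."""
    findings = [f for f in map(check_hostname, hostnames) if f]
    findings += [f for f in map(check_mailbox, mailboxes) if f]
    return findings


# Constructed sample requests, as a self-service portal for example.com might see them.
SAMPLE_HOSTNAMES = [
    "jennifer.example.com",      # ordinary user hostname: fine
    "MTA-STS.example.com.",      # would let Jennifer set example.com's mail policy
    "wpad.corp.example.com",     # would let the owner proxy corp.example.com clients
    "mta-sts",                   # bare label, no parent: nothing to flag
]
SAMPLE_MAILBOXES = [
    "roberto@example.com",       # ordinary mailbox: fine
    "HostMaster@example.com",    # would let Roberto pass CA domain validation
    "webmaster@example.com",     # likewise
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTNAMES, SAMPLE_MAILBOXES):
        print(f"{f.kind:5} {f.name:24} affects {f.affects}: {f.why}")
```

The "affects" field is the useful part of a finding: a dangerous label endangers its parent, so mta-sts.jennifer.example.com only affects a domain Jennifer already controls, while MTA-STS.example.com affects the whole zone. If the draft's registries are created, the two dictionaries are the place to load them from; the matching logic does not change.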