Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Fri, 04 May 2018 12:12 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35023126BFD for <uta@ietfa.amsl.com>; Fri, 4 May 2018 05:12:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cK5h7wtYr4c4 for <uta@ietfa.amsl.com>; Fri, 4 May 2018 05:12:04 -0700 (PDT)
Received: from mail-ot0-x241.google.com (mail-ot0-x241.google.com [IPv6:2607:f8b0:4003:c0f::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB3F7120724 for <uta@ietf.org>; Fri, 4 May 2018 05:12:01 -0700 (PDT)
Received: by mail-ot0-x241.google.com with SMTP id l22-v6so24225433otj.0 for <uta@ietf.org>; Fri, 04 May 2018 05:12:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4bGnmcBV1AVJM/1q+bW2FV+DOZ/unvT91gSEWdZSRKU=; b=YauPZZtxX56x9eZEdWdE717GxF6oWjAg/D5wqRICI8SzHr4MMnxmN3rkJANVemcWhl eqZBmYzCDWBlU3J3BzWbCkxDi0aKkO2nYNMxembWKtNZOojCVzSAI2Rm3uHAVN75m2sI OIlvcMtJJweoe+zqZmglAk2fLzRrlUeQQC9TJdXqD5txjip5C9iw1u3VUhPlkI8scnu7 W2vhzqz5+VAcUP/xaahvEXzxV0vvBbmDfBo/dihjBZE4Z/kIACE6zWUKWrOKSFdeMTFE M0Rx6CN18n4bdNJ6BOmqVCESp5YjaM36PDfyDbSxdRmwrMdyvPkjVkCYcYH0iu76JKEH +lJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4bGnmcBV1AVJM/1q+bW2FV+DOZ/unvT91gSEWdZSRKU=; b=hP2e26oe2QX/gBHPOCFvCGHHTnnpSYR4nvcvI3esbjTpzDtpHF5pw+xGHVeLszgoWl 7T1VQ6hQpS7liCjIkd9UgMV6Juw0vCXUXarQ9PEkm741flnUw+r0iuvg+WCAsD+Y5VC8 5edYZ25QJdJG2Ma2TZl/CCO/eTjxpq/wLoPLO+CADTbHbdPJVtnSGyA3PiJedjz/M9DB pFC2qlP7QV1RPiIeJ8MuME4y8kYLr2Tjuavdkj2GQSg6iyxwg4+EUVgqLnUI07+vFQZB Xqf/FYpj8eQcpxaWtuLz6LEoekHIO7qbw2/HOtM5QDkWWuUxFTDiUl5/GTqa6CZT0lXf w5Bg==
X-Gm-Message-State: ALQs6tCVBdZgW+ciYl/dZNFgcrMhZJKa5QqR/prOcdg8uifWFakh7wfA CGJgUe+WoRb6P3SyxdH7+RB9KQlLr3IJA8gPpKMpQA==
X-Google-Smtp-Source: AB8JxZrViHJxFfEBIW6TUi6H7NAhS2sZj5TAsOkCl689LGGdt2blstvRz+QFhaK76YM5JkmD89ePfrWKQ/ebfb72EjA=
X-Received: by 2002:a9d:72c6:: with SMTP id d6-v6mr6304127otk.392.1525435921254; Fri, 04 May 2018 05:12:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Fri, 4 May 2018 05:11:20 -0700 (PDT)
In-Reply-To: <20180504051945.GS3322@mournblade.imrryr.org>
References: <152539648489.11713.7895583526344282774.idtracker@ietfa.amsl.com> <20180504051945.GS3322@mournblade.imrryr.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 04 May 2018 05:11:20 -0700
Message-ID: <CABcZeBORH1iKZ2QZb_DBcwsDdBDS8Nbxb_A6Q7RxNL6X6Xg_BQ@mail.gmail.com>
To: Viktor Dukhovni <viktor@dukhovni.org>
Cc: uta@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000036e13f056b603a46"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/6W-Ca5X9Vga8znj-AziEKtkCg2g>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 12:12:06 -0000
On Thu, May 3, 2018 at 10:19 PM, Viktor Dukhovni <viktor@dukhovni.org> wrote: > On Thu, May 03, 2018 at 06:14:44PM -0700, Eric Rescorla wrote: > > > S 10.2. > > > mode, to allow clean MTA-STS removal, as described in Section > 8.3.) > > > > > > Resistance to downgrade attacks of this nature--due to the > ability to > > > authoritatively determine "lack of a record" even for non- > > > participating recipients--is a feature of DANE, due to its use of > > > DNSSEC for policy discovery. > > > > I'm surprised that you don't note that if you use DNSSEC (and the > > client validates), you are in general resistant to this form of > > attack. > > With MTA-STS, hardening the DNS is not enough, the policy does not > take effect until it is first verified to work. First-contact > lookup failures for the TXT record do not cause email to be deferred. > > Indeed with MTA-STS, some MTAs may do *background* policy retrieval, > and the first few messages to a destination may go out unprotected. > > For a downgrade-resistant mechanism, a domain can use DANE SMTP > (RFC7672). If the destination domain is signed, the first step in > that direction is already taken. > > > > 2. That at least one of the policy's "mx" patterns matches at > least > > > one of the identities presented in the MX's X.509 > certificate, as > > > described in "MX Certificate Validation". > > > > IMPORTANT: This doesn't seem like quite what you want. Consider > > the case where the STS policy has: > > > > mx: mx1.example.com > > mx: mx2.example.com > > > > And I then attempt to send to mx1.example.com, send SNI=mx1.example.com, > > and get a cert that is only valid for mx2.example.com. > > [ This was discussed extensively in the WG. This part of the design > is substantially my doing... ] > > An MiTM attacker can direct the traffic to any MX host of his choice > by blocking TCP SYNs, or generating RST packets for traffic to all > the other MXs, causing the desired MX host to be the only one the > client can reach. Also, for a large fraction of domains a wildcard > certificate, or a certificate with all the names is used. For > example, below are the SANs from the certificate for gmail.com: > > DNS:mx.google.com > DNS:alt1.aspmx.l.google.com > DNS:alt1.gmail-smtp-in.l.google.com > DNS:alt1.gmr-smtp-in.l.google.com > DNS:alt2.aspmx.l.google.com > DNS:alt2.gmail-smtp-in.l.google.com > DNS:alt2.gmr-smtp-in.l.google.com > DNS:alt3.aspmx.l.google.com > DNS:alt3.gmail-smtp-in.l.google.com > DNS:alt3.gmr-smtp-in.l.google.com > DNS:alt4.aspmx.l.google.com > DNS:alt4.gmail-smtp-in.l.google.com > DNS:alt4.gmr-smtp-in.l.google.com > DNS:aspmx.l.google.com > DNS:aspmx2.googlemail.com > DNS:aspmx3.googlemail.com > DNS:aspmx4.googlemail.com > DNS:aspmx5.googlemail.com > DNS:gmail-smtp-in.l.google.com > DNS:gmr-mx.google.com > DNS:gmr-smtp-in.l.google.com > > So trying to make sure that you're reaching the MX host > you think you're reaching and not one of the others is > largely pointless and often a lost cause. > But not everyone is configured this way. > > This seems like it's extremely undesirable and might be the basis for > some kind of attack. > > See above. If the MX host has a certificate that matches the > client's SNI, it'll may return it, even if that's one of the other > MX hosts. If it does not return a matching certificate, the "attack" > fails. > This might be true, but this kind of informal reasoning is notoriously prone to error. We have a general pattern for TLS certificate verification, which you are deviating from, and we then need to analyze in detail. I'm not seeing any good reason for that. > > I think the rule you want is: > > > > You look up the MXes in the DNS. > > You select one that must match one of the things in the mx list in the > STS > > Preemptive removal of non-matching MX hosts is liable (in sloppy > implementations, and I expect enough to be sloppy) to cause routing > loops, when a backup MX host, not after removing itself early from > the list, fails to eliminate worse priority MX hosts. I don't understand this claim. It also > requires all sites to duplicate MX host updates from DNS into the > STS policy, disallowing the "low-maintenance" ".example.com" form. > I don't see why this would be true. You publish .example.com and then you modify the MX requires at will. provided that they all end in .example.com. > > The certificate MAY be checked for revocation via the Online > > > Certificate Status Protocol (OCSP) [RFC6960], certificate > revocation > > > lists (CRLs), or some other mechanism. > > > > Why is revocation only MAY? > > Looking at e.g. the X.509 certificate for Gmail, I don't see a > "must staple OCSP" extension. So we get no meaningful security > from OCSP stapling, an attacker who misappropriates the private > key will not staple OCSP responses. > > I have no intention of building an HTTP client into the Postfix > SMTP client to download CRLs from various CAs that remote peers > might use. Full CRLs might at least be cached on a per-CA basis, > while per-certificate OCSP requires a connection to the CA for each > new certificate. > > I'm afraid I see too little value in CRLs to consider CRL support > in Postfix. The OS platforms that Postfix runs on don't deliver > a full intermediate CA store with regular updates of the associated > CRLs. Doing CRL management in each application is IMHO impractical. > > In short, I have not implemented and don't expect to implement CRL > support in Postfix. > You seem to be omitting the obvious answer: regular OCSP. -Ekr
- [Uta] Eric Rescorla's Discuss on draft-ietf-uta-m… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Alberto Bertogli
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Alberto Bertogli
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis