Re: [Uta] draft-ietf-uta-mta-sts-04 Review
Daniel Margolis <dmargolis@google.com> Tue, 18 April 2017 16:15 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBD5612EBFA for <uta@ietfa.amsl.com>; Tue, 18 Apr 2017 09:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xW7nGgXH4sNm for <uta@ietfa.amsl.com>; Tue, 18 Apr 2017 09:15:12 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC792128ACA for <uta@ietf.org>; Tue, 18 Apr 2017 09:15:11 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id o22so2282720iod.3 for <uta@ietf.org>; Tue, 18 Apr 2017 09:15:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Jlz72dmGc+7hsfLvSkcEM4grLlJA08eboW8+YdSusuo=; b=XoX9TGekr5QNLLsb5AtSzFG3srv15G+UgZ8BmwWv/YANrvuIMw/JOqvdw6PqvRljSr o5nNatZxvT3V8jLg1kGYVY5aWyR8TDzyB92c+TwhoFRtCpANkE7J/rrC9w8r9/4TtfMX eKxx4HV7hIy9nstLHuDy8dUDNjG83nlT8V2hgSvu7NSd0DibcuWYcqRaYCuTr/Nue3+J LRPOj+OCzPYptjdtU3PLhWs9YEZa9U6tQZsJxxFt5N38ow7M+OlEGjy/buycvp/BF1WZ trFMs1JKDowZOynrI3JfAiXQRZDMofo2V/3nkGoviGSg6f4szzhOHA/lqSB+K4fWlcSy XTog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Jlz72dmGc+7hsfLvSkcEM4grLlJA08eboW8+YdSusuo=; b=PeMNdSySN9tTW2NTL/1tE9YU29ytuNnW/+xyD9BhPR+ozw3hLrrPh3U+36iAghg5gc c1fh8JRelh0a9xCG/lXAJCk4MPWOW4Xd/suLCVn4nNdD2OpZB6BLcvPHA0YArMCSJj+F au8pxKwoMZE3sPVe96qNz5KGOhsaIMprTy/7Ytv0pQCdCmEQ9+0DW/DvNmlbKVeSdcOe fyuelVRH+sNWper7kBG/eqTZj8A7pMCMH3P0nq7/iqmEVNIoKqrIU5ts7n9qw63qBj7o a3BOSLybAaey0BBAExiKQcj2Ui0GxwNHfLxoorffScF0VEuRswjPcoJZJWqC6mBqUDm7 aM7A==
X-Gm-Message-State: AN3rC/6cOuPfrewbJx1ZvaQxY8RrpRbMTGbpr/K4fPrsINJazp7uuOkp xhqXaz+UpZcoIppb9Br9IwOuQWnPrFFH
X-Received: by 10.36.80.213 with SMTP id m204mr15388332itb.105.1492532110568; Tue, 18 Apr 2017 09:15:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.39.215 with HTTP; Tue, 18 Apr 2017 09:15:09 -0700 (PDT)
In-Reply-To: <2DB01F3A9898AE41BB3266315D9FDA2704903D88@S-DC-ESTE03-B.net1.cec.eu.int>
References: <2DB01F3A9898AE41BB3266315D9FDA2704903D88@S-DC-ESTE03-B.net1.cec.eu.int>
From: Daniel Margolis <dmargolis@google.com>
Date: Tue, 18 Apr 2017 18:15:09 +0200
Message-ID: <CANtKdUe3CS3A_czWURR_h9Z0r803sX-MQMZOMHioZJnCaauEWw@mail.gmail.com>
To: Gerard.DRAPER-GIL@ec.europa.eu
Cc: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1145f2fa50671c054d73361f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/8DTkbUoDq580ywrNhYVYSK2cgLU>
Subject: Re: [Uta] draft-ietf-uta-mta-sts-04 Review
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 16:15:14 -0000
On Thu, Apr 6, 2017 at 11:08 AM, <Gerard.DRAPER-GIL@ec.europa.eu> wrote: > Some minor comments and a question on policy updates. > > > > _ Section 3.2 MTA-STS Policies, when describing the "mx" parameter, it > says: > > > > "For example, "["mail.example.com", ".example.net"]" indicates that > > mail for this domain might be handled by any MX with a certificate > > valid for a host at "example.com" or "example.net"..." > > Should't it say: " valid for a host at 'mail.example.com'"? > > Yes! Thanks. Fixed in Github and the next draft. > _ Section 3.3 HTTPS Policy Fetching > > > > "When fetching a new policy or updating a policy, the HTTPS endpoint > > MUST present a X.509 certificate which is valid for the "mta-sts" > > host (as described in [RFC6125]), chain to a root CA that is trusted > > by the sending MTA, and be non-expired." > > Maybe it's redundant, but since it explicitly mention non-expired, > > should it also mention not revocated? > Do relevant RFCs for HTTPS specify CRL/OCSP checking? If not--and in practice it varies by implementation, such that some major browsers do not implement one or the other--I would not want to mandate it here, even if it's a good idea. (And I agree it's a good idea in the abstract, but to my very limited knowledge, the state of deployment is haphazard, so it seems a bit risky to require it.) > "If a valid TXT record is found but no policy can be fetched via > > HTTPS, and there is no valid (non-expired) previously-cached policy, > > senders MUST treat the recipient domain as one that has not > > implemented MTA-STS." > > I think that a better option would be to report the recipient and > > continue with opportunistic TLS. > Agreed. Added. > > > _ Section 4 Policy Validation: > > > > "2. That at least one of the policy's "mx" patterns matches at least > > one of the identities presented in the MX's X.509 certificate, as > > descriped in "MX Certificate Validation"." > > > > The last line should say "described in ..." > Fixed. > > > > > _ Section 4.1 MX Certificate Validation: (Same than in section 3.3 about > certificates) > > > > "The certificate presented by the receiving MX MUST chain to a root CA > > that is trusted by the sending MTA and be non-expired. " > > Maybe it's redundant, but since it explicitly mention non-expired, > > should it also mention not revocated? > See above. > > > _ Section 5.1 Policy Application Control Flow > > > > "3. Upon message retries, a message MAY be permanently failed > > following first checking for the presence of a new policy (as > > indicated by the "id" field in the "_mta-sts" TXT record)." > > > > It does not specify the number of retries. A parameter could be added to > > the policy to indicate the number of retries before permanent failure, > > with a default value of X. > This is up to the sending MTA. We mandate a minimum retry count only in order to ensure that cached policies are refreshed before any message is perm-failed. In any reasonable implementation, you probably have some high number of retries with backoff, but I think it's appropriate to leave it to MTA implementors (who already have similar configurations for things like MX lookup failures or server temp-failures. > > > Maybe I missed it, but I didn't see any mention to what to do if > > the id from the TXT record does not match the id from the HTTPS policy. > We have removed the ID from the HTTPS policy, so this cannot happen. :) > > > _ Security considerations: > > > > The first paragraph of Section 6.1 contradicts the second paragraph on > Section 8.3 > > > > "Updating the policy requires that the owner make changes in two > > places: the "_mta-sts" TXT record in the Policy Domain's DNS zone and > > at the corresponding HTTPS endpoint. As a result, recipients should > > thus expect a policy will continue to be used by senders until both > > the HTTPS and TXT endpoints are updated and the TXT record's TTL has > > passed." (1st paragraph Section 6.1) > > > > "This attack is mitigated in part by the ability of a victim domain to > > (at any time) publish a new policy updating the cached, malicious > > policy, though this does require the victim domain to both obtain a > > valid CA-signed certificate and to understand and properly configure > > MTA-STS." (2nd paragraph Section 8.3) > > > > If I am able to publish a new policy, but this policy does not reach > > the senders, then I am not solving the problem. > > > > The whole policy application, update is not clear to me, it seems there is > > a contradiction between the fact, mentioned a couple of times, that a > policy > > can be updated any time, and the resistance to "TLS downgrade" attacks. > Please > > correct me if I'm wrong. > I am not sure I understand you. If you can publish a new policy _and_ it is reachable, you can update any maliciously-published policy. If you cannot publish a new policy and have senders fetch it because the MITM is ongoing, a DoS is possible in any event (someone who can DoS HTTPS fetches can, *at the time*, also DoS SMTP directly). So the only concern here is that a temporary MITM against DNS/HTTPS can become a long-term MITM against SMTP (due to policy caching), which is mitigated by the ability to publish a new policy *once the MITM is over*. Does that address your question? > In the policy updates, it clearly states that updating a policy requires > > updating both the TXT record and the HTTPS policy. > > > > DNS request are usually served by intermediary DNS servers, that will > update > > the cache based on the TTL of records, whereas HTTPS requests will be > usually > > served by the "final" server itself, therefore policy updates will > immediately > > (almost) be deployed. > > > > This creates a dilemma. Using short TTLs to allow frequent policy updates > increases > > the window of vulnerability (policy update requires fetching the TXT > record), > > but using long TTLs reduces the ability to update the policy on-demand. > The DNS TTL is independent of the max_age. Using a reasonably short DNS TTL is probably a good idea--say, something similar to the TTL on the MX records. Using a long policy max_age is also a good idea, for the reason you suggest. So using a short DNS TTL does not introduce any real vulnerability that I can see, does it? > A possible solution could be to unlink the id from the TXT record from the > id of the policy. > > A long TTL (1 month?) can be used to "broadcast" that a domain applies > MTA-STS, and a short > > max-age (hours, minutes?) can be used to facilitate frequent policy > updates. > > > > Finally, regarding the JSON vs pair-of-values, I think that at this stage > the opinion of the > > Implementors (those who will implement it) should prevail, to facilitate > its future acceptance. > > I don't think it makes much difference for domain controllers, who may > deploy it. > I unfortunately don't know everyone's names, so I don't know who is an implementor and who is not. :) I've hopefully made clear that I don't personally have a strong opinion about this, but I hope we can reach a consensus that most people are reasonably comfortable with. > > > > Gerard Draper Gil > > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > >
- Re: [Uta] draft-ietf-uta-mta-sts-04 Review Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-04 Review Alexey Melnikov
- Re: [Uta] draft-ietf-uta-mta-sts-04 Review Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-04 Review Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-04 Review Jeremy Harris
- [Uta] draft-ietf-uta-mta-sts-04 Review Gerard.DRAPER-GIL