Re: [Uta] Comments on draft-ietf-uta-mta-sts-03

Daniel Margolis <dmargolis@google.com> Tue, 28 March 2017 16:25 UTC

From: Daniel Margolis <dmargolis@google.com>
Date: Tue, 28 Mar 2017 18:25:36 +0200
To: Federico Santandrea <federico.santandrea@diennea.com>
Cc: uta@ietf.org
In-Reply-To: <7113f172-0742-05b3-c504-8763175df7f0@diennea.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/94GXn6eTOi6IrTQpoMKIypxrI08>

Yes, I think we have discussed the possibility of that before. You could
also do this with a new EKU value, I think. Ultimately the value of adding
this constraint is unclear to me; for example, dyndns.org would not be
saved by that (since a user who has "foo.dyndns.org" can easily get a cert
for that name); conversely, it could make it harder for some people to
adopt (I guess). So I don't know.

On Tue, Mar 28, 2017 at 12:18 PM, Federico Santandrea <
federico.santandrea@diennea.com> wrote:

> From Security Considerations section of draft-ietf-uta-mta-sts-03:
>
>    "Similarly, we consider the possibility of domains that deliberately
>    allow untrusted users to serve untrusted content on user-specified
>    subdomains.  In some cases (e.g. the service Tumblr.com) this takes
>    the form of providing HTTPS hosting of user-registered subdomains
>     [...] In these cases, there is a risk that untrusted users would be
>    able to serve custom content at the "mta-sts" host, including
>    serving an illegitimate SMTP STS policy."
>
> It's likely that such domains serve wildcard certificates for
> user-specified subdomains. I think a further mitigation of this could
> be to require the HTTPS connection's certificate to be valid precisely
> for the mta-sts.example.com host, ignoring wildcard matches.
>
> --
> Federico
>
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>
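The stricter certificate check Federico proposes, as an added example that is not part of the thread or of the draft: the HTTPS certificate served by the policy host must list mta-sts.<domain> as an exact dNSName, and a wildcard entry such as *.example.com, which a tenant with one user-registered subdomain can typically obtain, is not accepted on its own. The normal RFC 6125-style wildcard matcher is included alongside so the two rules can be compared on the same input. The SAN lists at the bottom are constructed sample data, not real certificates, and the function names are this example's own.

```python
"""
Strict host matching for an MTA-STS policy fetch (added example, not from the thread).

Models the mitigation suggested in the quoted reply: accept the policy
server's certificate only if it names mta-sts.<domain> exactly, so a
wildcard certificate covering user-registered subdomains does not also
vouch for the policy host.
"""
from typing import Iterable

POLICY_LABEL = "mta-sts"


def policy_host(domain: str) -> str:
    """Host the MTA-STS policy is fetched from, lower-cased, without a trailing dot."""
    return f"{POLICY_LABEL}.{domain.strip('.').lower()}"


def wildcard_matches(pattern: str, host: str) -> bool:
    """
    RFC 6125-style wildcard match: a single '*' stands in for exactly one
    complete leftmost label ('*.example.com' matches 'a.example.com' but
    not 'a.b.example.com' and not 'example.com').
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Same number of labels and every non-wildcard label identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(san_names: Iterable[str], host: str, allow_wildcard: bool = True) -> bool:
    """
    True if any dNSName in the certificate's SAN list covers `host`.
    With allow_wildcard=False only an exact, case-insensitive name counts.
    """
    host = host.lower().rstrip(".")
    for name in san_names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if allow_wildcard and wildcard_matches(n, host):
            return True
    return False


def accept_policy_certificate(san_names: Iterable[str], domain: str) -> bool:
    """
    The stricter rule from the thread: the certificate must name
    mta-sts.<domain> exactly; wildcard coverage alone is rejected.
    """
    return cert_covers_host(san_names, policy_host(domain), allow_wildcard=False)


if __name__ == "__main__":
    # Constructed SAN lists, not real certificates.
    samples = {
        "wildcard-only": ["*.example.com"],
        "explicit": ["example.com", "mta-sts.example.com"],
    }
    for label, sans in samples.items():
        loose = cert_covers_host(sans, policy_host("example.com"))
        strict = accept_policy_certificate(sans, "example.com")
        print(f"{label:14} wildcard-ok={loose!s:5} strict={strict}")
```

Running the block shows the difference the rule makes: the wildcard-only certificate passes ordinary hostname matching but fails the strict check, while the certificate that lists mta-sts.example.com explicitly passes both. As Daniel's reply notes, this only helps where a tenant cannot obtain a certificate for the exact mta-sts name; a tenant who controls the mta-sts label itself is not stopped by it.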