IETF Logo Mail Archive

Re: [Uta] MTA-STS-03 review

Daniel Margolis <dmargolis@google.com> Tue, 04 April 2017 07:24 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DA52127071 for <uta@ietfa.amsl.com>; Tue, 4 Apr 2017 00:24:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ozHr8pl38f2l for <uta@ietfa.amsl.com>; Tue, 4 Apr 2017 00:24:08 -0700 (PDT)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E44212420B for <uta@ietf.org>; Tue, 4 Apr 2017 00:24:08 -0700 (PDT)
Received: by mail-io0-x22e.google.com with SMTP id l7so89936065ioe.3 for <uta@ietf.org>; Tue, 04 Apr 2017 00:24:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=2d8qW5okcw7Kg+6gmAIAWt6gzgqzuwZd1D75FHsgGdU=; b=bn073oJvkwG/nujSGNXNggWJ0eydVqOHG1V/e+uEmwnm+KZjm+7T7AODrB67MkdGyg nnBUskSBlESWpKHaiYs0/TNAVQwRbcv6auq3KWV2LMR0Tz+ulOn2cwyp/Wu2Mk5Vkg2O 6Jlyw8N6oXmk5n7/IWhbqxRdg+xl00+Pwyu5H8SH/1m3T7x8/l53QxBAb0xJljLaQTvz 66TqVkyqOeWwVuohKfsPHvAy1Pax2QBGmKc1aWZ7UaYM4YDRrkAmLZjF/8xxa+O5y0jw 4C/eFMrHFR0CrCmCu7TZ6AyIQyjhN2MQKojiBJedQHnHF1lKp+Mb6+KKvo7yWW7pxLmJ GLmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=2d8qW5okcw7Kg+6gmAIAWt6gzgqzuwZd1D75FHsgGdU=; b=FbfjWyA4Q80I6WmX8gvaOqIAgv5iSrt+kYm2PCvEK9t70+Km4/LgSey9FtZzNnT2gg U1O+FWD389XAk2t20Fnz4+dz2KN2apHqutRjru9vB0hLV4y3hH0s+aYroyMp3XfHLJNv g93fWvZouv5Inh/lQE9bHWNwJojaCnOPtJD2luJt96ZNTML16jy/PstvYlqIQcLGuqpg izXCnL2+XVW6QwBN3D48UmONJa5nMz7JdAGljigwOO6uc60l1bn9UdK1M6cG4CTv/3J/ HzEAHcAasfzvNwkZxHIntj12CuS6gKms9P0GuD+AhxG6070amksQuCd8asnGFPhvjcD7 LekQ==
X-Gm-Message-State: AFeK/H36LtG0ZI4p6mKZJ+w1bWOMohdh2JkmOmvlGIQWepod+6mLo2L6wyrE9DSKWUh4KkHoYMZjQyjtfi0Bt1ht
X-Received: by 10.107.6.211 with SMTP id f80mr19761550ioi.96.1491290646634; Tue, 04 Apr 2017 00:24:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.39.215 with HTTP; Tue, 4 Apr 2017 00:24:05 -0700 (PDT)
In-Reply-To: <D0683AB1-4D85-4509-857F-AA17EC2334C6@dukhovni.org>
References: <4C0807DA-4852-4DAC-80ED-8A25371CFFAA@dukhovni.org> <CANtKdUfOZYSr_SuGHdDHHgrF8J5VjEWwVw_7KC2xS5DrCKhu-w@mail.gmail.com> <20170326205218.GN11426@blitiri.com.ar> <92500952-2A50-4508-8686-03CDBF72485D@dukhovni.org> <CANtKdUfL+RT05KSqj5i4YeoRa=gHywNosou2VPF6acPDpRhG0g@mail.gmail.com> <20170330105556.GR11426@blitiri.com.ar> <20170403193531.GO25754@mournblade.imrryr.org> <CANtKdUdYU0yvQOXHqkvtD06jvEyNhhtwA2JSS9MzFE-XHcJh_Q@mail.gmail.com> <D0683AB1-4D85-4509-857F-AA17EC2334C6@dukhovni.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Tue, 04 Apr 2017 09:24:05 +0200
Message-ID: <CANtKdUd7dK6oG8maCpzMYDiWUi=ZMV8=KHaxa2J-EfezB=7J0g@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a113fb930491d92054c522988"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/DdsqcLXtKt7PWmiE6I88sGeiPnA>
Subject: Re: [Uta] MTA-STS-03 review
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 07:24:11 -0000

>
> If the policy restricts the acceptable content of the MX RRset
> in DNS, then one ought to avoid connections to "forged" MX hosts,
> which requires changes to the MX selection loop.


Pseudocode in the draft notwithstanding, a compliant implementation
*may* connect
to the "wrong" MX hosts if it wants to. That was my only point.

The draft suggests pre-filtering for efficiency's sake only--when MX host
validation is used, hosts can be determined to be invalid before the
connection, so we can avoid the slightly wasteful step of connecting. But
of course they can be invalid only after connection, too (if they have a
valid hostname but an invalid cert), so obviously we cannot consider
connecting to the "wrong" host to be some kind of security issue (and it is
not).

Like I said, this is mostly a digression, since we've already adopted the
SAN-validation approach in the Github (and it should be in the next draft,
unless I hear major objections, per the seeming consensus at the UTA
meeting). But I believe this pro/con is largely a red herring.

On Mon, Apr 3, 2017 at 11:05 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> > On Apr 3, 2017, at 4:53 PM, Daniel Margolis <dmargolis@google.com>
> wrote:
> >
> > In hypothetical pseudocode, your MX is going to be doing something like
> this:
> >
> > for candidate in mx_list:
> >   if try_to_send(candidate):
> >     success = True
> >     break
>
> Yes, but with an initial step to prune the MX list when the sending host
> is a member of that list...  And of course dealing with multi-recipient
> messages, ...
>
> > And in the cert validation (or DANE validation or anything else) step,
> > we modify "try_to_send()" to close the connection and return False if
> > the cert validation fails, no?
>
> When authentication is required and fails, all recipients tempfail, and
> the next candidate MX is tried (ignoring details of what "next host" means
> when MX hosts have multiple IP addresses).
>
> > So your point seems to be that the MX selection logic must be modified
> > to support the MX matching approach:
>
> The draft suggests filtering the MX host list first, and then looping
> over the remaining hosts.
>
> > for candidate in filter_mx_list(mx_list):
> >    # etc
>
> As above.
>
> > Right? But why would you not simply modify "try_to_send()"
> > to check the hostname against the policy (same as it would
> > check the cert SANs or CN against the policy)?
>
> One could defer the hostname validation, but if it is really
> just an MX hostname filter, and not a certificate filter,
> then there would be a futile connection to the host, and
> a TLS handshake, before the TLS layer discovers that the
> MX hostname is a priori forbidden by the STS policy.
>
> > I'm afraid I don't understand the distinction you are drawing
> > between modifying candidate selection and modifying cert
> > validation. Can you explain a little more?
>
> If the policy restricts the acceptable content of the MX RRset
> in DNS, then one ought to avoid connections to "forged" MX hosts,
> which requires changes to the MX selection loop.
>
> If the policy restricts the acceptable names in the MX host
> certificate, then MX selection remains unaffected, and one
> tempfails connections where the peer certificate fails to
> validate (for any of a set of reasons, including name check
> failure).
>
> --
>         Viktor.
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>

v2.23.0 | Report a Bug | By Email