Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)

[Eric Rescorla <ekr@rtfm.com>]

On Tue, Oct 24, 2017 at 5:31 PM, Keith Moore <moore@network-heretics.com>
wrote:

> (inline)
>
> Line 186
>>     TLS, and to encourage a greater consistency for how TLS is used, this
>>     specification now recommends use of Implicit TLS for POP, IMAP, SMTP
>>     Submission, and all other protocols used between a Mail User Agent
>> Do you want to say RECOMMENDED?
>>
>
> Lower case "recommends" (non-2119 meaning) was intentional, though my
> reasoning may be unclear:  One of the first things I learned while studying
> engineering was to not specify the same thing in two different ways,
> because subtle differences between the two could create ambiguity.   (I
> remember this point clearly because about a year before, someone had
> constructed a beautiful piece of cabinetry to my specifications, which
> completely did not fit into the intended space because I had made this very
> error.)
>
> So when writing technical specifications, I believe there should be a
> clear distinction between summary text (which glosses over details), and
> the text that actually defines the requirements of the specification.
> Admittedly this could be called out more explicitly, though it doesn't seem
> conventional for IETF RFCs to do so.


OK, this was just a note.




>        the TLS ciphersuite of the session in which the mail was received,
>>        in the Received field of the outgoing message.  (See Section 4.3.)
>> Do you want to also suggest that it include the name of the DH group, if
>> any?
>>
>
> I've attempted to add that attribute but please check the text:
>
>       The ESMTPS transmission type <xref target="RFC3848"/> provides trace
>       information that can indicate TLS was used when transferring mail.
>       However, TLS usage by itself is not a guarantee of confidentiality or
>       security. The TLS cipher suite provides additional information about
> the
>       level of security made available for a connection. This defines a new
>       SMTP "tls" Received header additional-registered-clause that is used
> to
>       record the TLS cipher suite that was negotiated for the connection.
> The
>       value included in this additional clause SHOULD be the registered
> cipher
>       suite name (e.g., TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) included
> in the TLS
>       cipher suite registry. In the event the implementation does not know
> the
>       name of the cipher suite (a situation that should be remedied
> promptly),
>       a four-digit hexadecimal cipher suite identifier MAY be used.
>       In addition, the Diffie-Hellman group name associated with the
>       ciphersuite MAY be included (when applicable and known) following the
>       ciphersuite name.   The ABNF for the field follows:
>       <figure>
>         <artwork type="abnf">
> tls-cipher-clause  =  CFWS "tls" FWS tls-cipher [ "group" dh-group ]
>
> tls-cipher         =  tls-cipher-name / tls-cipher-hex
>
> tls-cipher-name    =  ALPHA *(ALPHA / DIGIT / "_")
> ; as registered in IANA cipher suite registry
>
> tls-cipher-hex     =  "0x" 4HEXDIG
>
> dh-group           = ALPHA *(ALPHA / DIGIT / "_")
>

I might want to include hyphen here because "P-256"



> Line 405
>>     implementation does not know the name of the cipher suite (a
>>     situation that should be remedied promptly), a four-digit hexadecimal
>>     cipher suite identifier MAY be used.  The ABNF for the field follows:
>> Hard to see how you could realistically get into this state...
>>
> Chris wrote this so this is just a guess on my part:   I'm assuming there
> are TLS APIs out there that let the caller query which ciphersuite is being
> used, but the implementation returns an integer rather than the name, and
> provides no convenience routine to look up the name text.


OK. Chris?



Line 594
>>     accounts SHOULD be at least use of TLS version 1.1 or greater, and
>>     successful validation of the server's certificate.  (Future revisions
>>     to this specification may raise these requirements or impose
>> This second requirement is more important.
>>
>
> Agree, or at least I think I do (are MiTM attacks taking advantage of no
> or weak cert validation really more of a threat than attacks on TLS < 1.1
> protocol or ciphersuites?  yeah, I could see that.).


No, they're not.


> But I certainly want implementors to pay more attention to cert validation.
>
> I'm not sure what change to the text you had in mind, but I reversed the
> order to put cert validation first.


I think that success validation needs to be a MUST.


added a note about this.
>
>> Line 679
>>     TLS handshake unless the server requests one and the client has
>>     determined the certificate can be safely used with that specific
>>     server, OR the client has been explicitly configured by the user to
>> Can you note that this is just a restatement of the rules in TLS?
>>
>
> I attempted to fix this as well as the next item, though it's possible I'm
> still missing something:
>
>     MUAs MAY implement client certificate authentication on the
>     Implicit TLS port.  An MUA MUST NOT provide a client certificate
>     during the TLS handshake unless the server requests one AND at
>     least one of the following is true: the client has determined the
>     certificate can be safely used with that specific server, OR the
>     client has been explicitly configured by the user to use that
>     particular certificate with that server. How to make this
>     determination is presently implementation specific. (The
>     requirement that the server request a certificate is just a
>     restatement of the TLS protocol rules, e.g.
>     <xref target="RFC5246"/> section 7.4.6.  The requirement that the
> client
>     not send a certificate not known to be acceptable to the server is
>     pragmatic in multiple ways: the current TLS protocol provides no way
> for
>     the client to know which of potentially multiple certificates it
>     should use; also, when the client sends a certificate it is
>     potentially disclosing its identity (or its user's identity) to
>     the server - perhaps unnecessarily and for no useful purpose.


This is fine.


Line 681
>>     server, OR the client has been explicitly configured by the user to
>>     use that particular certificate with that server.  How to make this
>>     determination is presently implementation specific.
>> The structure of this text is confusing. The rule is:
>>
>> if (server asked &&
>>      (client determined safe || certificate configured)) {
>>      can use
>> } else {
>>      can't use
>> }
>>
>
> reworded text in -10 to try to make this clearer.
>
> Line 781
>>     or interception; this is not intended to mitigate active attackers
>>     who have compromised service provider systems.
>> IMPORTANT: Client auth with TLS 1.2 reveals the user's identity. This is a
>> privacy issue, and so we need to note it. The options here are not great
>> with <
>> 1.3 because renegotiation is also bad, so I'm not suggesting a normative
>> change, but I think the doc needs to be clear.
>>
>
> Added a paragraph:
>
> Implementors should be aware that use of client certificates with TLS
> 1.2 likely reveals the user's identity to the server and therefore may
> compromise the user's privacy.  There seems to be no easy fix other
> than to avoid presenting client certificates except when specifically
> configured to do so.


The issue here is that it exposes it not to the  server (though it does)
but to anyone on the
wire. This is actually better with TLS 1.3.

-Ekr



Line 959
>>     in RFC 6186 resolves that critique for email.  The second bullet is
>>     correct as well, but not very important because useful deployment of
>>     security layers other than TLS in email is small enough to be
>> The second bullet is less correct than it used to be because we no longer
>> support export suites. Ordinarily I wouldn't bother to make this point,
>> but if
>> we're revisiting this point by point, I think we should note that.
>>
>
> added a note for this.
>
> Keith
>
>
>