IETF Logo Mail Archive

Re: [Uta] draft-martin-authentication-results-tls-00.txt

Chris Newman <chris.newman@oracle.com> Tue, 04 March 2014 09:56 UTC

Return-Path: <chris.newman@oracle.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D815C1A04A6 for <uta@ietfa.amsl.com>; Tue, 4 Mar 2014 01:56:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.148
X-Spam-Level:
X-Spam-Status: No, score=-4.148 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qo64EPgEpl7u for <uta@ietfa.amsl.com>; Tue, 4 Mar 2014 01:56:14 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 3A6681A0496 for <uta@ietf.org>; Tue, 4 Mar 2014 01:56:14 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s249u8g4015271 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 4 Mar 2014 09:56:10 GMT
Received: from gotmail.us.oracle.com (gotmail.us.oracle.com [10.133.152.174]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s249u603027827; Tue, 4 Mar 2014 09:56:07 GMT
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-disposition: inline
Content-type: text/plain; CHARSET="US-ASCII"; format="flowed"
Received: from [10.175.6.72] (dhcp-uk-twvpn-2-vpnpool-10-175-34-17.vpn.oracle.com [10.175.34.17]) by gotmail.us.oracle.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built Jan 22 2014)) with ESMTPA id <0N1W00264OXF9J00@gotmail.us.oracle.com>; Tue, 04 Mar 2014 01:56:06 -0800 (PST)
Date: Tue, 04 Mar 2014 09:54:49 +0000
From: Chris Newman <chris.newman@oracle.com>
To: Franck Martin <franck@peachymango.org>
Message-id: <7CECD3FCE5409A78D39ADA82@96B2F16665FF96BAE59E9B90>
In-reply-to: <734017123.17922.1393866825369.JavaMail.zimbra@peachymango.org>
References: <233559187.7077.1393833441181.JavaMail.zimbra@peachymango.org> <WM!28c70c1d46516949cf7f9bf8cde9cd85c4e619555a8dbb69689f5c7317bc85fef4f03b79fffcd6368f70a1fbccb8b85a!@asav-2.01.com> <335401184.8514.1393846443039.JavaMail.zimbra@peachymango.org> <D80D263EF16870240BAF05B3@96B2F16665FF96BAE59E9B90> <WM!2ea8674794a8a16ccd1546352f43a1f292798c9f2c8b534665af46bf0f5045655a024bbf3c8a52e303f82dfb4fc338b5!@asav-1.01.com> <734017123.17922.1393866825369.JavaMail.zimbra@peachymango.org>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/F5TCei7KUNz5R2jiUd2eaAq4A4Y
Cc: uta@ietf.org
Subject: Re: [Uta] draft-martin-authentication-results-tls-00.txt
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 09:56:17 -0000

I'm now thinking our proposals have two different goals and should be kept 
separate.

The goal of my received-header proposal is to record a trace of TLS usage 
for every hop of email transfer. This allows the recipient to get a sense 
of the level of privacy from undetectable passive attacks achieved during 
transfer. I believe this information can be leveraged in various ways to 
improve deployed cipher suites as well as to identify transfer connections 
where protection from passive attacks is missing and needs to be added.

If I understand correctly, I think you're trying to introduce a new 
TLS-based anti-spam weighting factor that raises the cost for spammers 
somewhat. That's actually a goal I had not considered prior to this 
discussion. It's an interesting goal, but there are a number of highly 
problematic details that would need to be corrected to achieve it. Today's 
TLS in SMTP today does not work the way TLS does for other protocols; it is 
completely unauthenticated and the client and server certificates have no 
meaning unless an additional protocol, such as DANE+SMTP is also required.

So before it's useful to put anything related to TLS in an authentication 
results header, you need to actually write down the rules and requirements 
for the form of TLS authentication necessary to achieve the goal you're 
pursuing.

If I've correctly identified your goal, I can try to provide suggestions on 
how to achieve it. Please let me know if you'd like that.

A few brief comments below:

--On March 3, 2014 11:13:45 -0600 Franck Martin <franck@peachymango.org> 
wrote:
> ----- Original Message -----
>> From: "Chris Newman" <chris.newman@oracle.com>
>> To: "Franck Martin" <franck@peachymango.org>, uta@ietf.org
>> Sent: Monday, March 3, 2014 2:39:06 PM
>> Subject: Re: [Uta] draft-martin-authentication-results-tls-00.txt
>>
>> --On March 3, 2014 5:34:03 -0600 Franck Martin <franck@peachymango.org>
>> wrote:
>> > Following a suggestion at last IETF meeting to codify TLS results in
>> > email please find the following:
>> >
>> > A new version of I-D, draft-martin-authentication-results-tls-00.txt
>> > has been successfully submitted by Franck Martin and posted to the
>> > IETF repository.
>> >
>> > Name: draft-martin-authentication-results-tls
>> > Revision: 00
>> > Title: Authentication-Results Registration for TLS
>> > Document date: 2014-03-03
>> > Group: Individual Submission
>> > Pages: 6
>> > URL:
>> >
>> http://www.ietf.org/internet-drafts/draft-martin-authentication-results-
>> tls-00.txt Status:
>> > https://datatracker.ietf.org/doc/draft-martin-authentication-results-t
>> > ls/ Htmlized:
>> > http://tools.ietf.org/html/draft-martin-authentication-results-tls-00
>> >
>> >
>> > Abstract:
>> > This memo updates the registry of properties in Authentication-
>> > Results: message header fields to allow relaying of the results of an
>> > email sent using STARTTLS [RFC3207] or not.
>>
>> I reviewed this draft and have several concerns.
>>
>> I believe the "tls.client" field is harmful. It includes information that
>> appears to have value but has none in practice due to lack of
>> standardized client certificate validation rules and thus may be misused
>> by spam filters. If you have an argument about why this information is
>> useful, I'd be interested in hearing it.
>>
>> The same complaint applies "tls.server", but it is additionally
>> problematic absent information about whether the client claims to have
>> verified the server's identity (such information could be gathered by
>> the SMTP CLIENT command described in draft-newman-email-deep).
>
> I fail to understand how it can be misused, by definition the receiving
> server is "trusted" and is reporting the result of the message reception
> via this header.
>
> The received headers are commonly forged, and it is quite difficult to
> know which ones are real, at the difference of the Authentication-Results
> header which cannot be forged, as the receiving MTA must delete this
> header on reception.

The top received header and the Authentication-Results header have the same 
level of trust.

> The Authentication-Results header is only useful within a trusted
> environment, it is not meant to be added to a message to be sent over the
> Internet: MTA--->MUA

I question the degree to which such "trusted environments" exist.

> The presence of the CN= part in the Subject, which usually contains a
> domain name, allows in the same fashion as SPF or DKIM to tie an email to
> a domain. Therefore provides an extra identifier for a wide variety of
> reputation mechanisms.

FYI, that use of CN= is deprecated by the PKIX specification (RFC 5280) 
that sets the rules for TLS certificates. You'd also need to record the 
relevant subjectAltNames. But none of that's useful if no TLS 
authentication is performed.

		- Chris

v2.23.0 | Report a Bug | By Email