Re: [Uta] Ben Campbell's Discuss on draft-ietf-uta-smtp-tlsrpt-18: (with DISCUSS and COMMENT)
Daniel Margolis <dmargolis@google.com> Wed, 18 April 2018 15:46 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 845CE1243F3 for <uta@ietfa.amsl.com>; Wed, 18 Apr 2018 08:46:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcCqgn8OFwLL for <uta@ietfa.amsl.com>; Wed, 18 Apr 2018 08:46:05 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1ADE4120727 for <uta@ietf.org>; Wed, 18 Apr 2018 08:46:05 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id m134-v6so3152517itb.3 for <uta@ietf.org>; Wed, 18 Apr 2018 08:46:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qkG4lS+SJMF1L8IYlP5GJW8Q2o/e8+GQTQ1HPdoB5wI=; b=oIHAb7BbZ7EOZD/PJPVUS6lw+uEJ+qKVBP+IEzOGQBFqwpiH11cfftEtWGu/iAZJ1F niVJN5RZJKyCwIP88LpdHZCapvmAvA6LiPPXVtbMfyfVfGgZuGCnN9SPWcel9+NeLF9z 3l7dUfXlz+3W3fe4xdgmY8xl+wCzJES/KJ+er8tStgzFAYG+WZWSXxkTshnbGNI/MllJ QYt9Txmt4ssmEW1cqtwVU2MYqGBh+Mm3LGVs2H3bZLhlOaj05/vfrcKTsxyo9aZPkM6r wR3Ghb4lUqoYMRdK09PdK6qrnPtL4P24bPvUlGP8lTG7SWWiTR3qZlMbXC/kHZ3FUoco eW7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qkG4lS+SJMF1L8IYlP5GJW8Q2o/e8+GQTQ1HPdoB5wI=; b=bMCdeHhPM1gNbqWyocwjBzamC6vdXvJ6VjHQ2NojXOxqD9xqKaY6xff32ruwbq7RTt E/No9ozpsXnNGJvJnd4lkpSzvGw0U7182JAvxwO/MJFNzAssbBtsUVXsGjX/e4wCIYKT FgR2xWeb5g7M+UcQGwWOZ764xdjSacyFkAwuhdmdQVo6XnGyf5PRBLNgqO0fZ80SE1K6 J8EUX4ufJQoxtX2ZP5qD+CsrE10ryr7YGq8LJAT49mrSbG2XH+AI5oxV2y5yVEDbaaDi 1rBskkabU4A20khLtPT5tdXQ9/gV4HMoZNpp0eLLiXepK5XJJz92o8fNHJ+8S/VO7Hgj RKdg==
X-Gm-Message-State: ALQs6tCLPIGW/BeRA6NfPa6wM8x5k8yn/XZR1K52Pk+MmuKb4+eqMK5n K0Hz20LBbOV123QrW8d+rKYxIBxUFHxdL8vpNz66Gg==
X-Google-Smtp-Source: AIpwx48PAL7xy9iC/krePB73Kb0Ao2bhUcuc73LXtwd7avNfj5qslXAvvkEOxAD4w8NxozYATSAIioKdVgIUbg6ZlW0=
X-Received: by 2002:a24:4c14:: with SMTP id a20-v6mr2418509itb.10.1524066363940; Wed, 18 Apr 2018 08:46:03 -0700 (PDT)
MIME-Version: 1.0
References: <152385180418.20842.14674431902324822553.idtracker@ietfa.amsl.com>
In-Reply-To: <152385180418.20842.14674431902324822553.idtracker@ietfa.amsl.com>
From: Daniel Margolis <dmargolis@google.com>
Date: Wed, 18 Apr 2018 15:45:50 +0000
Message-ID: <CANtKdUduOTmgqB03DYObHjmm8uRjDHZxK4COo20yawUt3exVUQ@mail.gmail.com>
To: ben@nostrum.com
Cc: iesg@ietf.org, draft-ietf-uta-smtp-tlsrpt@ietf.org, valery@smyslov.net, Leif Johansson <leifj@sunet.se>, uta-chairs@ietf.org, uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000478e30056a215a46"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/FiMvIXIRfVpM22s3RQNXYjH1KDM>
Subject: Re: [Uta] Ben Campbell's Discuss on draft-ietf-uta-smtp-tlsrpt-18: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2018 15:46:12 -0000
Hey. Thanks for the feedback. On Mon, Apr 16, 2018 at 6:10 AM Ben Campbell <ben@nostrum.com> wrote: > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I plan to ballot "Yes" for this, but there is an issue I think needs > discussion > first. Hopefully this will be easy to address: > > §3 says "Report submitters MAY ignore certificate validation errors when > submitting reports via https." Yet the security considerations mention how > an > attacker than can subvert SMTP security might also be able to subvert the > TLSRTP TXT records. It seems like one potential result of that could be to > redirect the reports to a hostile destination, or at least away from the > intended destination. Ignoring certificate validation errors removes a > check > against that sort of thing. > I'm sure there are good reasons to allow that; I can even guess at a few. > But I > think allowing that sort of behavior needs explicit motivation, and I > failed to > find text that did that. > I sent a somewhat related comment to the list a few minutes ago. tl;dr: * The risks we may consider if this introduces are a) information leakage (receiving someone else's reports) and b) *preventing* discovering of malicious interception. * The benefit this introduces is increasing the chance of discovering benign misconfiguration (which is likely, I posit, to coincide with validation errors in TLSRPT reporting). The second point, I trust, is fairly clear. For the first point, I believe these two risks are *mostly* spurious. a) In most cases (though not all; imagine the case of a reporting URI whose host is in a different--say, non-DNSSEC-secured--zone than the delivery domain), an attacker who can intercept the reports can probably also intercept the mail (or at least the initial SMTP EHLO) itself, and so can already glean some of the metadata visible in the report. b) An attacker who can inject a spurious reporting URI or otherwise intercept reports doesn't need to handle them properly (with valid HTTPS), but can simply inject NXDOMAIN for the TLSRPT record. As such, I believe the risks are very limited and the benefits (in the benign misconfiguration case) large. I'm not opposed to expanding on Security Considerations with more text like the above. (The ideas above are somewhat obliquely referenced already, I think, but not directly so.) > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Substantive: > > §1.1: There are at least a few lower case instances of 2119 keywords. > Please > consider using the boilerplate from RFC 8174 instead of 2119. > > §5.3, first paragraph: The paragraph claims that this document defines > "multipart/report". In fact, it does not. > > §5.4, 2nd paragraph: " A reporting entity HOULD expect a "successful" > response > from the accepting HTTPS server...": I'm not sure how to interpret a > normative > requirement to expect success. What is the real intent here? > > Editorial and Nits: > > §1, paragraph 1, 2nd sentence: The sentence is convoluted. Can it be broken > into multiple simpler sentences? > > §1.1, Policy Domain: The definition is partially circular. Please define > what > is meant by "domain". I assume that means domain in the DNS sense, but the > word > "domain" is commonly uses in other senses as well. Please be explicit. > > >
- [Uta] Ben Campbell's Discuss on draft-ietf-uta-sm… Ben Campbell
- Re: [Uta] Ben Campbell's Discuss on draft-ietf-ut… Daniel Margolis
- Re: [Uta] Ben Campbell's Discuss on draft-ietf-ut… Brotman, Alexander