Re: [Uta] Comments on STS Strict Transport Security
Daniel Margolis <dmargolis@google.com> Tue, 22 March 2016 11:46 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F1CA12D1C9 for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 04:46:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9p51nsXbgKEM for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 04:46:41 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D75912D1D3 for <uta@ietf.org>; Tue, 22 Mar 2016 04:46:41 -0700 (PDT)
Received: by mail-ig0-x231.google.com with SMTP id ig19so103764212igb.0 for <uta@ietf.org>; Tue, 22 Mar 2016 04:46:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=NW882D0Sj8FZNbsE1cBLFBftZ3qdxgULcD+DC9/c4g0=; b=AEcbuES4NWXSxgLVTCktv6+7+vjKKyla/ItjCrh30wbsRUQQa9M9R+CrsH/VgyVE1u YEyAZb2Tq3+fM//ijFTY/m+toRsIRU3E2GhBNWafsgql5Amb3qV+MkVotDRw5A4UFnQm p1j1E8zwAUAdJCPbc+GR7EcewXMJbXubKxKqtLgjc+xTYAimqaAH/m8S6zsrDTipp3oh AOyuF62Z55Ecv52yXoHw41YspGGg7EtHJdjnXqlCxH/CqTB1QzXVJNqCJJVXOffzwDYy XksnH8Fda4nciiiIwn1+onvjvHQWcgKUBAVxod2IYBfDMlqq8wYlVMPeiJY2fDFERXHg XAbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=NW882D0Sj8FZNbsE1cBLFBftZ3qdxgULcD+DC9/c4g0=; b=AJJX3Ez/omo47w5lJcJy8w2LmU8HSxQZ/h3+X9Nah+A+jsFRxz2EZ5jSBnwjQBe2v7 VFazXbPIyNvmnWAjzc/AIubvdKpHnRm/g+O4lUReY47/DdIplQOqMYfrrbQJZh/zZZ/o C8H3pViuM6BMPMsC4PkXUWCsUYGxQA5wLoSV3m4D/10WIDYxfCmpSYYJ3TWxkRxSQcCV m2rB7Py4QNNapKCVORK/ZwQ951mIFGfk13LpG3xFqWMJNNlLom8HDB7MFLDp9J8L6DbM NSybwEcM77oADbuPW+/pGR2s9pR6hLOWmb567F3NFnL8nNOCUvcpgGDLEwwT8VTqtcw/ af2Q==
X-Gm-Message-State: AD7BkJL9M0z5R1Ca2sw97u9gIO25kqi1Ei19y7oJxXbHXKF7I8e06ELuaRB0JRlxMXyCBroBzkNO0xODdXaU9d5G
MIME-Version: 1.0
X-Received: by 10.50.79.135 with SMTP id j7mr18109839igx.84.1458647200438; Tue, 22 Mar 2016 04:46:40 -0700 (PDT)
Received: by 10.64.251.136 with HTTP; Tue, 22 Mar 2016 04:46:40 -0700 (PDT)
In-Reply-To: <656BD8D0-E792-4DC5-9BF1-C60DA0B9476E@noware.co.uk>
References: <4ED52982-CB5A-434F-A9F5-ED652486436D@noware.co.uk> <CANtKdUfLEqc-Mf76U0eZ82pMmLMsYqANPyK9Jh2MsEpZr+E96w@mail.gmail.com> <656BD8D0-E792-4DC5-9BF1-C60DA0B9476E@noware.co.uk>
Date: Tue, 22 Mar 2016 12:46:40 +0100
Message-ID: <CANtKdUcRgmmjk+YEbXG=MfW79mt4t6h6V0bLzaNcZDyWvBmbZg@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: Neil Cook <neil.cook@noware.co.uk>
Content-Type: multipart/alternative; boundary="089e0122a7543c94cf052ea1c4b1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/Gp3ARdFF58OrFsLWAHPZaiCyeSE>
Cc: uta@ietf.org
Subject: Re: [Uta] Comments on STS Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 11:46:44 -0000
Right. to=true is what we mean by "reject." We should probably clarify this. (As you can imagine, there have been a lot of revisions to the syntax, so, you know, my apologies for old terminology that was not updated adequately and so forth! A fresh set of eyes really helps here.) We should be explicit that reports can be sent even when "to" is "true." I will add this to my to-do list. ;) Thanks again. On Tue, Mar 22, 2016 at 11:56 AM, Neil Cook <neil.cook@noware.co.uk> wrote: > Thanks for the clarification on step 4. > > However I’m still confused by the language "Enforced: In this mode, > sending MTAs SHOULD treat STS policy failures, in which the policy action > is “reject”" > > I may be missing something obvious, but I don’t see any way to specify a > policy action of “reject” in the draft. The only thing I see is the “to” > field, which I guess implicitly sets the policy action to “reject” if it is > set to “true". If so, then the draft language should just refer to the “to” > field being true rather than refer to a policy action of “reject”. > > Also, “to: TLS-Only (plain-text, required). If "true," the receiving MTA > requests that messages be delivered only if they conform to the > STS policy. If "false," the receiving MTA requests that failure > reports be delivered, as specified by the "rua" parameter." > > Although the above doesn’t explicitly state it, I presume reports can be > sent even when “to” is set to “true”? If so the draft should be explicit > about this. If not, why not? > > Neil > > On 22 Mar 2016, at 11:24, Daniel Margolis <dmargolis@google.com> wrote: > > Heh, thanks for the feedback. > > I will try to make sure we used consistent language. In specifics, my > intended meanings: > > * authentication: determining that the policy is published by the domain > owner (either because it was delivered over DNSSEC or because it was > delivered over HTTPS with a trusted cert) > * validation: on a given mail delivery attempt, determining that the MX is > the "right" MX (i.e. that its identity and certificate match what the > authenticated policy specifies) > * application: determining what to do when a policy validates or does not > validate (the latter of course being the interesting case) > > "Application" is more than just "validation" for two reasons. First, > because a policy might be "report only" and thus a failure to validate does > not result in a delivery failure. Second, because of this slightly > complicated dance to get the latest policy in the case of a failure. > > The central idea here is that if a policy fails to validate on a given > delivery attempt, the sender should try to get a new *authenticated* policy > to ensure it's using the most up-to-date revision. This allows recipients > to set a long expiration on the policy without chaining themselves to their > current MX records, provider, etc. So this answers your question of when > senders will see the new policy: they will refresh the policy if the old > policy is no longer valid. > > An attacker who can present a valid policy (by e.g. controlling both DNS > and a valid CA-signed cert for the recipient domain) can typically do a lot > of other nasty things as well, like MITM client connections to the IMAP or > webmail server, so we consider this attack out of scope for now (though > potentially a good application of public key pinning, CT, or similar). > > In the section you quote from 3.3, I think that should refer to > "authentication", not "validation." :) > > Dan > > On Tue, Mar 22, 2016 at 10:12 AM, Neil Cook <neil.cook@noware.co.uk> > wrote: > >> Some feedback on this draft: >> >> 1) The language around policy authentication vs validation vs application >> is very confusing to me. The terms “authentication” and “validation” seem >> to be used in a variety of contexts with different meanings. >> >> For example in "3.3. Policy Authentication" >> >> The security of a domain implementing an SMTP STS policy against an >> active man-in-the-middle depends primarily upon the long-lived >> caching of policies. However, to allow recipient domains to safely >> serve new policies _prior_ to the expiration of a cached policy, and >> to prevent long-term (either malicious or active) denials of service, >> it is important that senders are able to validate a new policy >> retrieved for a recipient domain. There are two supported mechanisms >> for policy validation: >> >> So the draft talks about authentication, and then immediately starts >> talking about being able to “validate” new policies. I think this should >> be “authenticate”. >> >> When fetching a new policy when one is not already known, or when >> fetching a policy for a domain with an expired policy, >> unauthenticated policies MUST be trusted and honoured. >> >> Back to the use of “unauthenticated” here. Even though authentication >> hasn’t really been defined yet, or least distinguished from validation. >> >> When fetching a policy and authenticating it, as described in detail in >> _Policy_ >> _Application_, policies will be authenticated using the mechanism >> specified by the existing cached policy. >> >> And here. >> >> Note, however, as described in detail in _Policy_ _Application_, that >> new policies MUST NOT be considered as valid if they do not validate >> on first application. That is, a freshly fetched (and unused) policy >> that has not successfully been applied MUST be disregarded. >> >> Here validation seems be being used as meaning “parsing and applying >> successfully”. >> >> Also, it’s confusing to me that this paragraph talk about policy >> validation, but instead refers the reader to the “Policy Application” >> section, rather than the “Policy Validation” section. >> >> I think the terms should be used as follows (and please correct me if I’m >> misunderstanding the draft): >> >> - “authentication” refers to the concept of “trusting” that a retrieved >> policy is the policy actually intended by the remote domain and not a >> malicious policy inserted through DNS spoofing or whatever, and should be >> used in the this context. Since STS is ‘trust-on-first-use’, this means >> that authentication is normally a no-op, except in the case of retrieving a >> new policy when a cached policy is already in operation. >> I’d like to see the section on Policy Authentication reworded so that >> this is clearer, by moving the language "When fetching a new policy when >> one is not already known…” to the start of this section, and stating that >> such policies are thus implicitly authenticated. Explicit authentication >> happens when a new policy is retrieved and authenticated according to the >> two mechanisms shown in “Policy Authentication”, based on the “a" field >> from the already cached policy. >> >> - The section “Policy Validation” actually refers to certificate >> validation, based on the “c” field in the cache policy. This seems to be >> different to policy validation to me, which should mean a well-formed and >> parseable policy. The section “Policy Validation” actually seems to me to >> just be the first step in policy “application”. >> >> - “application” should refer to the process of applying an authenticated >> and valid policy. >> >> 2) The logic as to when to use the “authentication” mechanism as >> described by the “a” field seems strange to me. The draft states that >> policies should be cached until the expiration time (which is implicitly >> the longer of the TTL and the “e” field). It also states that the only time >> the authentication method specified in the “a” field should be used is when >> the applied policy is invalid and the policy specifies rejection (step 4 of >> Policy Application). >> The draft also states: >> With these two mechanisms and the procedure specified in step 4, >> recipients who publish a policy have, in effect, a means of updating >> a cached policy at arbitrary intervals >> >> I don’t get this, because it seems to me that if a domain with a valid >> policy wishes to change their policy *before* the end of the expiration >> period, then nobody will see that new policy until *after* the expiration >> period because sending MTAs will cache the policy until after the >> expiration period, and should never invoke step 4 because they shouldn’t >> see a validation failure and/or reject action. This doesn’t seem consistent >> with “updating a cache policy at arbitrary intervals”? >> >> "Understanding the details of step 4 is critical to understanding the >> behaviour of the system as a whole.” >> >> I have to say I don’t understand step 4 at all, so maybe someone can >> explain it to me? :) The whole authentication system seems designed for a >> tiny use-case, i.e. validation failure and reject action. If this is >> designed to stop malicious behaviour, why only concentrate on >> non-validating policies, surely there are use-cases where an attacker has >> spoofed the recipient DNS records (cache poisoning etc.) and thus has >> control over both the DNS STS record and the DNS record for the HTTPS >> server, and thus could present a valid policy? >> >> Neil >> >> >> >> >> _______________________________________________ >> Uta mailing list >> Uta@ietf.org >> https://www.ietf.org/mailman/listinfo/uta >> >> > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > > >
- [Uta] Comments on STS Strict Transport Security Neil Cook
- Re: [Uta] Comments on STS Strict Transport Securi… Daniel Margolis
- Re: [Uta] Comments on STS Strict Transport Securi… Neil Cook
- Re: [Uta] Comments on STS Strict Transport Securi… Daniel Margolis