IETF Logo Mail Archive

[Uta] Comments on STS Strict Transport Security

Neil Cook <neil.cook@noware.co.uk> Tue, 22 March 2016 09:12 UTC

Return-Path: <neil.cook@noware.co.uk>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ADD712D6E1 for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 02:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBLeV18S0KgS for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 02:12:50 -0700 (PDT)
Received: from mail.noware.co.uk (mail.noware.co.uk [192.241.243.54]) by ietfa.amsl.com (Postfix) with ESMTP id 0E5EF12D66E for <uta@ietf.org>; Tue, 22 Mar 2016 02:12:46 -0700 (PDT)
Received: from [10.20.80.132] (unknown [217.110.50.170]) by mail.noware.co.uk (Postfix) with ESMTPSA id 466DA1C0942 for <uta@ietf.org>; Tue, 22 Mar 2016 09:12:44 +0000 (UTC)
From: Neil Cook <neil.cook@noware.co.uk>
X-Pgp-Agent: GPGMail 2.6b2
Content-Type: multipart/signed; boundary="Apple-Mail=_C7BB2AFF-848A-4F67-A86F-3CF7B4994328"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Date: Tue, 22 Mar 2016 09:12:53 +0000
Message-Id: <4ED52982-CB5A-434F-A9F5-ED652486436D@noware.co.uk>
To: uta@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Mailer: Apple Mail (2.3112)
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.1 cv=TdMYtHgh c=1 sm=1 tr=0 a=wkG2kGxmeUQp3kYqFDvb7A==:117 a=wkG2kGxmeUQp3kYqFDvb7A==:17 a=L9H7d07YOLsA:10:nop_no_from_header a=9cW_t1CCXrUA:10:nop_no_to_header a=s5jvgZ67dGcA:10:nop_no_subject_header a=IU-Nb1bLflAjIaonL9oA:9 a=QEXdDO2ut3YA:10:nop_charset_2 a=qRUNjxU_tACeRhu76EIA:9
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/HmnHp2kEJP2SpJwYTOrqGVOI0zw>
Subject: [Uta] Comments on STS Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 09:12:52 -0000

Some feedback on this draft:

1) The language around policy authentication vs validation vs application is very confusing to me. The terms “authentication” and “validation” seem to be used in a variety of contexts with different meanings.

For example in "3.3.  Policy Authentication"

   The security of a domain implementing an SMTP STS policy against an
   active man-in-the-middle depends primarily upon the long-lived
   caching of policies.  However, to allow recipient domains to safely
   serve new policies _prior_ to the expiration of a cached policy, and
   to prevent long-term (either malicious or active) denials of service,
   it is important that senders are able to validate a new policy
   retrieved for a recipient domain.  There are two supported mechanisms
   for policy validation:

So the draft talks about authentication, and then immediately starts talking about being able  to “validate” new policies. I think this should be “authenticate”.

   When fetching a new policy when one is not already known, or when
   fetching a policy for a domain with an expired policy,
   unauthenticated policies MUST be trusted and honoured.

Back to the use of “unauthenticated” here. Even though authentication hasn’t really been defined yet, or least distinguished from validation.

When fetching  a policy and authenticating it, as described in detail in _Policy_
   _Application_, policies will be authenticated using the mechanism
   specified by the existing cached policy.

And here.

   Note, however, as described in detail in _Policy_ _Application_, that
   new policies MUST NOT be considered as valid if they do not validate
   on first application.  That is, a freshly fetched (and unused) policy
   that has not successfully been applied MUST be disregarded.

Here validation seems be being used as meaning “parsing and applying successfully”.

Also, it’s confusing to me that this paragraph talk about policy validation, but instead refers the reader to the “Policy Application” section, rather than the “Policy Validation” section.

I think the terms should be used as follows (and please correct me if I’m misunderstanding the draft):

- “authentication” refers to the concept of “trusting” that a retrieved policy is the policy actually intended by the remote domain and not a malicious policy inserted through DNS spoofing or whatever, and should be used in the this context. Since STS is ‘trust-on-first-use’, this means that authentication is normally a no-op, except in the case of retrieving a new policy when a cached policy is already in operation.
I’d like to see the section on Policy Authentication reworded so that this is clearer, by moving the language "When fetching a new policy when one is not already known…” to the start of this section, and stating that such policies are thus implicitly authenticated. Explicit authentication happens when a new policy is retrieved and authenticated according to the two mechanisms shown in “Policy Authentication”, based on the “a" field from the already cached policy.

- The section “Policy Validation” actually refers to certificate validation, based on the “c” field in the cache policy. This seems to be different to policy validation to me, which should mean a well-formed and parseable policy. The section “Policy Validation” actually seems to me to just be the first step in policy “application”.

- “application” should refer to the process of applying an authenticated and valid policy.

2) The logic as to when to use the “authentication” mechanism as described by the “a” field seems strange to me. The draft states that policies should be cached until the expiration time (which is implicitly the longer of the TTL and the “e” field). It also states that the only time the authentication method specified in the “a” field should be used is when the applied policy is invalid and the policy specifies rejection (step 4 of Policy Application).
The draft also states:
   With these two mechanisms and the procedure specified in step 4,
   recipients who publish a policy have, in effect, a means of updating
   a cached policy at arbitrary intervals

I don’t get this, because it seems to me that if a domain with a valid policy wishes to change their policy *before* the end of the expiration period, then nobody will see that new policy until *after* the expiration period because sending MTAs will cache the policy until after the expiration period, and should never invoke step 4 because they shouldn’t see a validation failure and/or reject action. This doesn’t seem consistent with “updating a cache policy at arbitrary intervals”?

"Understanding the details of step 4 is critical to understanding the behaviour of the system as a whole.”

I have to say I don’t understand step 4 at all, so maybe someone can explain it to me? :) The whole authentication system seems designed for a tiny use-case, i.e. validation failure and reject action. If this is designed to stop malicious behaviour, why only concentrate on non-validating policies, surely there are use-cases where an attacker has spoofed the recipient DNS records (cache poisoning etc.) and thus has control over both the DNS STS record and the DNS record for the HTTPS server, and thus could present a valid policy?

Neil

v2.23.0 | Report a Bug | By Email