Re: [Uta] New proposal: SMTP Strict Transport Security
Mark Risher <risher@google.com> Thu, 24 March 2016 16:16 UTC
Return-Path: <risher@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED10912DC4F for <uta@ietfa.amsl.com>; Thu, 24 Mar 2016 09:16:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFVj3gwHlC0j for <uta@ietfa.amsl.com>; Thu, 24 Mar 2016 09:16:14 -0700 (PDT)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EEE512DCC4 for <uta@ietf.org>; Thu, 24 Mar 2016 09:07:45 -0700 (PDT)
Received: by mail-vk0-x231.google.com with SMTP id k1so65325660vkb.0 for <uta@ietf.org>; Thu, 24 Mar 2016 09:07:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=gLuw7nQydEgd19iNyfSqNFIvyl2BSfzH300IFkyl/Kk=; b=e1bBD7A6iOqPNOkwjZcJrYs8TEHvSl6dj4QO7DWVVD0Bclf3eRzNnqUXr1FQ6p7c7G GM/znrxoCLRltB7nIdJpsevv/iYP2fMIl5ppddunPwRTxlSr7OOQyoNUxmqmIngz+4Gf ZnIYb2g4sFcLD4QK+VN2GhPNi9x//cGhRlCL/cGqxjlitmYxja/1pqMuEUFjYlS3AuH5 kVkeND0/cW6cs45PQ4VSKdnYhvysKqKhqI1Ve5OKkcxGq4UmUY0vj2vQ4UhjyaxgR6M4 hBpoPLq3g2+HSN1Ax+hP8FifP7TGAkrVchf21AmDy01/FAx4qgZowETUo9IJK7k2/uSe CcAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=gLuw7nQydEgd19iNyfSqNFIvyl2BSfzH300IFkyl/Kk=; b=k7xDmjeZxxaFb9P00ocEMB+CewFsdijeEBdroelzhybpgRjnD4oqCmzsLwD7Dk9jVb eaQWkOuHdWcHhgLQ4gYINwc/1Qqtk2Rdpq/83/7ZJ31aKMv3IfT9prAeJJi29RrE+7ve TGaQKW3FYN6HR/P69tCzVwgJNvvNwK9o+oZmEpM+ncqbOOGcsBMlJV5x9mKlwG9cjSi1 KW5iLOn0YjChUdO6AYKdE/tAzWJXbouVVb0k9+OnufGvGRU86nobQmftjPleb3pWCLhb H4XFLBp0X/6LV4t+2+hwEJN0cYoeCymLABdj0WMyFko14INbU1DJNSjABXG/0tJZy1rd 5YQA==
X-Gm-Message-State: AD7BkJLFwdSNv0B7DIdKIIPd91044XGl+dz5njfnDBwfxefVD3MjpZwoSNRHzNs4F4pldhigA0I50DGqdYvRVxw4
MIME-Version: 1.0
X-Received: by 10.31.0.198 with SMTP id 189mr4952184vka.133.1458835664416; Thu, 24 Mar 2016 09:07:44 -0700 (PDT)
Received: by 10.176.3.201 with HTTP; Thu, 24 Mar 2016 09:07:44 -0700 (PDT)
In-Reply-To: <CANtKdUePH0cTQgx2UUpTuw43ONAP_1OwaOjbhnQOQATdzYD2-g@mail.gmail.com>
References: <CAB0W=GS2PXF-divC+SNs+A-jH1-_BBA889-TbQXHvrVsrbKLEA@mail.gmail.com> <CAB0W=GSQ4oTLT+qepMi7Pj5=UmBD70D_uW7c193RY-gw818ORA@mail.gmail.com> <CAB0W=GRB_6LhqEGYzeYq-srnM99wqwZrdjUEm=vJ7+oFiKbYoA@mail.gmail.com> <CAB0W=GTGja5JtxGuCzhD6O3B2Ow-wLN-B6WQ8XUDyvQRqdFZxw@mail.gmail.com> <20160322063527.GD6602@mournblade.imrryr.org> <CANtKdUeh8LV1uaWAyRqQ2ou4pdTNvKgzuJ5kKsQLwPFORqrDQA@mail.gmail.com> <20160322084859.GF6602@mournblade.imrryr.org> <D31BCFDF-5926-413A-8624-26B65F741A75@noware.co.uk> <CANtKdUdLiLDE5s2Exj4eh+o1Fob2-bDXWCpJM87mHKBa+aQkYQ@mail.gmail.com> <etPan.56f362b3.79dcbcbc.6bf@Nifty.local> <CANtKdUePH0cTQgx2UUpTuw43ONAP_1OwaOjbhnQOQATdzYD2-g@mail.gmail.com>
Date: Thu, 24 Mar 2016 09:07:44 -0700
Message-ID: <CAB0W=GRcp11ajOS6XCdf0pSCSZc55-5D2XrbLWDM4hqiO8pbxA@mail.gmail.com>
From: Mark Risher <risher@google.com>
To: Daniel Margolis <dmargolis@google.com>
Content-Type: multipart/alternative; boundary="001a113db788909586052ecda5ce"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/Lbx2pvccIUYVFn5gj6UMXr6gssw>
Cc: Neil Cook <neil.cook@noware.co.uk>, Chris Newman <chris.newman@oracle.com>, uta@ietf.org
Subject: Re: [Uta] New proposal: SMTP Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2016 16:16:19 -0000
Hi, Chris: Thanks for the comments. > 1. I personally dislike using DNS records for any of this proposal. I > believe SMTP security policy is best communicated within SMTP as this > minimizes attack surface, eliminates the need for TOFU in some scenarios, > and puts the policy configuration closer to the server operator. In addition to the possible difficulty in migrating a domain off of a server (particularly in a multi-tenant config), we also felt that introducing a new SMTP verb might be dramatically more complicated than deploying in parallel, because at least the DNS/webpki reporting can be added offline without changes to the core MTA. Was that not a concern in DEEP? Or simply unavoidable? /m -- Mark E. Risher | Group Product Manager | risher@google.com | 650-253-3123 On Thu, Mar 24, 2016 at 1:45 AM, Daniel Margolis <dmargolis@google.com> wrote: > Hey, > > Of course we reviewed DEEP during the drafting process, but as you say, > the targets are slightly different. I've responded to some individual > points inline; in summary, though, I think you raise some actionable points > about using the DEEP policy framework (which I will read up on), changing > the reporting syntax, and recording cipher usage. I have questions for you > below on some of the other points. > > Thanks. > > On Thu, Mar 24, 2016 at 4:44 AM, Chris Newman <chris.newman@oracle.com> > wrote: > >> This document is providing STS functionality for SMTP relay, while DEEP >> is providing STS functionality for SMTP submission (plus IMAP & POP). I >> believe it’s important to align these two proposals and am open to changing >> DEEP to do so (https://tools.ietf.org/html/draft-ietf-uta-email-deep-04). >> > > Agreed that there's some overlap. One rather obvious observation, to frame > the discussion, though, is that DEEP addresses a case where clients connect > to relatively few *novel* servers (you rarely configure a new IMAP or SMTP > MSA server) and have user-facing UIs, so some of the challenges around > discovering and remembering policies and handling failures are a bit > different. But we should certainly try to align the proposals nonetheless. > > >> Note that early versions of DEEP also provided STS for SMTP relay but >> solving the STS problem for MUAs is sufficiently difficult and different >> that I think it’s good to have a separate document for SMTP relay STS. If >> you are open to editing this as a WG document with rough consensus changes, >> I would welcome the collaboration. >> >> I agree with most of Viktor’s comments so I won’t repeat them. Here are >> some new comments: >> >> 1. I personally dislike using DNS records for any of this proposal. I >> believe SMTP security policy is best communicated within SMTP as this >> minimizes attack surface, eliminates the need for TOFU in some scenarios, >> and puts the policy configuration closer to the server operator. We can use >> the PKIX trust model with SMTP/STARTTLS just as we use it with HTTPS (with >> Viktor’s notable caveats) so HTTPS is not needed and shouldn’t be used to >> validate SMTP security policy. >> > > If I read correctly, you're making two different comments here: > > a. We should communicate the STS policies within SMTP, not using DNS. > b. We should authenticate the STS policies directly using the SMTP-TLS > server certificate, not some HTTPS side-channel. (Of course this follows > from (a), for the most part.) > > Those are spot-on comments. We had initially proposed solely extending > SMTP for policy exchange, similarly to Jim's proposal in "REQUIRETLS" but > in reverse (https://tools.ietf.org/html/draft-fenton-smtp-require-tls-01). > However, for our proposed semantics (i.e. "always require TLS for my domain > in the future, unless I give you a signed change of policy"), this is > tricky in a very specific case: if changing the policy requires serving a > new signed policy, and serving policies is done via SMTP, then users of > hosted mail services who turn on "require TLS" will be unable to revoke > their published policy if they move to a hosted provider who doesn't > support the protocol to begin with. > > (It also means these domains' SMTP servers will have to support SNI and > serve a server certificate that actually matches the recipient domain, > whereas the current mechanism allows one to run a separate HTTPS server > with client.com's cert but to "bless" SMTP connections to mailhost.com's > cert.) > > So as far as I can see, to satisfy this scenario, the policy exchange > *must* be some out-of-band protocol. HTTPS is purely a choice of > convenience; I had originally proposed signed blobs stuck in DNS RR, but > big resource records seem problematic in practice (even if the RFC supports > them) and the whole thing gets ugly fast. > > Can you think of a way to handle the hosted scenario with SMTP, or some > other more elegant solution? > > >> 2. I think using HTTPS to validate MX records in the non-DNSSEC scenario >> is a very interesting idea. But MX records are routing rather than policy >> and thus don’t belong in a policy record. How about just defining a >> well-known HTTPS URL that contains a copy of the actual binary MX record >> for the domain (or a semantically-identical syntax transformation of that >> binary record)? Then we just need the SMTP server to advertise the binary >> policy flag Viktor mentioned to get a non-DNSSEC model to reasonably >> trustworthy MX records. >> > > I think this is mostly pending the discussion for #1: if we need DNS for > the reason outlined above, it's convenient to use it for this, too. If we > don't, of course, it may not be. > > >> 3. DEEP goes through a lot of trouble to create an extensible framework >> for policy by creating a registry (while still keeping the model simple). >> Your proposal notes the need for future policy work but lacks a model to >> add new policies. I think the SMTP STS document is incomplete without an >> extensibility model and you can get it by referencing DEEP (and if we need >> to change the syntax or model in DEEP to make that more palatable, I’m open >> to that discussion). >> > > I will have to reread this part of your proposal more closely, but > unifying the policy framework certainly sounds reasonable on its face. > > >> 4. UTA already discussed the idea of timeouts for security policy in DEEP >> and reached rough consensus not to include timeouts. I doubt the SMTP relay >> use case is sufficiently different to alter that rough consensus. So I >> suspect we can drop timeouts from SMTP STS after a discussion, but if there >> is rough consensus to keep timeouts in SMTP STS then I’d like to reconsider >> that decision for DEEP on a proposal-alignment basis. >> > > Is there a particular mail thread I should read to get the context here? > Sorry... > > >> 5. DEEP’s reporting mechanism for SMTP submission (the CLIENT command) is >> an as-it-happens rather than after-the-fact mechanism. I’d like to >> investigate the idea of an after-the-fact mechanism for MUAs although I’m >> not sure it’s a good fit. Regardless, we need to use the same reporting >> syntax for submission SMTP and relay SMTP, so I’m open to changing DEEP’s >> current submission reporting syntax as needed to align them. >> >> 6. I think JSON would be a better format than XML for reporting. The >> reports are coming from an untrusted source and will be parsed. JSON has a >> much smaller attack surface than XML and as this is part of a security >> mechanism, I think that’s an important consideration. The one potential >> advantage I see to XML is the wide availability of SAX-style parsers that >> can handle large volumes of data, but I think the attack surface argument >> should win in this case. I know a number of XML parser libraries are >> insecure-by-default due to schema URI resolution. Regardless, this is an >> interesting design trade-off for a rough consensus decision. >> > > No strong feeling here on my end. XML is in theory convenient because it > supports XSD; in practice I think the XSD I wrote in the draft has some > bugs. ;) Using JSON is also quite reasonable, and *feels* like a natural > choice if we want to support reporting via HTTP/S POST as well, which we > may. > > >> 7. I think your document should reference DEEP section 6 so SMTP relay >> cipher usage is recorded for trace purposes; that’s another aspect of your >> transparency goal. >> > > Thanks, makes sense. > > >> >> 7. I note in passing that DEEP allows use of the PKIX trust model and the >> DANE trust model at the same time. I think that’s good. >> >> I’m wondering if I should rename DEEP to MUA STS? >> > > DEEP is a pretty cool acronym, but yeah, STS has this dis/advantage of > referencing a mostly known item (HSTS). Insofar as I was trying to hew as > closely to the HSTS trust model as possible (within the confines of the > protocol) I think that's a helpful analogy. But probably not the biggest > point right now. ;) > > >> >> - Chris >> >> On March 21, 2016 at 20:11:06 , Daniel Margolis (dmargolis@google.com) >> wrote: >> >> Thanks for the feedback to both of you. I don't disagree; I think Viktor >> makes a very solid point in favor of simplicity. In addition, a report-only >> protocol could be extended to support arbitrary error reporting; an >> out-of-band (e.g. HTTP) channel to share delivery failures between domains >> strikes me as useful in the general case. >> >> Separately, because we're already assuming providers (both sending and >> receiving) make a choice on implementing DANE and/or webPKI, I don't think >> actually splitting the two makes it any more or less complex to implement, >> or should discourage adoption of one or the other mechanism. >> >> So I would say I'm feeling a bit in favor of Viktor's suggestion, but I'd >> like to chat a bit more with my co-authors and think about it first. ;) >> >> Viktor, as an aside regarding the hosted mail scenario, we already had >> the suggestion to move the HTTPS endpoint to something like "_ >> smtp_sts.example.com/current". If we do that, the customer (example.com) >> can make this a CNAME for "_smtp_sts.hostingdomain.com", who can use SNI >> to serve the policy with the customer's cert (assuming the customer trusts >> the hosting provider with this; for domains that don't operate their own >> HTTPS endpoint this seems to me to be likely). For the more complex case, >> the cron setup you describe doesn't seem too onerous, I agree. >> >> Thanks again for the feedback. >> >> On Tue, Mar 22, 2016 at 10:21 AM, Neil Cook <neil.cook@noware.co.uk> >> wrote: >> >>> >>> > On 22 Mar 2016, at 08:49, Viktor Dukhovni <ietf-dane@dukhovni.org> >>> wrote: >>> > >>> > On Tue, Mar 22, 2016 at 08:58:25AM +0100, Daniel Margolis wrote: >>> > >>> > My (strong) suggestion: use DNS for just cache invalidation, and >>> > perhaps also publication (via a separate record) of the "rua" >>> > reporting URI. Do not duplicate data which one must in any case >>> > obtain and cache via HTTPS in DNS. >>> > >>> > Do not attempt to hedge your bets and support DANE/DNSSEC via STS, >>> > I don't think that makes much sense either. >>> > >>> >>> I agree with the “don’t hedge your bets” part. I was quite surprised to >>> see all the justification for STS in the first part of the document, >>> including “the mechanism described here presents a variant for systems not >>> yet supporting DNSSEC”, and yet then goes on to include DNSSEC as one of >>> the policy authentication mechanisms. >>> >>> > * Allow (DANE or other) domains to publish just the RUA, >>> > the feature is not STS-specific. >>> > >>> +1 >>> >>> Neil >>> >>> >>> _______________________________________________ >>> Uta mailing list >>> Uta@ietf.org >>> https://www.ietf.org/mailman/listinfo/uta >>> >>> >> _______________________________________________ >> Uta mailing list >> Uta@ietf.org >> https://www.ietf.org/mailman/listinfo/uta >> >> > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > >
- [Uta] New proposal: SMTP Strict Transport Security Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Neil Cook
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- [Uta] SMTP Strict Transport Security - reporting Alexey Melnikov
- Re: [Uta] SMTP Strict Transport Security - report… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] SMTP Strict Transport Security - report… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Binu Ramakrishnan
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… ned+uta
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner