IETF Logo Mail Archive

Re: [Uta] Warren Kumari's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS)

ned+uta@mrochek.com Tue, 15 May 2018 15:14 UTC

Return-Path: <ned+uta@mrochek.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4374C12D87D for <uta@ietfa.amsl.com>; Tue, 15 May 2018 08:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mrochek.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnPlPEE2UIn7 for <uta@ietfa.amsl.com>; Tue, 15 May 2018 08:14:55 -0700 (PDT)
Received: from mauve.mrochek.com (mauve.mrochek.com [68.183.62.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2204912D942 for <uta@ietf.org>; Tue, 15 May 2018 08:14:54 -0700 (PDT)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01QSIZ4GDCS000SGU7@mauve.mrochek.com> for uta@ietf.org; Tue, 15 May 2018 08:09:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mrochek.com; s=201712; t=1526396990; bh=mis18hbek//8xOfDi4QPBT7ogWSglc3n71IqKBYli88=; h=From:Cc:Date:Subject:In-reply-to:References:To:From; b=SqKunJCtNe6JPt/BDvH8iyYhSdqAh0yaW8nmkNP+CH5jX1zqWi6YTPHOGjpAIeIlf ccLVMrSslFhKprxuPOTpElD0VzrY0TvhsuQP/CfOVzkPdcID0CF3dKmwG4TYRtIssR Sw1wmAE+WGC3YD7O7Q5rNESUO2h2yNVFsRbSnJLY=
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: TEXT/PLAIN; CHARSET="US-ASCII"
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01QSE284NYTC000051@mauve.mrochek.com> (original mail from NED@mauve.mrochek.com) for uta@ietf.org; Tue, 15 May 2018 08:09:47 -0700 (PDT)
From: ned+uta@mrochek.com
Cc: Viktor Dukhovni <ietf-dane@dukhovni.org>, uta@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, iesg@ietf.org, Leif Johansson <leifj@sunet.se>
Message-id: <01QSIZ4DNXDI000051@mauve.mrochek.com>
Date: Tue, 15 May 2018 07:51:33 -0700
In-reply-to: "Your message dated Tue, 15 May 2018 15:30:19 +0200" <CANtKdUfMUHx64QL6TqW_nxyU90iJ0ncuc0GLsUUsQJFxN=hS7A@mail.gmail.com>
References: <152596326580.10463.6089243508315402813.idtracker@ietfa.amsl.com> <BB1C8DC3-7EF4-4872-97DF-417C216F2988@dukhovni.org> <CANtKdUfebTbhzkUUxRMRZmmaCO8daR+UE6mj7R9wLmCoSDARUw@mail.gmail.com> <CAHw9_iJ=EpzECkfaVWaoXbBVKO25o+Npvu_uh+tZv8EbXbZ7KQ@mail.gmail.com> <6EF69D7A-930E-46B8-94DD-E99428BFEEB1@dukhovni.org> <129319db-ab27-13d9-c884-17b008cf4e80@nostrum.com> <CANtKdUei37oWzZd9Zqrjm5R343PdysdWGC-eo68bzw-B=dpQ_A@mail.gmail.com> <20180514120836.GY3322@mournblade.imrryr.org> <38e0dc42-54d9-e59f-af3d-e32b96d60f41@nostrum.com> <CANtKdUdABkC3aCHjfRd2gekbskbGg3ZdDdNqJ+cR_YbMy-y1Hw@mail.gmail.com> <020F66CA-B0A4-4F2A-AD19-186C6DC86458@dukhovni.org> <CANtKdUfMUHx64QL6TqW_nxyU90iJ0ncuc0GLsUUsQJFxN=hS7A@mail.gmail.com>
To: Daniel Margolis <dmargolis@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/OK9re1J7WepBdyJjik9foieTx9w>
Subject: Re: [Uta] Warren Kumari's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2018 15:14:56 -0000

> Put slightly differently, allowing TXT-based indirection can at best be as
> secure as the current design, and at worse introduce some unknown
> vulnerability (depending on DNS architecture for a zone, etc). So I think
> that's really the main reason we wanted to keep it fixed.

Given the ability to redirect, there's going to be a temptation to piggyback
the handing out of mta-sts policies on some existing web service. It's unlikely
that doing this will result in a security win.

> In all likelihood it does not introduce a vulnerability nor does it
> introduce operational issues for anyone, but, valid concerns about
> "reserved" (even if just by convention) names notwithstanding, I'd rather
> accept any operational risks that poses than take the risk of a
> vulnerability. So I think you and I are on the same page here.

Since what's reserved is a single URI, not the domain, a conflicting use of the
domain actually reduces to a service combination scenario similar to what
indirection can lead to.

However, I think the liklihood of a domain conflict is a hell of a lot smaller
than the liklihood of administrators over-optimizing things, so independent of
the possibiltiy of a vulnerability we're not seeing, not allowing indirection
seems to be the better operational approach.

> Anyway, in the short run, there *is* at least the .well-known registry to
> ensure the full URI is reserved; in the long run I thought I recalled
> someone was looking into a registry for "reserved" DNS names. (But from the
> perspective of STS, if someone else uses "mta-sts" for anything else, it
> doesn't really affect the operation of the system.)

Exactly. And I think we can safely ignore the possibility of there
being a URI conflict.

				Ned

v2.23.0 | Report a Bug | By Email