IETF Logo Mail Archive

Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS Draft)

Aaron Zauner <azet@azet.org> Fri, 06 May 2016 07:14 UTC

Return-Path: <azet@azet.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AFEE12D1C9 for <uta@ietfa.amsl.com>; Fri, 6 May 2016 00:14:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4QoaP9UZDjJ0 for <uta@ietfa.amsl.com>; Fri, 6 May 2016 00:14:46 -0700 (PDT)
Received: from mail-pa0-x22f.google.com (mail-pa0-x22f.google.com [IPv6:2607:f8b0:400e:c03::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 126EB12D7DA for <uta@ietf.org>; Fri, 6 May 2016 00:14:46 -0700 (PDT)
Received: by mail-pa0-x22f.google.com with SMTP id bt5so44362551pac.3 for <uta@ietf.org>; Fri, 06 May 2016 00:14:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=mime-version:subject:from:in-reply-to:date:message-id:references:to; bh=fKnco6veB6Pe8P39KCRnoeh/X2bckzzQJLYHPeUoHvw=; b=GUdV0a8g/nbiecNW+jmThDCiS1gGF/mzQ8KApIvrGFomQCVUVRLERb7Do1KtVmJOuE EbnCBziswnb2udLOHhi/wOj7mXxLFqTATM4cwQMY1k0z9sRQEKkasrYynkwwRC5JHJti Ip1vFjgPM966tcfMM4qeqrigq13CHF63i+TJA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date :message-id:references:to; bh=fKnco6veB6Pe8P39KCRnoeh/X2bckzzQJLYHPeUoHvw=; b=WmrNErUAmikj2pWTwK69nEIxa/Hh7wKoWxo/ClNvzVGQIIXFzhDlK85q7fjp8fsfmL 7XC5x5YnYGIgUB7LQ1ZUEW5Lj9FDzUdp9ZX6+qT6xc29b3OweYHoyX+QC6VKhyisVap2 YgjuKTIBq0KwIEy79/aM4WxypsQwjDt6a3ujCJmK3zCwCjgFQ/x7mrUQfP4Ez0aBqyO9 3ZBEpwveicAang5HGJzpsSE2Qz6zlJzzTQSFKq5mv8tDxMQjxjdW/lphE/vV4NkyaybG ODZ+CLDIcOgEH3O9dvUi3Fr2sfvEmITKOhSFtdX4+sQ17/p5ee6b8CQpy4Rs+3j7GGuT uJVw==
X-Gm-Message-State: AOPr4FXhagCiv3YoTwBVAFX/cCa/Ir0POUzq5WN9faJxNk8gOVCIrOK4T9gXGjI52sZjjA==
X-Received: by 10.66.79.197 with SMTP id l5mr26784312pax.61.1462518885310; Fri, 06 May 2016 00:14:45 -0700 (PDT)
Received: from [192.168.100.30] (node-19kx.pool-180-180.dynamic.totbb.net. [180.180.230.193]) by smtp.gmail.com with ESMTPSA id lq10sm18480432pab.36.2016.05.06.00.14.42 for <uta@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 06 May 2016 00:14:44 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_18DCFB87-D219-432F-A9D8-04EE8BF1C805"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Pgp-Agent: GPGMail 2.6b2
From: Aaron Zauner <azet@azet.org>
In-Reply-To: <20160506070042.GX3300@mournblade.imrryr.org>
Date: Fri, 06 May 2016 14:14:37 +0700
Message-Id: <5520C461-43F7-403D-B6A2-2AD9A0F276D0@azet.org>
References: <alpine.OSX.2.11.1605051057310.39064@ary.lan> <5CAA2C26-D339-4BFE-8328-0B33E3652025@azet.org> <CANtKdUeU9FvR9TGWFRTaTWfr-6hBCYtYci=y857YbU-EUB0s7Q@mail.gmail.com> <D0F684BC-4824-4D0D-B286-7BCFADF6C639@azet.org> <20160505181009.GN3300@mournblade.imrryr.org> <177C95ED-B4CE-4306-B6ED-0CAD8C8D49A1@azet.org> <20160505192804.GO3300@mournblade.imrryr.org> <8B087C9C-EF27-43A9-81C1-5AD54B3FE14A@azet.org> <20160506044742.GV3300@mournblade.imrryr.org> <2E8F633E-BCC1-4FA8-8F90-F02C5D020B0C@azet.org> <20160506070042.GX3300@mournblade.imrryr.org>
To: uta@ietf.org
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/Q6a87Yu8BjSwJMyQPPaGlC2BRG4>
Subject: Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS Draft)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 May 2016 07:14:49 -0000

> On 06 May 2016, at 14:00, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
> On Fri, May 06, 2016 at 12:57:15PM +0700, Aaron Zauner wrote:
> 
>>> You need to keep in mind that in the vast majority of cases
>>> authentication errors will be operational errors (self-DoS) on
>>> receiving systems, and the task at hand is to minimize the frequency
>>> and duration of outages, so that security is used and not just
>>> disabled as unusable.  Maximalist approaches are highly counter-productive
>>> here.
>> 
>> This is not what I understood from the draft in it's current form:
> 
> The current form is not the final form.  To the expect that the
> draft  emphasizes statistical reporting over problem alerting it
> needs to be corrected.

I'm aware of that, but if the draft turns out to be a delivery reporting system, I'm not going to support it.

> Yes!  The vast majority of the failures will not be MiTM-related,
> and if there is an MiTM, well then you can't send the report to
> the right party anyway.

There're currently multiple feedback channels proposed, if one would fail, you might fall back to the other one. Though I doubt that MITM on the HTTPS channel  will be very frequent given CT and scanning efforts.

> 
>> Confidentiality may be needed as detailed
>> information on MITM attacks can give indication as to which paths and
>> systems are affected (e.g. to 3rd party attackers, not the original MITM).
> 
> There's little need for very detailed information.  We just want
> to distinguish between a few classes of failures.
> 
>    * Lack of STARTTLS (this too is often self-inflicted!)
>    * Lack of shared protocol protocol parameters (protocol version/ciphers)
>    * Lack of shared trust anchors
>    * Reference identifier mismatch
>    * (Perhaps one or two others I'm forgetting right now)

I understand this is what you consider relevant. I'd like to know why and how attacks happen as well, if possible.

> 
>>> The key requirement as I see is *timely* delivery of focused *alerts*
>>> to operators who can fix the problem, ideally before it affects
>>> the delivery of email, while the issue is still localized to just
>>> a proper subset of the MX hosts.
>> 
>> I think that may be a reason for another draft in another working group.
>> This one is called "Utilizing TLS in Applications",..
> 
> There will first be non-IETF documents in this space, and perhaps
> ultimately some IETF BCPs once we have even more operational
> experience.

Which non-IETF documents? Where?

> 
>>> Sites that don't have the operational discipline to do this right
>>> are best off staying with opportunistic TLS and publishing neither
>>> DANE nor STS policies.  DoSing themselves periodically, and causing
>>> pain for senders trying to do the right thing helps no one.
>> 
>> Yea, we'll try to help them out separately with Let's Encrypt automation anyway.
> 
> That's still a bit shaky, the early adopters of LE for SMTP are
> where some of the most frequent DANE problems show up.  This is
> because automated LE cert rotation ignores the necessity to update
> TLSA records from time to time.  Survey says 424 MX hosts with
> stable "IN TLSA [23] 1 ?" records and 109 MX hosts with fragile,
> soon to break "IN TLSA [23] 0 ?" TLSA records.  The ratio is
> improving, over time, but needs to be much better.

No it isn't shaky, it's non-existent. People that currently deploy LE certs on their mailservers do so on their own, without guidance and without any support nor automation. And I'm sorry to say: I don't care about DNSSEC (and thus unfortunately DANE, wich is a nice standard by itself), thus will probably implement support at the very last moment possible.

> There are things LE can do to make this better:
> 
>    * More prominent documentation of best-practice for combining DANE
>      and LE certs, and monitoring their correctness:
> 
> 	; Keep server key fixed when doing automated rotation via "--csr"
> 	; option option.  Rotate server key manually, from time to time,
> 	; and update "3 1 1" record accordingly.  Do so only while the
> 	; "2 1 1" LE key is not also changing.
> 	;
> 	; Ensure MX hostname matches the certificate SAN
> 	;
> 	_25._tcp.smtp.example.org. IN TLSA 3 1 1 <sha256(server public key)>
> 
> 	; Track LE issuer public key, update TLSA RR promptly when it changes.
> 	; Stable server key above makes it possible to tolerate brief mismatches
> 	; if the LE issuer key changes unexpectedly.
> 	;
> 	; Ensure the issuer CA cert is part of server's chain file
> 	; (i.e. is sent to peer in server TLS Certificate message).
> 	; [ This is of course also necessary for STS, as the LE issuer
> 	;   CA is an intermediate CA, not a trust anchor. ]
> 	;
> 	_25._tcp.smtp.example.org. IN TLSA 2 1 1 <sha256(LE issuer public key)>

Again: there's currently neither incentive nor effort within LE to look at DANE. Nor enough man-power available. Nor is it really relevant in my opinion.

>    * Better advance notification of planned changes in the LE
>      issuer public key, not just via the blogs, but also via email sent
>      locally to the administrator by the key rotation scripts.

Agreed. Please talk to the LE-Ops team about that, I'm working on an entirely different part and have zero influence on that.

>    * Provide tools to compute the new "3 1 1" and "2 1 1" records
>      and compare them to what's in DNS.  Avoid deploying new cert
>      chain if neither match.  If just one changes, deploy, but
>      send alert to admin to update the TLSA RRs.

See above.

>    * As explained a recent post to this list (NEWSFLASH thread),
>      the "3 1 1" + "2 1 1" combination is quite resilient if
>      sensibly monitored.

See above.

>    * The "mail in a box" project has done a good job of integrating
>      LE and DANE and DNSSEC for a complete turn-key system, and
>      I see very few errors from those machines.  They just routinely
>      have correct working TLSA RRs across cert rollovers.  Kudos
>      to that project. <https://mailinabox.email/>

I like it as well.

> I've for a long time been deeply involved in the day-to-day practice
> of MTA SMTP transport security.  Designing and implementing the
> Postfix TLS interface, supporting Postfix TLS users on the mailing
> list, authoring DANE support in OpenSSL, monitoring DANE adoption.
> Monitoring and resolving DNSSEC interop issues at hosting providers,

I'm aware of that :)

> ...
> 
> So yes, I don't just view this as a pure security protocol issue.
> All the pieces have to fit together to actually create something
> that gets used.  Think systemically, optimization of the security
> of a small component of a large system can easily turn out to be
> at the expense of the security system as a whole.

We're currently trying to fix ancient (as in early 80ties) protocols, that will be around for another 20 years. I'd rather consider every detail than rush a standard through the IETF process.

Aaron

v2.23.0 | Report a Bug | By Email