Re: [Uta] New proposal: SMTP Strict Transport Security
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 22 March 2016 06:35 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DB2B12D67C for <uta@ietfa.amsl.com>; Mon, 21 Mar 2016 23:35:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id laWCYW4W6rRS for <uta@ietfa.amsl.com>; Mon, 21 Mar 2016 23:35:29 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FACB12D191 for <uta@ietf.org>; Mon, 21 Mar 2016 23:35:28 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id EA742284F45; Tue, 22 Mar 2016 06:35:27 +0000 (UTC)
Date: Tue, 22 Mar 2016 06:35:27 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20160322063527.GD6602@mournblade.imrryr.org>
References: <CAB0W=GS2PXF-divC+SNs+A-jH1-_BBA889-TbQXHvrVsrbKLEA@mail.gmail.com> <CAB0W=GSQ4oTLT+qepMi7Pj5=UmBD70D_uW7c193RY-gw818ORA@mail.gmail.com> <CAB0W=GRB_6LhqEGYzeYq-srnM99wqwZrdjUEm=vJ7+oFiKbYoA@mail.gmail.com> <CAB0W=GTGja5JtxGuCzhD6O3B2Ow-wLN-B6WQ8XUDyvQRqdFZxw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAB0W=GTGja5JtxGuCzhD6O3B2Ow-wLN-B6WQ8XUDyvQRqdFZxw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/Sna_Va0qNNTCpfEe6KeUfbdoKv4>
Subject: Re: [Uta] New proposal: SMTP Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 06:35:32 -0000
On Sat, Mar 19, 2016 at 11:20:23AM +0100, Mark Risher wrote: > The initial draft is at > https://datatracker.ietf.org/doc/draft-margolis-smtp-sts/ and we hope to > discuss this at the Buenos Aires meeting next month. While we have deployed > a prototype/reference implementation among the authors, we are very open to > feedback and suggestions from the broader group and look forward to your > input. I have some feedback. Section 1. Introduction <quote> The STARTTLS extension to SMTP [RFC3207] allows SMTP clients and hosts to establish secure SMTP sessions over TLS. In its current form, however, it fails to provide (a) message confidentiality -- because opportunistic STARTTLS is subject to downgrade attacks -- and </quote> More accurately, STARTTLS provides confidentiality only against passive attacks, not in the face of active downgrade or MiTM attacks. <quote> While such "opportunistic" encryption protocols provide a high barrier against passive man-in-the-middle traffic interception, any attacker who can delete parts of the SMTP session (such as the "250 STARTTLS" response) or who can redirect the entire SMTP session (perhaps by overwriting the resolved MX record of the delivery domain) can perform such a downgrade or interception attack. </quote> Better to say: While such Opportunistic Security (OS) protocols [RFC7435] protocols ... (such as the "STARTTLS" keyword from the server's EHLO response) ... (or perhaps by forging responses to DNS MX lookups) ... Section 2.1. Differences from DANE <quote> In addition, SMTP STS introduces a mechanism for failure reporting and a report-only mode, enabling progressive rollout and auditing for compliance. </quote> Note that DANE definitely supports "progressive rollout", senders who enable DANE will only attempt DANE authentication for domains that have deployed DNSSEC and published TLSA records. When a sender enables DANE, the use or non-use of TLS remains unaltered for the vast majority of domains. This is of course also the case for STS. There is no flag day in either case. More critically, when a receiving domain publishes TLSA records, it can do so progressively by publishing TLSA records for one MX host at at a time, leaving some of the MX hosts unprotected. Problems with authentication of the protected hosts will trigger retries via the unprotected MX hosts. This is actually more flexible than STS, which as defined cannot express a policy that protects only a subset of the MX hosts. Once a domain has published DANE TLSA RRs for all its MX hosts, then authentication becomes mandatory. Of the ~11600 domains with DANE TLSA records, around 200 have such "partial deployments" in which some, but not all the MX hosts have TLSA records. This is I believe an honest mistake resulting from a natural focus on STS, and not a detailed analysis of DANE. <quote> In addition, SMTP STS introduces a mechanism for failure reporting and a report-only mode, enabling progressive rollout and auditing for compliance. </quote> More on this below, but I should note that I am looking forward to an authentication-neutral definition reporting mechanism, which can be used by either DANE or STS. Below I will propose changes to the draft that will simplify and focus STS, and at the same make the reporting feature equally usable with DANE. Section 2.2. Advantages When Used with DANE <quote> SMTP STS can be deployed for a recipient domain that also publishes a DANE TLSA record for SMTP. In these cases, the SMTP STS policy can additionally declare a process for failure reporting. </quote> As noted above, the reporting feature (redefined as a stand-alone component of STS below) should make a good fit for both STS and DANE. Section 2.3. Advantages When Used Without DANE <quote> When deployed without a DANE TLSA record, SMTP STS offers the following advantages compared to DANE: o _Infrastructure:_ In comparison to DANE, this proposal does not require DNSSEC be deployed on either the sending or receiving domain. (continued below) </quote> Agreed on non-requirement, with the stated security considerations... <quote> (contd.) In addition, the reporting feature of SMTP STS can be deployed to perform offline analysis of STARTTLS failures, enabling mail providers to gain insight into the security of their SMTP connections without the need to modify MTA codebases directly. </quote> Here, there is no need for any difference between DANE and STS, if STS records (see below) enable reporting, DANE sending systems will also be able to leverage said reporting. So this is a feature of this draft that pertains to both technologies, and thus would be a refinement for DANE, rather than a difference. <quote> o _Incrementalism:_ DANE does not provide a reporting mechanism and does not have a concept of "report-only" for failures; as a result, a service provider has no choice but to "flip the switch" and affect the entire mail stream at once. </quote> This is the result of a misunderstanding, see above. This claim should be removed. Section 2.4. Disadvantages When Used Without DANE <quote> o Infrastructure: DANE may be easier for some providers to deploy. In particular, for providers who already support DNSSEC, SMTP STS would additionally require they obtain a CA-signed x509 certificate for the recipient domain. </quote> A significant obstacle to a successful roll-out of WebPKI with SMTP is not such much that obtaining and deploying CA certs is onerous (enabling DNSSEC is likely more difficult at present), but rather that there is no single set of CAs that sending and receiving systems can (or perhaps should) reasonably agree on. On the one hand, because MTAs employing STS are non-interactive background processes with no human-operator in the loop to "click OK" for each exception, the set of CAs a sending system that employs STS would need to trust would need to be "comprehensive enough" to include all the CAs used by all the domains one might need to send email to. On the other hand, one's sensitive correspondence with one's business partners, health care providers, ... should not generally trust CAs operated by distant countries with a penchant for surveillance (Kazakhstan comes to mind). The real advantage of DANE is that it has baked-in name-constraints, and repressive regimes only control DNS resolution for their captive ccTLDs, and users are often free to register domains in less censorious gTLDs. <quote> o Security: DANE offers an advantage against policy-lookup DoS attacks; that is, while a DNSSEC-signed NX response to a DANE lookup authoritatively indicates the lack of a DANE record, such an option to authenticate policy non-existence does not exist when looking up a policy over plain DNS. </quote> [s/NX/NXDOMAIN/] Specifically, for domains to which a sending system sends email infrequently, cached STS data may well expire before the next message is sent. So not only 'first use', but also subsequent traffic may be compromised by active attacks, even if the first interaction (long enough in the past) was not compromised. Section 3. Policy Semantics <quote> o mx: MX patterns (comma-separated list of plain-text MX match patterns, required). One or more comma-separated patterns matching the expected MX for this domain. For example, "_.example.com,_.example.net" indicates that mail for this domain might be handled by any MX whose hostname is a subdomain of "example.com" or "example.net." </quote> This requires domains that publish STS records to duplicate their MX records in the STS RRset. It is not clear why that's useful. If the STS record itself is not DNSSEC-validated, the payload is not more secure than the MX RRset. If the payload is DNSSEC-validated, then the MX RRset in the same zone would (barring unexpected zone cuts) be equally secure. I posit that this field is both onerous and superfluous. <quote> o a: The mechanism to use to authenticate this policy itself. See the section _Policy_ _Authentication_ for more details. Possible values are: * webpki:URI, where URI points to an HTTPS resource at the recipient domain that serves the same policy text. * dnssec: Indicating that the policy is expected to be served over DNSSEC. </quote> Given that STS is primarily useful when at least one of the sending or receiving domains does not support DNSSEC, it seems clear that the "dnssec" mechanism is not needed. If both ends support DNSSEC, just use DANE, it is more secure and in fact more flexible (one MX at a time incremental deployment). Since the receiving system should not suggest "dnssec" when its own zone is unsigned, and has no information about the sending system, it makes sense to simplify STS and drop the "dnssec" mechanism. At which point, the webpki:URI becomes a mandatory component, and the "webpki" tag is unnecessary. The "a" component is always an HTTPS URI. The STS MX host patterns to cache can be retrieved at that URI, and should/need not appear in the STS record. The URI itself needs to be a "well-known" URI, and therefore it too can disappear from the STS record (STS is getting simpler and simpler by the minute). If the URI could be anywhere, an attacker could pin his own long-term cached policy authenticated via an HTTPS URL hosted at domain a of his choice. With the URI fixed at https://example.com/.well-known/smtp-sts/current/ (as suggested in section 3.1), the entire "a" component becomes redundant. <quote> o c: Constraints on the recipient MX's TLS certificate (plain-text, required). See the section _Policy_ _Validation_ for more details. Possible values are: * webpki: Indicating that the TLS certificate presented by the recipient MX will be validated according to the "web PKI" mechanism. * tlsa: Indicating that the TLS certificate presented by the recipient MX will match a (presumed to exist) DANE TLSA record. </quote> Once again, if both systems are DNSSEC-capable, they should use DANE. The receiving domain has no idea whether the sender supports DANE, and so cannot reasonably suggest that alternative. Therefore, this field is redundant and should be deleted. STS is fundamentally reliant on WebPKI as an alternative DANE in the absence of widespread DNSSEC deployment. <quote> o rua: Address to which aggregate feedback MAY be sent (comma- separated plain-text list of email addresses, optional). For example, "mailto:postmaster@example.com" from [RFC3986]. </quote> This should likely be a separate DNS record. Say: _smtp_rua.example.com IN <RRtype> <report-URI> In which case some thought should be given to the URI encoding (UTF-8?) and length considerations if a TXT RRtype is used. With this the reporting address can be used with either DANE or STS. It need not waste bandwidth in each STS lookup, it is only needed on failure. However (see below), since this is also vended via the required STS policy WebPKI URI, it should then be removed from DNS, simplifying the DNS record, to just: v=... to=... e=... An astute reader will at this point wonder why we need any fields in DNS at all? Why not just delete the DNS record in its entirety, and just go straight to the well known HTTPS URI? If you were already there, congratulations, this is basically the right idea, but there is *one bit* of information that needs to remain in DNS. And that is whether the destination domain operates an HTTPS service that vends an STS policy at the well-known URI. It would be expensive for MTAs to attempt repeated HTTPS connections that timeout trying to connect to port 443 at the majority of domains which have not deployed STS. All that's needed in DNS to support a pure WebPKI STS is a boolean value to signal the existence of the STS resource URI. This data can be obtained efficiently. If the "_smtp-sts" RR exists (pick a suitable RRtype and fixed short payload) then the HTTPS URI should be consulted, otherwise the HTTPS URI is not consulted (at first contact), or is consulted asynchronously, in parallel with the first mail delivery (with appropriate spacing between probes, ...). Thus some MTAs might compress the STS DNS record to zero bits, and just use asynchronous suitably spaced HTTPS probes to the domains for which no policy is presently known. However the 1-bit encoding is likely better. Given the above comments, I should note that the HTTPS payload would[ now be the only place where STS policy details are stored. The data would then for greater convenience be JSON encoded. Section 3.2. Policy Expirations With the DNS payload compressed to <= 1 bits, the DNS TTL is no longer especially pertinent, the policy expiration can be carried in the JSON encoding, or simply in the Cache policy headers of the HTTP response. Section 3.3. Policy Authentication <quote> o Web PKI: In this mechanism, indicated by the "webpki" value of the "a" field, the sender fetches a HTTPS resource from the URI indicated. For example, a=webpki:<https://example.com/.well- known/smtp-sts/current> indicates that the sender should fetch the resource <https://example.com/.well-known/smtp-sts/current>. In order for the policy to be valid, the HTTP response body served at this resource MUST exactly match the policy initially loaded via the DNS TXT method, and MUST be served from an HTTPS endpoint at the domain matching that of the recipient domain. (As this RFC progress, the authors intend to register .well-known/smtp-sts. See [RFC5785]. See _Future_ _Work_ for more information.) o DNSSEC: In this mechanism, indicated by the "dnssec" value of the "a" field, the sender MUST retrieve the policy via a DNSSEC signed response for the _smtp_sts TXT record. </quote> As explained above, the "dnssec" mechanism makes little sense for STS, "put all the wood behind one arrow". The example URI needs to become the fixed well-known URI required with this (STS) protocol. (I said as much to the authors at the M3AAWG meeting in October). Section 3.4. Policy Validation <quote> o Web PKI: When the "c" field is set to "webpki", the certificate presented by the receiving MX MUST be valid for the MX name and chain to a root CA that is trusted by the sending MTA. The certificate MUST have a CN or SAN matching the MX hostname (as described in [RFC6125]) and be non-expired. o DANE TLSA: When the "c" field is set to "tlsa", the receiving MX MUST be covered by a DANE TLSA record for the recipient domain, and the presented certificate MUST be valid according to that record (as described by [RFC7672]). </quote> Once again "tlsa" makes no sense. This goes away. The tricky part is "root CA that is trusted by the sending MTA". The problem with this is explained above, and also in section 1.3.4 of RFC7672. Therefore, while STS will work fairly well for sending email to the large providers represented by the authors of the draft, scaling it to the majority of domains will prove challenging. This need not prevent progress on this draft, however it is something worth noting. Section 3.5. Policy Application <quote> o Report-only: In this mode, sending MTAs merely send a report to the designated report address indicating policy application failures. This can be done "offline", i.e. based on the MTA logs, and is thus a suitable low-risk option for MTAs who wish to enhance transparency of TLS tampering without making complicated changes to production mail-handling infrastructure. </quote> While DANE does not (and likely should not) support report-only, failure reporting is useful, and if STS domains publish reporting addresses, DANE senders should be able to obtain these and use use them. In particular it should be possible to publish just a reporting address, without publishing the rest of the STS policy. This would enable domains that use private-label certificates to publish reporting addresses for DANE sending systems. This may mean that perhaps the reporting address, being not especially security-sensitive, should be its own separate DNS record after all, making it entirely neutral and separate from STS. I'll stop here for now, because the above is a substantial overhaul of the draft, and the rest substantially depends on reaching closure on the above observations. We have some work ahead of us to make STS a lean-mean fighting machine (that just happens to complement DANE in a small but useful way with the addition of reporting addresses). -- Viktor.
- [Uta] New proposal: SMTP Strict Transport Security Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Neil Cook
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- [Uta] SMTP Strict Transport Security - reporting Alexey Melnikov
- Re: [Uta] SMTP Strict Transport Security - report… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] SMTP Strict Transport Security - report… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Binu Ramakrishnan
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… ned+uta
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner