Re: [Uta] MTA-STS-03 review

Daniel Margolis <dmargolis@google.com> Tue, 18 April 2017 15:05 UTC

In-Reply-To: <01QCS20RB8W400ZAK8@mauve.mrochek.com>
References: <CAHUgVDDDL6+4gyvL1c0-bLsi2yL2JEzJ73C3F-To2K4y8UEDvw@mail.gmail.com> <CANtKdUec-sSHgLu_tu+h+tugU0F=n435OiXgeFTwrWKNNKQRNg@mail.gmail.com> <20170404182123.GR25754@mournblade.imrryr.org> <01QCS20RB8W400ZAK8@mauve.mrochek.com>
From: Daniel Margolis <dmargolis@google.com>
Date: Tue, 18 Apr 2017 17:05:20 +0200
Message-ID: <CANtKdUdi5g2-gTy20atEDUiik1pqO+FQtMp50oonR821ybR65A@mail.gmail.com>
To: ned+uta@mrochek.com
Cc: Viktor Dukhovni <ietf-dane@dukhovni.org>, uta@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/UzQXOuxt_Ar2HCohjYuT2F5LzFY>
Subject: Re: [Uta] MTA-STS-03 review

Thanks for the feedback. I think we were not sure how careful we should be
about posting frequently vs spamming people with intermediate drafts. ;)

What text do you find confusing? You mean this?

> Similarly, we consider the possibility of domains that deliberately
> allow untrusted users to serve untrusted content on user-specified
> subdomains.  In some cases (e.g. the service Tumblr.com) this takes
> the form of providing HTTPS hosting of user-registered subdomains; in
> other cases (e.g. dynamic DNS providers) this takes the form of
> allowing untrusted users to register custom DNS records at the
> provider's domain.
>
> In these cases, there is a risk that untrusted users would be able to
> serve custom content at the "mta-sts" host, including serving an
> illegitimate MTA-STS policy.

On Tue, Apr 4, 2017 at 9:32 PM, <ned+uta@mrochek.com> wrote:

> > On Tue, Apr 04, 2017 at 04:20:59PM +0200, Daniel Margolis wrote:
>
> > > Can you explain a little more what you mean? The mitigation is to
> > > publish a new policy with the correct values, so certainly anyone who
> > > does so pre-emptively is not likely to fall victim to a DoS attack.
> > > More specifically, anyone who is _aware_ of this risk should simply
> > > ensure untrusted individuals cannot publish content with a certificate
> > > for *.example.com on "mta-sts.example.com"; the risk is for domains
> > > like (say) tumblr.com who may inadvertently allow that.
>
> > I too found the text in question confusing.  It makes no mention that
> > the attacker is presumed able to obtain certificates for
> > "mta-sts.example.com", but otherwise the description does not make
> > much sense.  The DNS TXT record does indeed facilitate recovery
> > after the fact by signalling the availability of an updated policy.
>
> > I would also like to encourage the authors to post revised drafts
> > more frequently.  Please see:
>
> >     https://www.ietf.org/mail-archive/web/ietf/current/threads.html#101804
>
> +1000.
>
>                                 Ned
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>
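The sender-side logic the thread is arguing about, as an added example that is not part of the draft or of any message above: a minimal MTA-STS policy consumer that parses the `_mta-sts` TXT record and the policy body, matches MX names against the policy's `mx` patterns, and only re-fetches the policy when the TXT `id` changes or the cache expires. The record and policy syntax follow MTA-STS as later published in RFC 8461 (`v`/`id` in the TXT record; `version`, `mode`, `mx`, `max_age` in the policy), not necessarily the exact wording of draft -03. The hostnames, policy ids, timestamps and the "rogue policy" that an untrusted user managed to serve at `mta-sts.example.com` are all constructed for the illustration; the scenario function shows the recovery Viktor and Daniel describe, where the domain owner publishes a new TXT id and a corrected policy and senders pick it up.

```python
"""Sender-side MTA-STS policy handling (example code, not from the draft or any MTA).

Syntax follows MTA-STS as published in RFC 8461. Hostnames, ids and
timestamps below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

STS_VERSION = "STSv1"


def parse_sts_txt(txt: str) -> Optional[dict]:
    """Parse the _mta-sts.<domain> TXT record, e.g. 'v=STSv1; id=20170418150500Z;'.
    Returns None for anything that is not a well-formed STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != STS_VERSION or not fields.get("id"):
        return None
    return fields


def parse_policy(body: str) -> Optional[dict]:
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            return None
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != STS_VERSION:
        return None
    if policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        return None
    if policy["mode"] != "none" and not policy["mx"]:
        return None  # an enforcing policy with no mx patterns can match nothing
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """A leading '*.' matches exactly one DNS label; otherwise exact, case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.example.com"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[: -len(suffix)]
        return bool(prefix) and "." not in prefix
    return pattern == hostname


@dataclass
class CachedPolicy:
    policy_id: str   # TXT 'id' seen when this policy was fetched
    policy: dict
    fetched_at: int  # unix time


def needs_refetch(cached: Optional[CachedPolicy], txt: Optional[dict], now: int) -> bool:
    """Re-fetch over HTTPS only when the TXT id differs from the cached one or the
    cached policy outlived max_age; with no TXT record nothing is fetched at all."""
    if txt is None:
        return False
    if cached is None:
        return True
    expired = now >= cached.fetched_at + cached.policy["max_age"]
    return txt["id"] != cached.policy_id or expired


def allowed_mx(policy: dict, mx_hosts: list) -> list:
    """MX hosts the sender may deliver to under this policy."""
    if policy["mode"] == "none":
        return list(mx_hosts)
    return [h for h in mx_hosts if any(mx_matches(p, h) for p in policy["mx"])]


# Constructed scenario: a rogue policy is cached, then the owner publishes a new id.
LEGIT_MX = ["mail.example.com", "mx1.backup.example.com"]
ROGUE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.attacker.example.net\nmax_age: 604800\n"
NEW_TXT = "v=STSv1; id=20170418150500Z;"
GOOD_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
               "mx: *.backup.example.com\r\nmax_age: 604800\r\n")


def recovery_scenario(now: int = 1492527920) -> dict:
    """Rogue cached policy blocks every legitimate MX; a new TXT id forces a re-fetch
    of the corrected policy and delivery is allowed again."""
    cached = CachedPolicy("20170401000000Z", parse_policy(ROGUE_POLICY), now - 3600)
    before = allowed_mx(cached.policy, LEGIT_MX)   # nothing matches the rogue mx
    refetch = needs_refetch(cached, parse_sts_txt(NEW_TXT), now)  # id changed
    after = allowed_mx(parse_policy(GOOD_POLICY), LEGIT_MX) if refetch else before
    return {"before": before, "refetch": refetch, "after": after}
```

The point of `needs_refetch` is the one Viktor makes: whatever sits at the `mta-sts` host is only consulted when the TXT record says a new policy exists (or the cache expires), so publishing a fresh `id` alongside a correct policy is both the pre-emptive defence and the after-the-fact recovery path.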