Re: [Uta] Review of draft-ietf-uta-email-deep-08
Alexey Melnikov <alexey.melnikov@isode.com> Tue, 25 July 2017 06:56 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F4F8126DC2 for <uta@ietfa.amsl.com>; Mon, 24 Jul 2017 23:56:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S6C9BYE3TMmm for <uta@ietfa.amsl.com>; Mon, 24 Jul 2017 23:56:11 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id 725DA1200F3 for <uta@ietf.org>; Mon, 24 Jul 2017 23:56:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1500965770; d=isode.com; s=june2016; i=@isode.com; bh=Nv4PkQC8pJbuIGg6uXOlOS8pzA4vEVQte1lR04nM0aI=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=YUBcEU/Q7BvpM5dwI1/9PtPxfIb8v0DpnjFzDH9ttP53236ViPx1JxDnMESE7B7ZA8+gTG rj3tseyjYB6CHIacMZqo8d+s81J950b8/4+4gFWeQH9RrsCnCWPpqRrhBOa3zcv7MVx9Jm uBIH3tHwdUpUpJjILdWcPWu7ZOj5F3M=;
Received: from [192.168.0.3] (cpc121086-nmal24-2-0-cust54.19-2.cable.virginm.net [77.97.145.55]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <WXbriQBf=rTu@statler.isode.com>; Tue, 25 Jul 2017 07:56:10 +0100
To: Keith Moore <moore@network-heretics.com>, uta@ietf.org
References: <c0868a3a-be39-a971-02cc-18c550138a9f@isode.com> <ef041be4-8c98-5339-68d2-6d6b26233459@network-heretics.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <5976EB8A.9090802@isode.com>
Date: Tue, 25 Jul 2017 07:56:10 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
In-Reply-To: <ef041be4-8c98-5339-68d2-6d6b26233459@network-heretics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/XpkRoFOSp4S3twUGtKyYDJs4VlI>
Subject: Re: [Uta] Review of draft-ietf-uta-email-deep-08
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 06:56:13 -0000
Hi Keith, Quickly answering to a few easy ones: On 25/07/2017 05:18, Keith Moore wrote: > Hi Alexey, > > Thanks for the review! Some responses: > > > On 07/24/2017 12:04 PM, Alexey Melnikov wrote: >> I am generally very pleased with -07 and -08. >> >> A few minor comments: >> >> 1. Introduction >> >> This memo does not address use of TLS with SMTP for message relay >> (where Message Submission [RFC6409] does not apply). Improved use of >> TLS with SMTP for message relay requires a different approach. One >> approach to address that topic is described in [RFC7672]. >> >> I think you should also reference MTA STS draft informatively here. > > I'm personally okay with doing that. That would be great. >> 4.1. Deprecation of Services Using Cleartext and TLS Versions < 1.1 >> >> The specific means employed for deprecation of cleartext Mail Access >> Services and Mail Submission Services this MAY vary from one MSP to >> >> Extraneous "this" above. >> >> the next in light of their user communities' needs and constraints. >> >> >> Later in the same section: >> >> Also, users authenticating with passwords SHOULD be required to >> change those passwords when migrating from cleartext to TLS, since >> the old passwords were likely to have been compromised. >> >> Not necessarily true with something like SCRAM or GSSAPI (if PLAIN is >> also disabled), but I don't know how to word this better. I.e. >> authentication might still not expose the password without TLS. > > How about: > > Also, users previously authenticating with passwords sent as cleartext > SHOULD be required to change those passwords when migrating to TLS, > since the old passwords were likely to have been compromised. This looks good to me. (snip) >> 5.2. Minimum Confidentiality Level >> >> MUAs SHOULD NOT allow users to "click through" to access or send mail >> >> It is not clear to me whether you are recommending better UI or a UI >> that doesn't allow the user to bypass this? > > The intent is that the MUA shouldn't offer a popup or similar dialog to > allow a user to /easily/ bypass the account's minimum confidentiality > requirements. It's too easy to do this by accident, or without the > user reading or understanding the MUA's description of the situation. > And often, it's not just a few email messages that are compromised by > doing so - it's the user's credentials and by extension all of the > user's saved and future email, and potentially also any other resources > that use that same password. So it's a big deal. I agree with you. I just think that the text might need a bit clarification. > If the user wants to reconfigure a mail account to not impose the > minimum confidentiality requirement, that's up to the user, but "click > through" is just a Bad Idea. > >> >> via an connection, or to authenticate to any service using a >> password, if that account is configured to impose minimum >> confidentiality requirements and that connection does not meet all of >> those requirements. Experience indicates that users presented with >> such an option often "click through" without understanding the risks >> that they're accepting by doing so. >> >> 5.4. Certificate Pinning >> >> A pinned certificate is subject to a man-in-the-middle attack at >> account setup time, and lacks a mechanism to revoke or securely >> refresh the certificate. >> >> Isn't this a MUA UI issue? I.e., a MUA may allow users to manage >> pinned certificates. > > Use of pinned certs isn't forbidden by the draft, but pinned certs don't > meet minimum confidentiality requirements. > > I think it might be possible to adequately address the security concerns > associated with the usual implementation of pinned certificates, but > working though the details seems beyond the scope of this document. Ok, how about inserting "typically" before "lacks a mechanism to revoke ...". This way you are making an observation about state of UIs without sounding like it is a fact of nature. Best Regards, Alexey
- [Uta] Review of draft-ietf-uta-email-deep-08 Alexey Melnikov
- Re: [Uta] Review of draft-ietf-uta-email-deep-08 Keith Moore
- Re: [Uta] Review of draft-ietf-uta-email-deep-08 Alexey Melnikov
- Re: [Uta] Review of draft-ietf-uta-email-deep-08 Keith Moore