IETF Logo Mail Archive

Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard

Daniel Margolis <dmargolis@google.com> Wed, 18 April 2018 15:37 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1E301275AB for <uta@ietfa.amsl.com>; Wed, 18 Apr 2018 08:37:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I-uAtp4-Xmqk for <uta@ietfa.amsl.com>; Wed, 18 Apr 2018 08:37:54 -0700 (PDT)
Received: from mail-it0-x235.google.com (mail-it0-x235.google.com [IPv6:2607:f8b0:4001:c0b::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4155B127337 for <uta@ietf.org>; Wed, 18 Apr 2018 08:37:54 -0700 (PDT)
Received: by mail-it0-x235.google.com with SMTP id m134-v6so3116562itb.3 for <uta@ietf.org>; Wed, 18 Apr 2018 08:37:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=/IeyFiw+AYouTb+394EjjnkLxF6+bEdMtlDjOQ2VTM4=; b=RPvFmhFQV+6MsG6vDUMChj3mp+YXC388JMWd1mOCj0pZZh+dNx59JDKUcbb9VXdzSJ j/JZK37DcYu27RMREBYPrhpDdfps7N2tf7KFBVF4lxwCHNz6tp5N7kdy7DGsPH7ZjAHg MrWIS3nwqVPZ96sNGa57+ErKn/17tnLgzfGmHbb6jC6sq33IUo9iRWX6rGcBVpKj4vuv 25bZQvElv6CqjN/yQ9DinfcKCi+ej6sCRSZys8YKLzN1MVBYbMKmLTC2LNyuUCwJCHJT LrZuq7cev1vBNFMAFka4/qxm03Zrdwk5hSruO9vesn5wZrGyisJGsg3DRMeO2sHw2KE8 l+VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=/IeyFiw+AYouTb+394EjjnkLxF6+bEdMtlDjOQ2VTM4=; b=JFtgSq4V6itMPSVU6nEDLrayjUdVLqaad1WMX6WpxaL0JWzpBQpMwdjEjn7AiEXVtu KX3lp8AMo9iYjG/9nvh7XVVojxCOgpG77+Dw8dBqsYwzvzZFxtYKYGzqbbbFIyPNzx6S tUihQkTD3yTFntTbCGUqb/yG1DrrCvXMhNamL4wgLSkW529VnzvFAKcOZ5S/A7+71w7Q KlThF2WEc/dXZSD6qZzCGAUrLt6zp0YMxBwMXtabDRMjEPGNd5FwX2nl4RkIdMiZmOoN NAVFL+p9fJSjdKWM4Uj6DkLgXoseFrjl7pRbQWIMrgHb1gyBA7yA5GSojbAXK5L4bUVl YBAA==
X-Gm-Message-State: ALQs6tBsVLdmVMvoWrIUtJTBJkApX0R96WbnBJ7LjEvJENr8zZA/5GbV ZTOsiyMR9AU0OlHM5AZZtc78z5D83Dbj/4lxF7h2NpHf
X-Google-Smtp-Source: AIpwx4+wRsjo2YSGVcaZXqieOjHbWEU74e6VDRIhHCTW7NPOvzSggFtqsgJvKAyTaj1Z7rzG647CcO2viiPzBUKuaAc=
X-Received: by 2002:a24:91c4:: with SMTP id i187-v6mr3033338ite.118.1524065872614; Wed, 18 Apr 2018 08:37:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAKHUCzwes5vHjBSDqYXkvGRCGPeSPnqNgsJ2J_tDzF2FG+RuMg@mail.gmail.com> <FFB5B96A-E0BA-47D6-987F-245C7243012C@dukhovni.org> <CAKHUCzyOUqsONrxSLOXk9wZrUCRiBTw6mrHPsHkYQk87DyV0HA@mail.gmail.com> <3D9206C8-925A-4993-83BA-587E1CA8E0FC@dukhovni.org> <CAKHUCzy5h6tvJMqFzDY1Ot1qFjkK=XVQTf-Q9baBnKKPOuv+cQ@mail.gmail.com> <20180412162429.GO3322@mournblade.imrryr.org>
In-Reply-To: <20180412162429.GO3322@mournblade.imrryr.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Wed, 18 Apr 2018 15:37:39 +0000
Message-ID: <CANtKdUfqubXcYdiGgK0+WnOdSLgO0W4O9apQ2+JNqnFVhXOkCA@mail.gmail.com>
To: uta@ietf.org, ietf@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000003e996056a213d1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/YKxzKdH2gWH8PV65UtvmKgUeMVU>
Subject: Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2018 15:37:57 -0000

Apologies for the slow reply here. (I was on vacation.)

Ned: thanks for the clear summary. I'll start working on those issues.

Dave: thanks also for the direct feedback. To be honest, though, after all
this discussion, I'm somewhat struggling to sort out what's actionable from
what isn't, as I suspect you can understand. I'll try to read through and
come up with a priority list of compatible changes, but I may miss
things--if there are changes (to the text, versus the entire approach)
which you want to call out as priorities, I would very much appreciate any
help.

(Regarding the point about in-protocol vs HTTPS callouts, Viktor already
addressed this thoroughly, but to restate somewhat differently, we operate
with the following constraints: 1. we have to secure the domain, not the
host (since securing only the host does not achieve anything even after
first-contact in preventing downgrades) and 2. we want to allow *authenticated
migration off of an implementing service* (i.e. to allow recipient domains
to move from a hosting service that supports STS to one that does not, and
to prove to implementing senders that that move is OK with them). The
combination of those two constraints imply out-of-band policy exchange, I
believe.)

On Thu, Apr 12, 2018 at 6:25 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Thu, Apr 12, 2018 at 10:27:25AM +0100, Dave Cridland wrote:
>
> > > Unfortunately, per-MTA rather than per-domain policy entirely loses all
> > > protection against active attacks when the MX RRset is not secure.  The
> > > MiTM just forges the MX RRset, yielding new hosts for which no policy
> > > is stored.
> >
> > I can see I'm in the rough here, but I'm still unconvinced there's any
> real
> > difference between forging the MX RRset or forging the TXT record.
>
> Forging the TXT record is a downgrade attack (only) on *first*
> contact.  After a policy is cached and so long as it remains
> unexpired and gets refreshed periodically, forging the TXT record
> is no longer effective.  Where-as, in the absence of DNSSEC, per-MX
> policy is subject to MX RRset forgery for each and every delivery.
>
> > > Time will tell.  Either approach may yet fail to gain much traction.
> > > So, yes, we can't assume that MTA-STS is transitional, that's mostly
> how
> > > I like to think of it...
> >
> > I think the two are subtly incompatible at the moment in some cases, and
> > the flow involved means sending MTAs need to find out the policy prior to
> > connecting.
>
> Since DANE is downgrade resistant, and more resistant to mis-issuance
> than DV certs, and MTAs don't require or care about EV, when usable
> DANE TLSA records are found for the receiving SMTP server ("MX
> host"), a sending MTA that supports both should go with DANE, and
> not do STS (subject to local policy).  When no usable DANE TLSA
> records are found, any STS policy in scope for the domain should
> be used.
>
> > > There will be all kinds of implementations, and all kinds of ways for
> > > operators to mess up their deployment.  Making it easier to not mess
> up has
> > > a very high priority from my perspective.  Overly brittle security gets
> > > turned off.
> >
> > I agree; which is why I both suspect and hope these policy documents will
> > be generated by the providers.
>
> You keep assuming there's a third-party provider.  Many domains
> operate their own email servers, and these may have less sophisticated
> operational practices.  A fixed policy document is less fragile.
>
> A domain owner can specify their reference identifiers by parent
> domain if they so choose.  For some this may be less prone to
> operational tradeoff at a small trade-off in security.  Recall that
> STS is an optional upgrade from opportunistic unauthenticated
> STARTTLS, and will only gain traction if operationally reliable.
>
> I expect that STS adoption beyond the large providers will be slow,
> and that making it a bit easier is worth it.  Domains that don't
> need the wildcard feature can specify all their MX hosts explicitly
> in the policy.
>
> > >   https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_hostflags.html
> > >   https://www.openssl.org/docs/man1.1.0/ssl/SSL_add1_host.html
> >
> > Well, I never knew that this API supported wildcard matching against
> > wildcards.
> >
> > I still think this is wrong, but it's wrongness that's been implemented
> > already so I'll assume it's too late to fix.
>
> <off-topic, follow-ups off-list?>
>
>     IMHO there's nothing to fix, the use of sub-domain reference
>     identifiers is entirely optional.  If the application provides
>     an explicit hostname to match (no leading ".") then it is
>     matched verbatim.
>
>     If an application *chooses* to ask OpenSSL to match a sub-domain,
>     ".mail.example.com" or similar, then it is matched as documented
>     (what you call wildcard against wildcard).  Most applications
>     don't and won't ask for sub-domain reference identifiers.  An
>     application that implements STS over OpenSSL would ask for
>     those when that's what is in the STS policy.
>
> </off-topic>
>
> --
>         Viktor.
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>

v2.23.0 | Report a Bug | By Email