Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 12 April 2018 16:24 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6568D12E038; Thu, 12 Apr 2018 09:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rnCVIHGUxUoW; Thu, 12 Apr 2018 09:24:31 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C21812E887; Thu, 12 Apr 2018 09:24:30 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id B7C367A330A; Thu, 12 Apr 2018 16:24:29 +0000 (UTC)
Date: Thu, 12 Apr 2018 16:24:29 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org, ietf@ietf.org
Message-ID: <20180412162429.GO3322@mournblade.imrryr.org>
Reply-To: uta@ietf.org, ietf@ietf.org
References: <CAKHUCzwes5vHjBSDqYXkvGRCGPeSPnqNgsJ2J_tDzF2FG+RuMg@mail.gmail.com> <FFB5B96A-E0BA-47D6-987F-245C7243012C@dukhovni.org> <CAKHUCzyOUqsONrxSLOXk9wZrUCRiBTw6mrHPsHkYQk87DyV0HA@mail.gmail.com> <3D9206C8-925A-4993-83BA-587E1CA8E0FC@dukhovni.org> <CAKHUCzy5h6tvJMqFzDY1Ot1qFjkK=XVQTf-Q9baBnKKPOuv+cQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAKHUCzy5h6tvJMqFzDY1Ot1qFjkK=XVQTf-Q9baBnKKPOuv+cQ@mail.gmail.com>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/_d_kicBb9EFhBz7tLKXjtVcmUdQ>
Subject: Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2018 16:24:37 -0000
On Thu, Apr 12, 2018 at 10:27:25AM +0100, Dave Cridland wrote: > > Unfortunately, per-MTA rather than per-domain policy entirely loses all > > protection against active attacks when the MX RRset is not secure. The > > MiTM just forges the MX RRset, yielding new hosts for which no policy > > is stored. > > I can see I'm in the rough here, but I'm still unconvinced there's any real > difference between forging the MX RRset or forging the TXT record. Forging the TXT record is a downgrade attack (only) on *first* contact. After a policy is cached and so long as it remains unexpired and gets refreshed periodically, forging the TXT record is no longer effective. Where-as, in the absence of DNSSEC, per-MX policy is subject to MX RRset forgery for each and every delivery. > > Time will tell. Either approach may yet fail to gain much traction. > > So, yes, we can't assume that MTA-STS is transitional, that's mostly how > > I like to think of it... > > I think the two are subtly incompatible at the moment in some cases, and > the flow involved means sending MTAs need to find out the policy prior to > connecting. Since DANE is downgrade resistant, and more resistant to mis-issuance than DV certs, and MTAs don't require or care about EV, when usable DANE TLSA records are found for the receiving SMTP server ("MX host"), a sending MTA that supports both should go with DANE, and not do STS (subject to local policy). When no usable DANE TLSA records are found, any STS policy in scope for the domain should be used. > > There will be all kinds of implementations, and all kinds of ways for > > operators to mess up their deployment. Making it easier to not mess up has > > a very high priority from my perspective. Overly brittle security gets > > turned off. > > I agree; which is why I both suspect and hope these policy documents will > be generated by the providers. You keep assuming there's a third-party provider. Many domains operate their own email servers, and these may have less sophisticated operational practices. A fixed policy document is less fragile. A domain owner can specify their reference identifiers by parent domain if they so choose. For some this may be less prone to operational tradeoff at a small trade-off in security. Recall that STS is an optional upgrade from opportunistic unauthenticated STARTTLS, and will only gain traction if operationally reliable. I expect that STS adoption beyond the large providers will be slow, and that making it a bit easier is worth it. Domains that don't need the wildcard feature can specify all their MX hosts explicitly in the policy. > > https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_hostflags.html > > https://www.openssl.org/docs/man1.1.0/ssl/SSL_add1_host.html > > Well, I never knew that this API supported wildcard matching against > wildcards. > > I still think this is wrong, but it's wrongness that's been implemented > already so I'll assume it's too late to fix. <off-topic, follow-ups off-list?> IMHO there's nothing to fix, the use of sub-domain reference identifiers is entirely optional. If the application provides an explicit hostname to match (no leading ".") then it is matched verbatim. If an application *chooses* to ask OpenSSL to match a sub-domain, ".mail.example.com" or similar, then it is matched as documented (what you call wildcard against wildcard). Most applications don't and won't ask for sub-domain reference identifiers. An application that implements STS over OpenSSL would ask for those when that's what is in the STS policy. </off-topic> -- Viktor.
- [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> … The IESG
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- [Uta] Digression on DANE for MTAs implementation … Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Daniel Margolis