Re: [Uta] Genart telechat review of draft-ietf-uta-smtp-tlsrpt-18
Daniel Margolis <dmargolis@google.com> Wed, 18 April 2018 15:26 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E424D127337 for <uta@ietfa.amsl.com>; Wed, 18 Apr 2018 08:26:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBkNerMOV3mL for <uta@ietfa.amsl.com>; Wed, 18 Apr 2018 08:26:02 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65955126B6E for <uta@ietf.org>; Wed, 18 Apr 2018 08:26:02 -0700 (PDT)
Received: by mail-io0-x231.google.com with SMTP id q84-v6so2881007iod.10 for <uta@ietf.org>; Wed, 18 Apr 2018 08:26:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h8pVS3qoAgyEorkUYqQ1FE/851qvaO9JP1z3uhMXYJ4=; b=GdT5bDdPdQdDGwT1MO1OSmL/OTiGGzxAkmuoPlB7xHyCXtxxGUctxW7gBlGc2ecVNA iSbGTx6cMN0PUr0dJd6MnYFtn0L5vdcpbeae2wjtUydH44cWCrGA86K72nXcEGtVswrh 3O8T/vZnxR6gJcPZuenqf5upD8UjIMlzS7n1ItNdVOkUbEzvGLVXpP4/kKBkApyQVS2x JewYhGPZDDf//8uysY6F7ORqeBZcsD5p7l+vUpYbEC9QlfrZtYaSkJ1rzACTmmdlkFbJ NM7+yPm09RZF0WS5Pr0YEnE6nqeB6eZwC2sZSR1bg/m2zp6OhR2ZBcjThvNAormesaZq IzCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h8pVS3qoAgyEorkUYqQ1FE/851qvaO9JP1z3uhMXYJ4=; b=FJ9U0e76d7d+9+pPWudxhXYegMQBHhXG8bgJOVMgB6z0CEmql+DX/dkYe7tWHSk0hb 0xHK3195EYNwvRM0ngX8TNb/pJvy8bePh00M41X+pI5RkQAwglbvE33UdZ8XGqDlreUf kTyB1tlFl6p0gcQPMg9ZKeTX784373r7YDBjvX4KK50xVpBzjSCGtchtINgBxXeyjebv cf4ZIoQWaCu3Lc6b28zkgZ9gI0rubTSy8QggF5HuIQKoHOVhVN0X/OTePNLoKH8IFxaS Ln3LqSWqsMHUPNYZWDE2XYu2AvuNEkl5U8y9+7RmPA1n3QHWE+foXF5druhJTW+WNheK ARcQ==
X-Gm-Message-State: ALQs6tA1lHWdh2ljH4g8+2ujMDROlgibNbBG/x5gxxHr4Mw601I29nDw iDMBOEHeUuqmxSP+k8zTt7MYnvIZTzCaJvq5zVYbuQ==
X-Google-Smtp-Source: AB8JxZoeZp9Be44GKnJxnLBtWxFIK1V2wNM054QMfGwxoU+lI/eC7tIQ/iuHhlp5bcnoEAoMoVpMDAqSj5K6gIJLBtA=
X-Received: by 2002:a6b:9b15:: with SMTP id d21-v6mr2599700ioe.243.1524065161240; Wed, 18 Apr 2018 08:26:01 -0700 (PDT)
MIME-Version: 1.0
References: <152293620742.25921.15349241552991574638@ietfa.amsl.com>
In-Reply-To: <152293620742.25921.15349241552991574638@ietfa.amsl.com>
From: Daniel Margolis <dmargolis@google.com>
Date: Wed, 18 Apr 2018 15:25:48 +0000
Message-ID: <CANtKdUebuDtkCRBn4s62rmmy7SewBYCab26MjHBHH5pVBPdBKQ@mail.gmail.com>
To: jmh@joelhalpern.com
Cc: gen-art@ietf.org, uta@ietf.org, draft-ietf-uta-smtp-tlsrpt.all@ietf.org, ietf@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000980252056a2112e0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/axSXGdmqtZCUZaB-6wXlAi3h0tI>
Subject: Re: [Uta] Genart telechat review of draft-ietf-uta-smtp-tlsrpt-18
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2018 15:26:06 -0000
On Thu, Apr 5, 2018 at 3:50 PM Joel Halpern <jmh@joelhalpern.com> wrote: > Reviewer: Joel Halpern > Review result: Ready > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please wait for direction from your > document shepherd or AD before posting a new version of the draft. > > For more information, please see the FAQ at > > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > > Document: draft-ietf-uta-smtp-tlsrpt-18 > Reviewer: Joel Halpern > Review Date: 2018-04-05 > IETF LC End Date: 2018-04-02 > IESG Telechat date: 2018-04-19 > > Summary: This document is ready for publication as a Proposed Standard RFC > My thanks to the authors for addressing my major concerns and most of > my > minor concerns. > > Major issues: > > Minor issues: > There are several areas where the document would be helped by better > explanations. From my previous review: > > Section 3, bullet 3, says that submitters using POST can ignore > certificate > validation errors when using https. That seems to undermine the usage > of > https. As such, I would expect to at least see some explanation of > when > and why ignoring such errors is appropriate. > > This is sort of obliquely (but not explicitly) addressed in Security Considerations in the context of "report snooping." I would suggest (and am happy to add, if the other authors are OK with it) text to the effect that report snooping can be conducted via a bogus TLSRPT record but also by injecting a bogus response for resolving the reporting URI or otherwise MITM'ing the report. Because an attacker capable of these attacks can likely, similarly, inject themselves directly into the SMTP exchange (by injecting a bogus MX record or otherwise MITM'ing that exchange themselves), we don't believe this substantially increases attack surface. Exceptions are when the report URI points to a host in a different zone than the MX host or in some other matter is MITM'able in a way that the MX host itself is not. Hence, in the common case, MITM'ing the *report* should present no significant additional attack surface from MITM'ing the *MX*, and thus requiring certificate validation (which may interfere with the delivery of reports) would be counterproductive (though we leave it up to reporters to determine if they wish to enforce validation). Does that make sense? > It is surprising in Section 3 Bullet 4 that reporting via email > requires > that the report submitted use DKIM. Particularly while ignoring any > security errors in communicating with the recipient domain. > > In the formal definition of the txt record, shouldn't the URI format > also > indicate that semicolon needs to be encoded? > > Section 5.1 defines a report filename. This is probably a naive > question, > but what is that for? If using HTTPS, the earlier text says that the > POST > operation goes to the target URI from the txt record. When using > email, > there is no apparent need for a filename. > > Most of the security risks described in the Security section (7) do not > seem to have any mitigation. Should there not be some explanation why > deployment is acceptable with these risks? > > Nits/editorial comments: > > >
- [Uta] Genart telechat review of draft-ietf-uta-sm… Joel Halpern
- Re: [Uta] Genart telechat review of draft-ietf-ut… Daniel Margolis
- Re: [Uta] [Gen-art] Genart telechat review of dra… Alissa Cooper