IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)

Keith Moore <moore@network-heretics.com> Tue, 31 October 2017 02:30 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A74D13374A; Mon, 30 Oct 2017 19:30:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.618
X-Spam-Level:
X-Spam-Status: No, score=-2.618 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MaQpfdJMWaiu; Mon, 30 Oct 2017 19:30:22 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56D8F139203; Mon, 30 Oct 2017 19:30:22 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 946B5209BF; Mon, 30 Oct 2017 22:30:21 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute6.internal (MEProxy); Mon, 30 Oct 2017 22:30:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=KAVwUqIukecUeGD98I96BZLDZgmpr d9SlsVkZnhGGEU=; b=IxIxeUuEib5/WJo91/YEurr6YgqlZcfEUcazMN1PscoDC nfpWXVmfCliPiGDQTp7vUG1+RtDcOpNFkLCVplFQOJ+SVtORW6fFDaXF4Y4iMNZR M32Inaz0XEUftKQMj47NMXKpTnGdDuZjwdOVEWu/fScQPEznBOas74zKN50uH37g y7T9UiOOOYvimjXtqVX2a8iLDxrs/zS6bePnYEtawOHu9ksmPfXYenDsBIOFS7ba NBRtISiRggEoLda3n+AaWm9L5F1QP6nAKlFdoA9/Tvgfry/EhnPXPSHI+9hlOU60 daVb/ie9QfaZ3rDcpsB0ThBTEzaXak9Bj6IRPbWRw==
X-ME-Sender: <xms:PeD3WYeLwdpnHXBD1IXdrjkY3uFv2Y5DiF-v5yriGUCl1K-zCmH-HQ>
Received: from [192.168.1.66] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id 4B333242CF; Mon, 30 Oct 2017 22:30:20 -0400 (EDT)
From: Keith Moore <moore@network-heretics.com>
To: Chris Newman <chris.newman@oracle.com>, Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-uta-email-deep@ietf.org, uta-chairs@ietf.org, Leif Johansson <leifj@sunet.se>, "uta@ietf.org" <uta@ietf.org>
References: <150852235551.15416.1247335476327491501.idtracker@ietfa.amsl.com> <98fddd93-a0a8-efa3-ce2e-530449ae536c@network-heretics.com> <8B20BC5A-A60A-4A31-9345-E970B31BC2C3@oracle.com> <a67ef1d0-1637-fe48-9fb1-664ad8b3172d@network-heretics.com> <D5ED7737-D201-41A2-B24D-661D10D19EE0@oracle.com> <CABcZeBPx2zS8Wr5179wkcmv-_=KeQSfCi91tb0OpSax7QbETPg@mail.gmail.com> <412F718C-F4C9-427C-8D07-3561F374C804@oracle.com> <29ec2879-c811-ef64-46e9-b19adb7fef8e@network-heretics.com>
Message-ID: <8b2d406e-0d08-40e0-ee32-28c97367ac74@network-heretics.com>
Date: Mon, 30 Oct 2017 22:30:19 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <29ec2879-c811-ef64-46e9-b19adb7fef8e@network-heretics.com>
Content-Type: multipart/alternative; boundary="------------C43EECB1B92F3AB36E432124"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/cC0pggoGyE-_sOhokw3K0Kj87pI>
Subject: Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 02:30:26 -0000

After a bit more thought on this, I've concluded that using the mail 
server's server certificates to verify authenticity of SRV records 
probably isn't a good idea - or at least there are more considerations 
and pitfalls than can reasonably be thought through in the context of 
this document.

One consideration is that TLS "reverse proxies" can (and likely do/will) 
use SNI to dispatch to different hosts on the back end, as one way to 
implement "virtual hosting" of mail services.   So if joe@example.com 
needs to be able to authenticate to mailserver.example.net after 
presenting "example.com" in SNI, in addition to being able to 
authenticate to "mailserver.example.net" after presenting 
"mailserver.example.net", that's essentially going to constrain mail 
service providers to configure such reverse proxies to map "example.com" 
and "mailserver.example.net" to the same internal hosts, or at least 
have both of those hosts consult the same servers for authentication.  
This would in some cases make such reverse proxies essentially useless 
as a means to dispatch different traffic to different servers.

Also, of course, being able to authenticate to two different servers 
(even if both present valid certificates for their respective domain 
names) is not the same thing as those two servers being the same.

So now I'm inclined to add a simple sentence or two along the lines of 
Chris's suggestion.   I think that's the best we can do in a short time 
without additional review cycles.

Keith


On 10/28/2017 06:45 AM, Keith Moore wrote:
>
> I've taken a stab at writing a non-normative appendix explaining this.
>
> -------------------------
> Appendix.  Use of Server Name Indication (SNI) in conjunction with SRV 
> records
>
> This section attempts to explain the considerations involved when 
> using SNI in conjunction with SRV records, because they do not seem to 
> be adequately explained elsewhere.  This section is not normative.
>
> There are two scenarios:
>
> 1. When an MUA contacts a mail server using configuration information 
> derived from an SRV record.
>
> This case is very similar to the case in which an MUA contacts a mail 
> server using configuration explicitly supplied by the user.   In 
> either case the server name that the MUA uses to obtain the server's 
> IP address(es), the server name which is compared with the server 
> certificate, and the server name presented in the SNI extension, 
> should all be the server's DNS name - i.e. the target of the SRV 
> record when SRV is used to discover it.
>
> For a concrete example, assume that a user has address joe@example.com 
> and the mail service for example.com is hosted at 
> mailserver.example.net. The SRV record that Joe's MUA uses to learn 
> its configuration information might be
>
> _imaps._tcp.example.com.        SRV  0 1 993 mailserver.example.net.
>
> When attempting to access Joe's message store, Joe's MUA would connect 
> to an IP address associated with mailserver.example.net on port 993, 
> and begin negotiating TLS, sending an SNI extension with HostName = 
> mailserver.example.net.   Joe's MUA would then expect the certificate 
> returned to have CN-ID or DNS-ID matching mailserver.example.net.   
> Per section X.Y of this document, if the server's certificate doesn't 
> match mailserver.example.net, Joe's MUA must abandon the connection.
>
> 2. When a MUA derives, or refreshes, account configuration information 
> from the user's email address using an SRV record.
>
> When initially configuring Joe's mail account, and perhaps 
> occasionally thereafter (say when the TTL from the SRV record returned 
> from the previous query for that information has expired or is nearing 
> expiration), Joe's MUA may repeat the SRV query for 
> _imaps._tcp.example.com.   One way for Joe's MUA to verify that the 
> SRV record were authentically issued by example.com would be to verify 
> a DNSSEC signature on the SRV record; however, DNSSEC is deploying 
> very slowly and therefore might not be available.   An alternate way 
> for Joe's MUA to verify that the SRV record were authentically issued 
> by example.com would be for Joe's MUA to contact 
> mailserver.example.net on port 993, negotiate TLS and include an SNI 
> extension with HostName == example.com, and expect a server 
> certificate with either a DNS-ID or an SRV-ID matching example.com.
>
> If the target of the current SRV record differs from the server name 
> in the MUA's previous configuration for that account and server, the 
> MUA must not attempt to authenticate to the server on Joe's behalf as 
> joe@example.com unless the server presents a certificate which 
> contains an DNS-ID or SRV-ID matching example.com.   If, however, the 
> server certificate returned does match example.com, and the 
> authentication succeeds, the MUA can then tentatively use the 
> configuration information for that account and server based on the new 
> SRV record. However, the MUA should then close the connection (without 
> further interaction with the server) and reconnect to the server using 
> an IP address associated with the server's DNS name, send the server's 
> DNS name in SNI, and expect the certificate to match the server's DNS 
> name.   If that is successful, Joe's MUA can then update its 
> configuration; otherwise, it should retain its previous configuration 
> settings.[*]   (RFC7817 requires MSPs to return certificates with 
> SRV-IDs if the services are advertised using SRV records, but this is 
> relatively recent, and an MSP does not necessarily have control over 
> the DNS records advertised by its customers).
>
> If the server doesn't return a valid, trusted certificate matching the 
> main domain, it doesn't mean that the new SRV record is inauthentic, 
> but it does mean that the new SRV record cannot be assumed to be 
> authentic based on only unsigned DNS records.  Per section X.Y of this 
> document, the MUA must not automatically update its configuration 
> information based on an unsigned SRV record, but must require 
> confirmation from the user before updating it. For reasons similar to 
> those listed elsewhere in this document when an MUA encounters invalid 
> certificates, the MUA should not permit the user to simply "click 
> through" to change the configuration.  The MUA should probably not 
> even offer to change the configuration at all unless the new SRV 
> records persist over an extended period of time.
>
> In the absence of DNSSEC, and assuming that multiple services are 
> associated with an email address in the MUA's configuration, this 
> process needs to be repeated independently for each SRV record and 
> corresponding service that would alter the MUA's configuration for 
> that account.  (In other words, successful validation of one SRV 
> record using this method does not imply that other SRV records for 
> that mail domain are also valid.)
>
> This has implications for both MUAs and mail servers.
>
> MUAs supporting SNI should send SNI with the service name when 
> initially configuring an account, and send SNI with the mail server's 
> name when accessing the account normally.
>
> Mail servers supporting SNI need to be able to return certificates for 
> their own DNS names, and should also be configurable to utilize SNI to 
> return certificates containing SRV-IDs for the mail domains for which 
> they provide service. In some cases this means that a domain 
> example.com will need to supply a certificate matching a SRV-ID of 
> example.com (along with the private key corresponding to the public 
> key in the certificate) to the company or companies that provide its 
> mail service.   Note that if the certificate only contains a SRV-ID 
> for example.com, the certificate and corresponding key pair is 
> somewhat less useful to an imposter as compared to a certificate with 
> a DNS-ID.  Of course, the same key pair should not be used for both a 
> SRV-ID example.com certificate (where the private key is disclosed to 
> a mail service provider), and a normal DNS-ID and/or CN-ID certificate 
> for example.com.
>
> Mail service providers supporting SNI to verify service name 
> certificates for any particular mail domain, need to do so for all 
> services associated with that mail domain.
> -------------------------
>
> [*] I'm not sure whether this should be included or not.  It strikes 
> me as possible (and perhaps reasonable) that an MSP could provision 
> different servers for customers using SRV records than for customers 
> not doing so, so an MUA should not automatically update its 
> configuration based on a changed SRV record if the configuration was 
> not originally derived from SRV records.  It also strikes me as 
> possible (and perhaps reasonable) that the server could behave 
> differently when given an SNI of example.com than when given an SNI of 
> mailserver.example.net, much as an HTTP server can behave differently 
> when given a Host request header of example.com than a Host request 
> header of mailserver.example.net.   So my sense is that when actually 
> reading or sending mail, the MUA should behave consistently each time 
> and always present the server's name in SNI.   (And if I were writing 
> an MUA and the SRV record pointing to a user's IMAP or POP server 
> changed, I'd want to be sure that the new server actually had the 
> user's mail before committing the change to the configuration.)
>
> Anyway, given the length of the above and the difficulty of explaining 
> it I can see why Chris would like to keep it to one sentence.
>
> Keith
>
>

v2.23.0 | Report a Bug | By Email