Re: [Uta] Comments on STS Strict Transport Security
Daniel Margolis <dmargolis@google.com> Tue, 22 March 2016 10:24 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63CA112D14F for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 03:24:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4uGdMkjiai8 for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 03:24:44 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D00C12D1E4 for <uta@ietf.org>; Tue, 22 Mar 2016 03:24:43 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id m184so238622985iof.1 for <uta@ietf.org>; Tue, 22 Mar 2016 03:24:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=ozYiO6iadvo2aO1BiR4FDMhRTaet0PsQOTDIH0CflLU=; b=G6FuGMsOVyETPF4qn03OAaBoePoU+BXPb9TW3/X7d686Yq/rSlyBoSYDtpt5Zm8vXS 4o9j+GywOM1L6iK9NpyoMLUOBis9f+A2oeOJm/bBScNViwsGpTJ33aUjmZ0y3uZPJLI4 HQV16gR3anioqDG7xIw9LVQvcBhiiyh1yCmq9w/2HTHJnp+4wy+WDDt6hDkaycMO4PE/ xu3oNpkMNGysGPr7glVTRjfz4Fof10wpGBf8jo2RMjuf9FUT4+iv/WEM/tJabTHXOty3 UTtrM6klZ9ycp9CYmT/mvADcbrI+XMNipOn0SL3wTs+8WKRQUxwceFICFS+6esJMFPna fDyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=ozYiO6iadvo2aO1BiR4FDMhRTaet0PsQOTDIH0CflLU=; b=I/ff9sdiHmOHNwvkTtYUuGXzewSM8IMJyqIrzE41q1p4OPadfuuOd534BTIEAkqRrz T9Pj+wyIHSY1SVJI3DwYAEre/BIgbfJdTNBy51n+DjbzTQJhtnejxe4B6YtF/AREMkmB k9df0EW1DRw8KiRPYK2aAvhzkk3g6iLnut6xCFTftviOOSjPXlQG0XU5XCmAzOH7DeHo 9dk64vNu9mrMjYOgywaNTWYidVJaMbcySXNvCr+uTdUj2+5tYYkoBcUOaEBufY9lB279 llfBREkpq6m88iFg7iLyRsax4vMWWyD0RoOfDFPmxXQT67hw2w00VKWgqmvoUds5JIjs omGQ==
X-Gm-Message-State: AD7BkJLJgSrGk9upAT2C8gwV2O525XuqLmqmVy7hh+pHmGyJT0dbDVcBGTo2loSQYnDHkaNglg+IwVExOTcG+N9k
MIME-Version: 1.0
X-Received: by 10.107.12.95 with SMTP id w92mr37402997ioi.114.1458642282966; Tue, 22 Mar 2016 03:24:42 -0700 (PDT)
Received: by 10.64.251.136 with HTTP; Tue, 22 Mar 2016 03:24:42 -0700 (PDT)
In-Reply-To: <4ED52982-CB5A-434F-A9F5-ED652486436D@noware.co.uk>
References: <4ED52982-CB5A-434F-A9F5-ED652486436D@noware.co.uk>
Date: Tue, 22 Mar 2016 11:24:42 +0100
Message-ID: <CANtKdUfLEqc-Mf76U0eZ82pMmLMsYqANPyK9Jh2MsEpZr+E96w@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: Neil Cook <neil.cook@noware.co.uk>
Content-Type: multipart/alternative; boundary="001a113df91221e5a2052ea09f15"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/eFwWciz01wTI50BWDa8qVZQ0Xg4>
Cc: uta@ietf.org
Subject: Re: [Uta] Comments on STS Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 10:24:47 -0000
Heh, thanks for the feedback. I will try to make sure we used consistent language. In specifics, my intended meanings: * authentication: determining that the policy is published by the domain owner (either because it was delivered over DNSSEC or because it was delivered over HTTPS with a trusted cert) * validation: on a given mail delivery attempt, determining that the MX is the "right" MX (i.e. that its identity and certificate match what the authenticated policy specifies) * application: determining what to do when a policy validates or does not validate (the latter of course being the interesting case) "Application" is more than just "validation" for two reasons. First, because a policy might be "report only" and thus a failure to validate does not result in a delivery failure. Second, because of this slightly complicated dance to get the latest policy in the case of a failure. The central idea here is that if a policy fails to validate on a given delivery attempt, the sender should try to get a new *authenticated* policy to ensure it's using the most up-to-date revision. This allows recipients to set a long expiration on the policy without chaining themselves to their current MX records, provider, etc. So this answers your question of when senders will see the new policy: they will refresh the policy if the old policy is no longer valid. An attacker who can present a valid policy (by e.g. controlling both DNS and a valid CA-signed cert for the recipient domain) can typically do a lot of other nasty things as well, like MITM client connections to the IMAP or webmail server, so we consider this attack out of scope for now (though potentially a good application of public key pinning, CT, or similar). In the section you quote from 3.3, I think that should refer to "authentication", not "validation." :) Dan On Tue, Mar 22, 2016 at 10:12 AM, Neil Cook <neil.cook@noware.co.uk> wrote: > Some feedback on this draft: > > 1) The language around policy authentication vs validation vs application > is very confusing to me. The terms “authentication” and “validation” seem > to be used in a variety of contexts with different meanings. > > For example in "3.3. Policy Authentication" > > The security of a domain implementing an SMTP STS policy against an > active man-in-the-middle depends primarily upon the long-lived > caching of policies. However, to allow recipient domains to safely > serve new policies _prior_ to the expiration of a cached policy, and > to prevent long-term (either malicious or active) denials of service, > it is important that senders are able to validate a new policy > retrieved for a recipient domain. There are two supported mechanisms > for policy validation: > > So the draft talks about authentication, and then immediately starts > talking about being able to “validate” new policies. I think this should > be “authenticate”. > > When fetching a new policy when one is not already known, or when > fetching a policy for a domain with an expired policy, > unauthenticated policies MUST be trusted and honoured. > > Back to the use of “unauthenticated” here. Even though authentication > hasn’t really been defined yet, or least distinguished from validation. > > When fetching a policy and authenticating it, as described in detail in > _Policy_ > _Application_, policies will be authenticated using the mechanism > specified by the existing cached policy. > > And here. > > Note, however, as described in detail in _Policy_ _Application_, that > new policies MUST NOT be considered as valid if they do not validate > on first application. That is, a freshly fetched (and unused) policy > that has not successfully been applied MUST be disregarded. > > Here validation seems be being used as meaning “parsing and applying > successfully”. > > Also, it’s confusing to me that this paragraph talk about policy > validation, but instead refers the reader to the “Policy Application” > section, rather than the “Policy Validation” section. > > I think the terms should be used as follows (and please correct me if I’m > misunderstanding the draft): > > - “authentication” refers to the concept of “trusting” that a retrieved > policy is the policy actually intended by the remote domain and not a > malicious policy inserted through DNS spoofing or whatever, and should be > used in the this context. Since STS is ‘trust-on-first-use’, this means > that authentication is normally a no-op, except in the case of retrieving a > new policy when a cached policy is already in operation. > I’d like to see the section on Policy Authentication reworded so that this > is clearer, by moving the language "When fetching a new policy when one is > not already known…” to the start of this section, and stating that such > policies are thus implicitly authenticated. Explicit authentication happens > when a new policy is retrieved and authenticated according to the two > mechanisms shown in “Policy Authentication”, based on the “a" field from > the already cached policy. > > - The section “Policy Validation” actually refers to certificate > validation, based on the “c” field in the cache policy. This seems to be > different to policy validation to me, which should mean a well-formed and > parseable policy. The section “Policy Validation” actually seems to me to > just be the first step in policy “application”. > > - “application” should refer to the process of applying an authenticated > and valid policy. > > 2) The logic as to when to use the “authentication” mechanism as described > by the “a” field seems strange to me. The draft states that policies should > be cached until the expiration time (which is implicitly the longer of the > TTL and the “e” field). It also states that the only time the > authentication method specified in the “a” field should be used is when the > applied policy is invalid and the policy specifies rejection (step 4 of > Policy Application). > The draft also states: > With these two mechanisms and the procedure specified in step 4, > recipients who publish a policy have, in effect, a means of updating > a cached policy at arbitrary intervals > > I don’t get this, because it seems to me that if a domain with a valid > policy wishes to change their policy *before* the end of the expiration > period, then nobody will see that new policy until *after* the expiration > period because sending MTAs will cache the policy until after the > expiration period, and should never invoke step 4 because they shouldn’t > see a validation failure and/or reject action. This doesn’t seem consistent > with “updating a cache policy at arbitrary intervals”? > > "Understanding the details of step 4 is critical to understanding the > behaviour of the system as a whole.” > > I have to say I don’t understand step 4 at all, so maybe someone can > explain it to me? :) The whole authentication system seems designed for a > tiny use-case, i.e. validation failure and reject action. If this is > designed to stop malicious behaviour, why only concentrate on > non-validating policies, surely there are use-cases where an attacker has > spoofed the recipient DNS records (cache poisoning etc.) and thus has > control over both the DNS STS record and the DNS record for the HTTPS > server, and thus could present a valid policy? > > Neil > > > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > >
- [Uta] Comments on STS Strict Transport Security Neil Cook
- Re: [Uta] Comments on STS Strict Transport Securi… Daniel Margolis
- Re: [Uta] Comments on STS Strict Transport Securi… Neil Cook
- Re: [Uta] Comments on STS Strict Transport Securi… Daniel Margolis