Re: [Uta] ALPN recommendations in draft-ietf-uta-rfc7525bis-01

John R Levine <johnl@taugh.com> Sun, 01 August 2021 19:16 UTC

Date: Sun, 01 Aug 2021 15:16:07 -0400
Message-ID: <8fb5e52f-91ac-fcec-8f9f-c7db3d5d3dd0@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, uta@ietf.org
X-X-Sender: johnl@ary.qy
In-Reply-To: <CC8C60E3-B6E1-43BC-BF5B-36E76548FEF0@gmail.com>
References: <b7abf0eb-0ba9-4ab9-90df-910a3391a830@beta.fastmail.com> <20210801005846.190B82568BF1@ary.qy> <48B82EAB-D059-4C81-B14D-8D1D10EBB78B@gmail.com> <a12f7ad1-61c8-a6ef-da91-77c86766822c@taugh.com> <CC8C60E3-B6E1-43BC-BF5B-36E76548FEF0@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/lQ0Sj7_qoqahvRD99NH-RwgSzw8>
Subject: Re: [Uta] ALPN recommendations in draft-ietf-uta-rfc7525bis-01

> YS: some of the attacks do not depend on the client executing JavaScript, but rather on the use of cookies (bearer tokens) which can be intercepted/logged/uploaded on the server side. I don't know of bearer tokens being used in SMTP, but it doesn't look like an HTTP-only notion.

Mail sessions have very little context, and none from one session to the 
next.  You can send multiple messages in a session but the only thing the 
session remembers is the set of features offered by the server at the 
start of the session.

POP, IMAP, and SUBMIT all use SASL authentication before you can do 
anything interesting, but I don't immediately see how ALPACA would take 
advantage of that.

> YS: I don't know how to implement "great scepticism"... Specifically, if 
> you have a human in front of a web browser maybe you could use UI 
> indicators, but what do you do if the client is a script calling a REST 
> API?

Beats me.  What happens if the REST API uses a server that only speaks SSLv3?

> YS: Agreed. My own expectation is that the TLS BCP (like other 
> non-urgent security upgrades) will be applied during routine upgrades. 
> Compare enterprise-wide SHA-1-to-SHA-256 migration projects.

OK, but don't get your hopes up.  DKIM mail authentication has been 
telling people to use SHA-256 since we published the original DKIM spec in 
2007, and we formally deprecated SHA-1 in RFC 8301 in January 2018.  I 
just counted the signatures on mail I've gotten since the beginning of the 
year:

sha-256 9141
sha-1 1479

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
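
One way to take the kind of count described in the message above, as an added example that is not part of the original e-mail: it tallies the hash named in the `a=` tag of every DKIM-Signature header, counting signatures rather than messages. The sample messages are constructed, and the message does not say how its own numbers were produced.

```python
import email
import re
from collections import Counter

# Constructed sample mail (not real messages); bh= and b= are placeholders.
SAMPLE_MESSAGES = [
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=ed25519-sha256; d=example.com; s=sel2;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: a@example.com\nSubject: one\n\nbody\n",
    "DKIM-Signature: v=1;\n a=rsa-sha1; d=example.net; s=old;\n"
    " h=from; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: b@example.net\nSubject: two\n\nbody\n",
    "From: c@example.org\nSubject: unsigned\n\nbody\n",
]


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signature_hashes(raw_message):
    """Return the hash algorithm of each DKIM signature on one message."""
    msg = email.message_from_string(raw_message)
    hashes = []
    for header in msg.get_all("DKIM-Signature", []):
        algo = parse_tag_list(str(header)).get("a", "").lower()
        # a= is "<key type>-<hash>", e.g. rsa-sha256 or rsa-sha1.
        hashes.append(algo.rpartition("-")[2] or "missing")
    return hashes


def tally(messages):
    """Count signatures per hash algorithm across an iterable of raw messages."""
    counts = Counter()
    for raw in messages:
        counts.update(signature_hashes(raw))
    return counts


if __name__ == "__main__":
    for name, n in tally(SAMPLE_MESSAGES).most_common():
        print(name, n)
```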