Re: [Uta] I-D Action: draft-ietf-uta-email-tls-certs-03.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 18 June 2015 16:02 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 962781A8756 for <uta@ietfa.amsl.com>; Thu, 18 Jun 2015 09:02:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRPl1DXrXyyA for <uta@ietfa.amsl.com>; Thu, 18 Jun 2015 09:02:29 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76DD51A004A for <uta@ietf.org>; Thu, 18 Jun 2015 09:02:29 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0D5A6282FD0; Thu, 18 Jun 2015 16:02:28 +0000 (UTC)
Date: Thu, 18 Jun 2015 16:02:28 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20150618160227.GY14121@mournblade.imrryr.org>
References: <20150617103908.12052.62338.idtracker@ietfa.amsl.com> <5581518E.9090105@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5581518E.9090105@isode.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/m-6FWlipsynLV-ZCmqDjaRgykFI>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-email-tls-certs-03.txt
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2015 16:02:31 -0000
On Wed, Jun 17, 2015 at 11:53:02AM +0100, Alexey Melnikov wrote: > > Filename : draft-ietf-uta-email-tls-certs-03.txt > > I believe this version addresses WGLC comments. Let me know if I've missed > anything. Sorry, I've been away from the UTA list for a while, too few cycles to keep up with everything. So while I did not raise this during WG LC (which may be over), I am concerned about the first example in Section 6, namely: Consider an IMAP-accessible email server which supports both IMAP and IMAPS (IMAP-over-TLS) at the host "mail.example.net" servicing email addresses of the form "user@example.net" and discoverable via DNS SRV lookups in domain "example.net" (DNS SRV records "_imap._tcp.example.net" and "_imaps._tcp.example.net"). A certificate for this service needs to include SRV-IDs of "_imap.example.net" (when STARTTLS is used on the IMAP port) and "_imaps.example.net" (when TLS is used on IMAPS port). See [RFC6186] for more details. (Note that unlike DNS SRV there is no "_tcp" component in SRV-IDs) along with DNS-IDs of "example.net" and "mail.example.net". It might also include CN-IDs of "mail.example.net" for backward compatibility with deployed infrastructure. The concern is that when this service is "discovered" via ordinary DNS (i.e. no DNSSEC) the server name is not obtained securely, and and any use of TLS authentication based on an insecurely obtained reference identifier is "too late" to protect the user against MiTM attacks. This is not discussed in sufficient detail. In my view the "Security Considerations" section (6 coincidentally) of RFC6186 places an unreasonable burden on the user to make subtle security decisions: A malicious attacker with access to the DNS server data, or able to get spoofed answers cached in a recursive resolver, can potentially cause MUAs to connect to any IMAP, POP3, or submission server chosen by the attacker. In the absence of a secure DNS option, MUAs SHOULD check that the target FQDN returned in the SRV record matches the original service domain that was queried. If the target FQDN is not in the queried domain, MUAs SHOULD verify with the user that the SRV target FQDN is suitable for use before executing any connections to the host. Alternatively, if TLS [RFC5246] is being used for the email service, MUAs MUST use the procedure outlined in Section 6 of [RFC6125] to verify the service. In the "SMTP security via opportunistic DANE TLS" draft, in section 7 https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-7 I note that when SRV records are used to locate submission services, similar conclusions to those reached in the MTA-to-MTA documention ought to apply and DANE may well be the right security model once one trusts DNS to handle service indirection: We note that the SMTP protocol is also used between Message User Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409]. In [RFC6186] a protocol is specified that enables an MUA to dynamically locate the MSA based on the user's email address. SMTP connection security considerations for MUAs implementing [RFC6186] are largely analogous to connection security requirements for MTAs, and this specification could be applied largely verbatim with DNS MX records replaced by corresponding DNS Service (SRV) records [I-D.ietf-dane-srv]. However, until MUAs begin to adopt the dynamic configuration mechanisms of [RFC6186] they are adequately served by more traditional static TLS security policies. Specification of DANE TLS for Message User Agent (MUA) to Message Submission Agent (MSA) SMTP is left to future documents that focus specifically on SMTP security between MUAs and MSAs. So now that you're specifically advocating support for RFC6186 and DNS based dynamic configuration/redirection, perhaps it is time to flesh out the discussion with a more complete security model (i.e. DANE). At the very least, more text is needed to explain that just forging ahead and trusting insecure SRV records is problematic, but once DNSSEC *is* trusted, then there no downside to "in for a penny for a pound" and using DANE keying also, and I believe there are real advantages to doing so. -- Viktor.
- [Uta] I-D Action: draft-ietf-uta-email-tls-certs-… internet-drafts
- Re: [Uta] I-D Action: draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] I-D Action: draft-ietf-uta-email-tls-ce… Viktor Dukhovni
- Re: [Uta] I-D Action: draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] I-D Action: draft-ietf-uta-email-tls-ce… Leif Johansson