IETF Logo Mail Archive

Re: [Uta] I-D Action: draft-ietf-uta-email-tls-certs-03.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 18 June 2015 16:02 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 962781A8756 for <uta@ietfa.amsl.com>; Thu, 18 Jun 2015 09:02:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRPl1DXrXyyA for <uta@ietfa.amsl.com>; Thu, 18 Jun 2015 09:02:29 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76DD51A004A for <uta@ietf.org>; Thu, 18 Jun 2015 09:02:29 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0D5A6282FD0; Thu, 18 Jun 2015 16:02:28 +0000 (UTC)
Date: Thu, 18 Jun 2015 16:02:28 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20150618160227.GY14121@mournblade.imrryr.org>
References: <20150617103908.12052.62338.idtracker@ietfa.amsl.com> <5581518E.9090105@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5581518E.9090105@isode.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/m-6FWlipsynLV-ZCmqDjaRgykFI>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-email-tls-certs-03.txt
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2015 16:02:31 -0000

On Wed, Jun 17, 2015 at 11:53:02AM +0100, Alexey Melnikov wrote:

> >	Filename        : draft-ietf-uta-email-tls-certs-03.txt
>
> I believe this version addresses WGLC comments. Let me know if I've missed
> anything.

Sorry, I've been away from the UTA list for a while, too few cycles
to keep up with everything.

So while I did not raise this during WG LC (which may be over), I am
concerned about the first example in Section 6, namely:

   Consider an IMAP-accessible email server which supports both
   IMAP and IMAPS (IMAP-over-TLS) at the host "mail.example.net"
   servicing email addresses of the form "user@example.net" and
   discoverable via DNS SRV lookups in domain "example.net" (DNS
   SRV records "_imap._tcp.example.net" and "_imaps._tcp.example.net").
   A certificate for this service needs to include SRV-IDs of
   "_imap.example.net" (when STARTTLS is used on the IMAP port)
   and "_imaps.example.net" (when TLS is used on IMAPS port).  See
   [RFC6186] for more details.  (Note that unlike DNS SRV there is
   no "_tcp" component in SRV-IDs) along with DNS-IDs of "example.net"
   and "mail.example.net".  It might also include CN-IDs of
   "mail.example.net" for backward compatibility with deployed
   infrastructure.

The concern is that when this service is "discovered" via ordinary
DNS (i.e. no DNSSEC) the server name is not obtained securely, and
and any use of TLS authentication based on an insecurely obtained
reference identifier is "too late" to protect the user against MiTM
attacks.  This is not discussed in sufficient detail.

In my view the "Security Considerations" section (6 coincidentally)
of RFC6186 places an unreasonable burden on the user to make subtle
security decisions:

   A malicious attacker with access to the DNS server data, or able
   to get spoofed answers cached in a recursive resolver, can
   potentially cause MUAs to connect to any IMAP, POP3, or submission
   server chosen by the attacker.  In the absence of a secure DNS
   option, MUAs SHOULD check that the target FQDN returned in the
   SRV record matches the original service domain that was queried.
   If the target FQDN is not in the queried domain, MUAs SHOULD
   verify with the user that the SRV target FQDN is suitable for
   use before executing any connections to the host.  Alternatively,
   if TLS [RFC5246] is being used for the email service, MUAs MUST
   use the procedure outlined in Section 6 of [RFC6125] to verify
   the service.

In the "SMTP security via opportunistic DANE TLS" draft, in section 7

    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-7

I note that when SRV records are used to locate submission services,
similar conclusions to those reached in the MTA-to-MTA documention
ought to apply and DANE may well be the right security model once
one trusts DNS to handle service indirection:

   We note that the SMTP protocol is also used between Message User
   Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409].  In
   [RFC6186] a protocol is specified that enables an MUA to dynamically
   locate the MSA based on the user's email address.  SMTP connection
   security considerations for MUAs implementing [RFC6186] are largely
   analogous to connection security requirements for MTAs, and this
   specification could be applied largely verbatim with DNS MX records
   replaced by corresponding DNS Service (SRV) records
   [I-D.ietf-dane-srv].

   However, until MUAs begin to adopt the dynamic configuration
   mechanisms of [RFC6186] they are adequately served by more
   traditional static TLS security policies.  Specification of DANE TLS
   for Message User Agent (MUA) to Message Submission Agent (MSA) SMTP
   is left to future documents that focus specifically on SMTP security
   between MUAs and MSAs.

So now that you're specifically advocating support for RFC6186 and
DNS based dynamic configuration/redirection, perhaps it is time to
flesh out the discussion with a more complete security model (i.e.
DANE).

At the very least, more text is needed to explain that just forging
ahead and trusting insecure SRV records is problematic, but once
DNSSEC *is* trusted, then there no downside to "in for a penny for
a pound" and using DANE keying also, and I believe there are real
advantages to doing so.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email