Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
"Chris Newman" <chris.newman@oracle.com> Thu, 26 October 2017 22:45 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FD4813A296; Thu, 26 Oct 2017 15:45:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KCMaYJhJzcfW; Thu, 26 Oct 2017 15:45:07 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 864C6139F44; Thu, 26 Oct 2017 15:45:07 -0700 (PDT)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v9QMj59a002996 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 26 Oct 2017 22:45:05 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v9QMj4he004456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 26 Oct 2017 22:45:04 GMT
Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v9QMj1Rt029425; Thu, 26 Oct 2017 22:45:01 GMT
Received: from [10.0.1.80] (/108.178.137.188) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 26 Oct 2017 15:45:00 -0700
From: Chris Newman <chris.newman@oracle.com>
To: Keith Moore <moore@network-heretics.com>
Cc: Ben Campbell <ben@nostrum.com>, The IESG <iesg@ietf.org>, draft-ietf-uta-email-deep@ietf.org, uta-chairs@ietf.org, leifj@sunet.se, uta@ietf.org
Date: Thu, 26 Oct 2017 15:44:58 -0700
Message-ID: <4C69A185-64DF-4582-85F5-4042AB4011A1@oracle.com>
In-Reply-To: <8777cf4c-499f-71b2-7da6-02f08d208bde@network-heretics.com>
References: <150890043943.4826.1231789714314673059.idtracker@ietfa.amsl.com> <8777cf4c-499f-71b2-7da6-02f08d208bde@network-heretics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.7r5425)
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/n9vs3WvcSMG8tAoZH92Zk4HNnqg>
Subject: Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Oct 2017 22:45:09 -0000
On 25 Oct 2017, at 3:48, Keith Moore wrote:
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> I am balloting YES because I believe it is important to publish this.
>> But there
>> are a few issues I think should be resolved first:
>>
>> Substantive:
>>
>> -2: There are several instances of lower case versions of 2119
>> keywords. If
>> those are intentional, then please use the updated boilerplate from
>> 8174.
>
> fixed in my draft of -10.
>
>> -4.1, last paragraph: "It is RECOMMENDED that new users be required
>> to use TLS
>> version 1.1
>> or greater from the start."
>> Is 1.1 correct? Why not start with 1.2?
>
> TLS 1.1 was a deliberate choice. Reality is that some new users will
> still be using old mail user agents, and there are often other factors
> that impair users' ability to upgrade. If new users were
> _required_ to use TLS 1.2, that would essentially prevent them from
> getting new email service, or maybe force them to spend large amounts
> of money for new hardware and/or software in order to do so. Either
> that or mail service providers might legitimately claim that they had
> good reason to take exception to the RECOMMENDED keyword and the
> paragraph would have no beneficial effect.
>
> It's basically a judgment call - what policy on the part of mail
> service providers results in the best security overall? It appears
> possible to err on the side of either too strict or too loose.
>
> That said, some of the text in this draft is three years old, and
> conditions have changed somewhat in that interval. If 99% of
> deployed user agents implement TLS 1.2, requiring 1.2 for new users
> would probably not bother me. But if the figure were closer to 90%,
> it would bother me. Maybe someone has actual figures, but I
> suspect the actual level of deployment is still well less than 90%.
>
>> -5, bullet starting with: MUAs SHOULD provide a prominent visual
>> indication "
>> This section seems to merit a MUST NOT level requirement about
>> displaying the
>> visual indication without sufficient evidence of confidentiality.
>
> Hmm. I'm probably okay with that in principle. The problem I
> have with it is that the draft (appropriately IMO) gives MUA
> implementors latitude as to what indications to assign to what levels
> of confidentiality. I am not immediately sure how to reconcile
> that decision with a MUST NOT requirement that denies implementors
> that latitude. But I took a stab at it:
>
> <t>MUAs SHOULD provide a prominent indication of the level of
> confidentiality associated with an account configuration that
> is
> appropriate for the user interface (for example, a "lock" icon
> or
> changed background color for a visual interface, or some sort
> of
> audible indication for an audio user interace), at appropriate
> times and/or locations in order to inform the user of the
> confidentiality of the communications associated with that
> account. For example, this might be done whenever (a)
> prompting
> the user for authentication credentials, (b) the user is
> composing
> mail that will be sent to a particular submission server, (c) a
> list of accounts is displayed (particularly if the user can
> select
> from that list to read mail), or (d) the user is requesting to
> view or update any configuration data that will be stored on a
> remote server. If, however, an MUA provides such an
> indication,
> it MUST NOT indicate confidentiality for any connection that
> does
> not at least use TLS 1.1 with certificate verification and also
> meet the minimum confidentiality requirements configured for
> that
> account.</t>
>> -5.4: I'm confused at why certificate pinning is okay for explicitly
>> invalid
>> certificates, when click-through overrides were previously
>> recommended against.
>> It seems like the same level of abuse is likely. (It's one thing to
>> allow a
>> user to set policy for an invalid cert; it's another to prompt them
>> to do so.)
>
> I don't believe the current language allows for click-through
> overrides for invalid certificates - the text explicitly says :
>
> Certificate pinning is only appropriate during mail account
> setup and MUST NOT be offered as an option in response to a
> failed
> certificate validation for an existing mail account.
>
> Offhand, the current compromise seems about right to me - yes, you can
> tell your MUA to use a certificate that is self-signed, expired, or
> has a name that doesn't match the DNS name used during account
> configuration; but the MUA isn't allowed (MUST NOT) to prompt you to
> let you access your account anyway if the certificate is invalid and
> the account wasn't already explicitly configured to permit such
> access.
>
>> -5.5: How would a client determine that a client cert could be safely
>> used with
>> a particular server? (What does "safely" mean in this context?)
> Good point. This is Chris's text so I'm not entirely sure what his
> concern was. My guesses are: (a) there's a privacy risk associated
> with disclosing a client cert with one identity to a server that might
> know the user by a different identity; and (b) if for whatever reason
> the server doesn't like the client cert, it might deny access to the
> mail account even though it would have granted access based on the
> other credentials presented by the user in POP/IMAP/Submission
> authentication. But offhand I don't know how the client could know
> when using the client cert is "safe" other than by having been
> explicitly configured to do so. Even "it has worked in the past"
> might not be good enough because the cert could have expired or been
> revoked, or the server changed its policies, since then.
>
> My inclination is to remove the "client has determined that the
> certificate can be safely used" clause, but I'd like to see what Chris
> suggests here.
Here's an attempt to reword without using the term "safely" which I
agree is not ideal:
... An MUA MUST NOT provide a client certificate during the
TLS handshake unless the server requests one and the MUA has
been authorized to use that client certificate with that account.
Having the end-user explicitly configure a client certificate for
use
with a given account is sufficient to meet this requirement.
However,
installing a client certificate for use with one account MUST NOT
automatically authorize use of that certificate with other accounts.
This is not intended to prohibit site-specific authorization
mechanisms,
such as a site-administrator-controlled mechanism to authorize use
of a
client certificate with a given account, or a domain-name matching
mechanism.
The issue is that some TLS libraries have a general pool of client
certificates visible to the library (Mozilla NSS works this way, and I
happen to like this design). Use of a client certificate with the wrong
server causes both privacy and interoperability problems. There's
presently no standardized mechanism that an TLS client library can use
to identify a particular client certificate as authorized for use with a
given server. On the flip site, requiring explicit end-user
configuration of a client certificate with each account adds to the
already user-hostile experience of client certificates. We really want
to allow more user-friendly mechanisms to authorize use of a client
certificate with a given account, so we need a rule that protects
privacy/interoperability but doesn't prohibit UI innovation. I'm open to
suggestions for better wording.
- Chris
>> Editorial:
>>
>> - Abstract: Please mention the updated RFCs
> is it conventional to do so, given that the Updates: heading should be
> present?
>> -4: "The following practices are recommended "
>> There are some MUSTs in those practices. That makes them required,
>> not merely
>> recommended.
>
> ok
>> -4, first and third bullets: s/ which / that
> ok
>> -4.1, first paragraph: The two "MAYs" seem more like statements of
>> fact.
>
> Uppercase MAY is deliberate. Those statements are intended to
> explicitly give latitude to operators.
>> -5, 3rd bullet: "MUAs MUST NOT consider "
>> s/consider/treat (unless we are talking about humans are AIs :-) )
> ok
>
> Thanks for the careful review.
>
> Keith
- [Uta] Ben Campbell's Yes on draft-ietf-uta-email-… Ben Campbell
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-em… Keith Moore
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-em… Ben Campbell
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-em… Chris Newman
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-em… Ben Campbell