Re: [Uta] MTA-STS-03 review
Alberto Bertogli <albertito@blitiri.com.ar> Thu, 30 March 2017 10:56 UTC
Return-Path: <albertito@blitiri.com.ar>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 774951294A3 for <uta@ietfa.amsl.com>; Thu, 30 Mar 2017 03:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5rzC-LojPlo for <uta@ietfa.amsl.com>; Thu, 30 Mar 2017 03:55:59 -0700 (PDT)
Received: from blitiri.com.ar (cdt.blitiri.com.ar [IPv6:2001:41d0:401:3100::2c1a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 193EF1293F5 for <uta@ietf.org>; Thu, 30 Mar 2017 03:55:58 -0700 (PDT)
Received: from blitiri.com.ar (authenticated as alb@blitiri.com.ar) by cdt.blitiri.com.ar (chasquid) (over submission TLS-1.2-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) (envelope from "albertito@blitiri.com.ar") ; Thu, 30 Mar 2017 12:55:57 +0200
Date: Thu, 30 Mar 2017 11:55:56 +0100
From: Alberto Bertogli <albertito@blitiri.com.ar>
To: Daniel Margolis <dmargolis@google.com>
Cc: uta@ietf.org
Message-ID: <20170330105556.GR11426@blitiri.com.ar>
References: <4C0807DA-4852-4DAC-80ED-8A25371CFFAA@dukhovni.org> <CANtKdUfOZYSr_SuGHdDHHgrF8J5VjEWwVw_7KC2xS5DrCKhu-w@mail.gmail.com> <20170326205218.GN11426@blitiri.com.ar> <92500952-2A50-4508-8686-03CDBF72485D@dukhovni.org> <CANtKdUfL+RT05KSqj5i4YeoRa=gHywNosou2VPF6acPDpRhG0g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANtKdUfL+RT05KSqj5i4YeoRa=gHywNosou2VPF6acPDpRhG0g@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/oKOABD6GgAYtYL2W_JJlykXZvzA>
Subject: Re: [Uta] MTA-STS-03 review
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 10:56:01 -0000
On Mon, Mar 27, 2017 at 10:55:06PM +0200, Daniel Margolis wrote: > To the matching point, I share the concern about people having to write > their own cert matching code, but I think there are a few arguments for it: > > 1. I believe if we restrict wildcards to the "full" leftmost label (i.e. *. > example.com is valid, but mail*.example.com or mail.*.example.com are not) > and we do the same in the certs (which RFC6125 seems to allow us to > define), wildcard matching is a simple "x ends with y or y ends with x" > comparison, so is in fact trivial to implement. Agreed, but it still carries some hidden complexity. For example, how does this interact with SNI? e.g what name would the client pick to give to the server in the TLS negotiation? > 2. It seems (and I suspect this was part of Viktor's motivation) to match > nicely with https://tools.ietf.org/html/rfc7672#section-3.2.2, which if I > read it correctly leaves the door open to a certificate matching the > nexthop domain rather than the MX hostname; by requiring MX hostname > matches in STS we would break that behavior. Yes, my reading from that reference is that the nexthop domain can be used to match as well. > I think #2 is a pretty compelling point. It is definitely a point, but I'm not sure it's that compelling (sorry Viktor!). There's, AFAIK, no very clear and well defined way to do certificate matching for MTA-to-MTA TLS connections, and this RFC is a chance to fix that. For better or worse, HTTPS is the most widely deployed TLS usage in the world, and has gone through years of all kinds of production exposure. The certificates are validated has been thoroughly reviewed and is well documented and understood. Differring from that, and adding complexity to how SMTP does TLS validation based on a particular section of RFC 7672 which, as far as I know (and please correct me if I'm wrong) is not widely deployed and hasn't got nearly as much production exposure, seems to me to be risky, and is IMHO not worth it. Bringing SMTP certificate validation in line with how HTTPS does it would not only simplify (some) implementations, but make deployments easier, reduce the cognitive load and learning curve for folks running their own servers, and benefit from all the existing analysis and also the future improvements in the area (e.g. certificate revocation, certificate transparency improvements, etc.). Very few existing deployments would be affected, as I don't think many are relying on using [DANE+certificate for the next hop but not the MX name]. Note, in case it's not clear, that I'm not advocating for the removal of the MX list from the policy, but to keep it as in the current draft (i.e. use it as a filter mechanism, and then do TLS validation on the resulting MX name). All this said, I don't want to drag my point along or interfere with the normal flow of things. I much appreciate your thoughtful replies, and if you don't find my arguments convicing, I understand :) Thanks a lot! Alberto PS: As an example of a related RFC that is AFAIK not widely deployed, and which I think most popular deployments violate, is RFC 7817 "Updated TLS Server Identity Check Procedure for Email-Related Protocols". It applies to POP3, IMAP and SMTP submission (excludes MTA-to-MTA), and specifies that servers must have certificates not only for the host name used to access them (e.g. imap.example.net) but also to the top level domain used for email addresses (example.net in this case): https://tools.ietf.org/html/rfc7817#section-6 Neither gmail.com, yahoo.com, live.com or outlook.com imap, pop3 or smtp submission do this (but in fairness, hotmail.com does).
- [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Jeremy Harris
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review David Illsley
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Alberto Bertogli
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Alberto Bertogli
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis