Re: [Uta] Multi-Server Deployments (was: Re: I-D Action: draft-ietf-uta-rfc7525bis-07.txt)

Martin Thomson <mt@lowentropy.net> Thu, 23 June 2022 22:33 UTC

Message-Id: <0a3e5df9-3fdc-491c-9724-ee78b22ebe3a@beta.fastmail.com>
In-Reply-To: <5a0086d2-8979-10aa-a9d5-61c6812f8ff7@stpeter.im>
References: <165360014937.7348.791812490092301727@ietfa.amsl.com> <CC2019E7-BD6A-4F65-A59F-42B9E79468B0@gmail.com> <02b1cdfa-02f2-43cd-8066-fb36f9e30164@beta.fastmail.com> <4295216E-E7A5-4A73-B292-E5E46A88EFCB@gmail.com> <5a0086d2-8979-10aa-a9d5-61c6812f8ff7@stpeter.im>
Date: Fri, 24 Jun 2022 08:33:24 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Peter Saint-Andre <stpeter@stpeter.im>, Yaron Sheffer <yaronf.ietf@gmail.com>, uta@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/pb8z9fhf7rn9xXMMortYKPoi6Ag>
Subject: Re: [Uta] Multi-Server Deployments (was: Re: I-D Action: draft-ietf-uta-rfc7525bis-07.txt)

Hi Peter,

This looks good overall.

Do you need the (e.g., example.com) parentheticals?  They don't seem to add anything.

On Fri, Jun 24, 2022, at 07:03, Peter Saint-Andre wrote:
> 1. Deployments in which multiple services handle the same domain name 
> (e.g., foo.example.org) via different protocols (e.g., HTTP and IMAP). 
> In this case an attacker might be able to direct a connecting endpoint 
> to the service offering a protocol that provides weaker security or that 
> is more easily exploitable (see [ALPACA] for more detailed information 
> about this class of attacks). 

The attack in question isn't so much about weaker security (that's true, but a little abstract), so I might instead say:

> In this case an attacker might be able to direct a connecting endpoint 
> to the service offering a different protocol and mount a cross-protocol
> attack. In a cross-protocol attack, the client and server believe they are 
> using different protocols, which the attacker might exploit if messages
> sent in one protocol are interpreted as messages in the other protocol
> with undesirable effects (see [ALPACA] for more detailed information
> about this class of attacks).

(Sending to everyone this time...)

Cheers,
Martin
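As an added illustration (not part of Martin's message or the draft text), the strict ALPN and SNI check that [ALPACA] recommends as a countermeasure, modelled for the HTTP-plus-IMAP deployment discussed above; the service table, ports and the allow_no_alpn flag are assumptions made for the example.

```python
"""Strict ALPN/SNI policy for a TLS endpoint that fronts several services on
the same name (HTTP and IMAP on foo.example.org).  Constructed example: the
service table, port numbers and the allow_no_alpn flag are assumptions."""

from dataclasses import dataclass


@dataclass
class Service:
    name: str                    # host name the certificate covers
    alpn: frozenset              # ALPN ids this service actually speaks
    allow_no_alpn: bool = False  # accept legacy clients that omit ALPN


# Constructed deployment: two services share one name, split by port.
SERVICES = {
    443: Service("foo.example.org", frozenset({"h2", "http/1.1"}),
                 allow_no_alpn=True),
    993: Service("foo.example.org", frozenset({"imap"})),
}


def decide(port, sni, offered_alpn):
    """Return (accept, selected_alpn_or_reason) for one ClientHello.

    Strict SNI: the requested name must be one this service serves.
    Strict ALPN: if the client offers ALPN, one id must match this service's
    own protocol.  A client that only offers another service's protocol is
    refused, so a connection redirected from HTTP to IMAP (or vice versa)
    is closed at the handshake instead of being parsed as the wrong protocol.
    """
    svc = SERVICES.get(port)
    if svc is None:
        return False, "no service on port"
    if sni is not None and sni != svc.name:
        return False, "sni mismatch"
    if offered_alpn is None:
        # Legacy clients send no ALPN; only services that opt in accept them.
        return (True, None) if svc.allow_no_alpn else (False, "alpn required")
    for proto in offered_alpn:  # client preference order
        if proto in svc.alpn:
            return True, proto
    return False, "alpn mismatch"
```

The second assertion in the test below is the case the draft text describes: a client speaking HTTP that has been steered to the IMAP service is refused rather than served.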