IETF Logo Mail Archive

Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy removal.

Daniel Margolis <dmargolis@google.com> Wed, 09 August 2017 18:14 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B3B6132474 for <uta@ietfa.amsl.com>; Wed, 9 Aug 2017 11:14:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X4Vb36Gt5RYS for <uta@ietfa.amsl.com>; Wed, 9 Aug 2017 11:14:19 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ABE6132448 for <uta@ietf.org>; Wed, 9 Aug 2017 11:14:19 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id 76so1845485ith.0 for <uta@ietf.org>; Wed, 09 Aug 2017 11:14:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=JYCEKWOOHEnIlIskS8l2dvLnEGqwVjCMhwOsrQ+r0nM=; b=GXXDsaLKZKQB+kFlZxaO3e/U/Z3JCcU0GW8xZdyiJRVFMwMEraELI9Wdj4P5LcboQ7 qJXV6gnCj7n5QfoWpWL/QQHgh288fLTYdkTGbroGBdMMUrEv2eeI9L4+J1v0/byMQUEQ 9dQLLTYeStt0YnOpN/HYqf9gayr7H/6xJYiwEh1icDtftkwM6LsCgCRjI0KNFK1yjw9W vUPSiTHlN8/B6FfkSng1lBSI4ZUY0B10SV7k+7wLqa+84IDJHoZNpgW+FiwJKHH4cb4Y kdiT7kKJnoQHiyl/dYCAy3PKaMxYHGQkSCee80Npf9AITlpbnFYO3PA5pxiS6kk4cIMN oWcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=JYCEKWOOHEnIlIskS8l2dvLnEGqwVjCMhwOsrQ+r0nM=; b=Tio+DtNqJZxMXoIAxWpUJVoByRRrp45kC0d+vgvI8nu3FUSNLd095JvKJLflF7zMIo TaeCAQVBA+Xy6kDEdWWZmIDoOOSKMi2qyvJzeGv38FZePDHdICAIi4vDOUxlbPbXSYnR pq1O+lIQwmMbEJ+tBwi5z97Xi15GOsgNUCsUxlZdMewOA2GqAc8JkcwMq7URSRVqoo3Y qRjIlrSDN/xGKuk83KsK7QSHXwCMLFG5KV7QhUKmNQmt04uhw/W3X+z/Po7iekcDMRK4 UfRhMOB8tzTuQSICksydq2nNePJqWSUVFF5Zgy5XWeyBa8C1ZIdySyXya5moQxovmIbM UdRg==
X-Gm-Message-State: AHYfb5gjoHUDbBYr8MiLcaoH1x3VtQMJvKyHy8NE5mdFx46ff5wA9cKQ E3/mu+KtIciHnmNlRo/c30Z8aEtuICAFRTM=
X-Received: by 10.36.211.201 with SMTP id n192mr8111475itg.96.1502302458170; Wed, 09 Aug 2017 11:14:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.133.159 with HTTP; Wed, 9 Aug 2017 11:14:16 -0700 (PDT)
In-Reply-To: <20170809174827.GQ8146@mournblade.imrryr.org>
References: <149874228049.6468.6647983832951662733@ietfa.amsl.com> <20170807215520.GM8146@mournblade.imrryr.org> <CANtKdUfJs=p-jiZ-QQ6Mk=iKh_2h6=596SYWLJ=mJsf61R0=9g@mail.gmail.com> <20170808143018.m6zqnapcnkiushfq@LK-Perkele-VII> <20170808172002.GN8146@mournblade.imrryr.org> <CANtKdUcmqsRG7aV8poqOCe=qMAk5qAkw2WY3JZqvnf1WVAknUw@mail.gmail.com> <20170808210631.GO8146@mournblade.imrryr.org> <CANtKdUfcn=Z73pxXTov70e2+-0kc9Q6PGTchS=aUhRR0V+RNMw@mail.gmail.com> <9408F973-F6F0-41CD-9A81-82185686E24C@dukhovni.org> <CANtKdUc6PaDyBOcG_LhvezbnZ8JEv=xFf=MosQWSY8dg4MxjLg@mail.gmail.com> <20170809174827.GQ8146@mournblade.imrryr.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Wed, 09 Aug 2017 11:14:16 -0700
Message-ID: <CANtKdUdqHM-bu_Z_GVcCN_Jca9SNNNdBkQKPOOtX_a=zW_EJZA@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a11499ff6655f050556560cc6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/sv1P9yzNh3COgRjFPgw10QUdwP0>
Subject: Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy removal.
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 18:14:22 -0000

On Wed, Aug 9, 2017 at 10:48 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Wed, Aug 09, 2017 at 08:52:48AM -0700, Daniel Margolis wrote:
>
> > The time period during which a domain who opts out of STS must publish
> the
> > "opt out" signal--regardless of how it is expressed--is the same in all
> > possible implementations of any opt-out signal.
>
> Yes, but "report" is NOT an opt-out signal.  It is a policy that
> is subject to further cache refresh.  Please describe how you
> think one correctly phases out a "report" policy without causing
> apparent policy refresh failures at a sending domain?
>

"Report" is not an opt-out signal, but not for the reason you say: a
"report" policy still generates TLSRPT reports on failure, and thus is not
a true opt-out.

It does not, however, result in any change to refresh behavior. Whether a
sender has a cached policy has no impact on their behavior with respect to
refreshes, does it?


> > > When a "none" policy is cached, it is still a policy and still
> > > subject to periodic refresh, perhaps you're suggesting to use
> > > "none" as a synonym for "max_age=0" that still leaves us with
> > > a usable cache time, in which case are free to use NODATA/NXDOMAIN
> > > as that TTL is no longer requires.
> >
> > I'm not entirely sure I understand you. To be clear, my point was that
> > "mode=none" can be an indicator of "don't check anything against this
> > policy." The rest--policy caching--still applies as normal.
>
> No, with "none" the policy refresh can stop (and cache flushed) as
> soon as NXDOMAIN/NODATA is seen for the TXT lookup.  The same is
> not true for "report", to avoid downgrade attacks.
>

That's not true; once a policy expires, it can be flushed from the cache
(as it can no longer safely be used).


> > I don't understand this statement. If you have a cached policy which has
> > expired and there is no TXT record, why would you be refreshing the
> policy
> > at all?
>
> Because the TXT record presence/absense is *insecure* (no DNSSEC
> or else we'd be doing DANE!).  Therefore the TXT record must ONLY
> be used:
>
>     1.  To signal initial policy presence when none is cached.
>     2.  To signal expedited policy refresh when the id changes.
>     3.  [New] To signal policy removal when the policy is "none"
>         and the TXT record "disappears".
>     4.  [New] Conversely to signal policy removal when the policy
>         transitions to "none" and was cached in the absence of a
>         TXT record (still absent).
>

Can you point to what language in the current draft suggests that the
behavior with respect to policy refreshing differs if you have a cached
policy versus if you do not? I am still not understanding what difference
you see here.

Mere removal of the TXT record is *not* sufficient to stop policy
> refresh.  Recall that policy refresh will typically happen
> before the policy is expired (more robust continuity) and must
> not at that time be subject to DNS downgrade.


I believe this is your mistake. While I agree that one should try to
refresh a policy prior to expiration, "refresh a policy" means checking the
TXT record.

Your first sentence ("mere removal of the TXT record...") does not follow
from your second sentence.

There's zero security advantage in ignoring the TXT record and going
straight to HTTPS, since HTTPS also relies upon the (insecure) DNS
resolution. As a result, it makes no real sense to refresh the policy if
the TXT does not say to do it. A sender who implements this will appear to
be compliant with the draft--there's no real harm from doing this, aside
from maybe excessive HTTPS requests--but there's no great reason to do this
unless you think attackers can only attack the TXT record and not the
CNAME/A for the policy host.


> When a policy
> is refreshed.  It will be stored for the advertised max_age
> even if the TXT record is missing.
>
> If a policy just vanishes without a secure signal that it is
> being removed, that looks like an attack, unless you want to
> use 404 as a secure policy removal signal (last I asked that
> was not the case).



> --
>         Viktor.
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>

v2.23.0 | Report a Bug | By Email