IETF Logo Mail Archive

Re: [Uta] MTA-STS-03 review

Daniel Margolis <dmargolis@google.com> Mon, 03 April 2017 19:00 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BA941294E1 for <uta@ietfa.amsl.com>; Mon, 3 Apr 2017 12:00:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id udtuxWx9bFWQ for <uta@ietfa.amsl.com>; Mon, 3 Apr 2017 12:00:53 -0700 (PDT)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26D78129505 for <uta@ietf.org>; Mon, 3 Apr 2017 12:00:48 -0700 (PDT)
Received: by mail-io0-x230.google.com with SMTP id l7so81685109ioe.3 for <uta@ietf.org>; Mon, 03 Apr 2017 12:00:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cy3JiQnXT4wXvZotWLjGHvFSRqVqrJrSV4j0iFu0cL8=; b=bnJfFHsMzXdAjk8l3/VVqY5We0lexU51Y8bhmXd5zLP/zb7LD6n0JYJEJVz+nwXhKO 8/Ae0ZvNcx3TowGXBIA42TgMMi90GlM/HuALEIAkxsu6dWPQNQitSoe5phpP4Q6iKgb4 72aZPTKGvk9SHzd7GFF0+DLk60K2GpzKmc1MKdJD1Cth2pu26DVsDAAUXa5WChzIqr1j vPdLnHeGPcfkJWyCtG9Uz11lo3GOlaEleR+KCQJvTuSBHG56omaavp3YW4El5DzG059j DAR1CMZFv9XmDHZVQp6pzyXzQOHv1L5uGxJlOujrXgbjIYXeje8ig8X6efebdXwvIeNi 1EYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cy3JiQnXT4wXvZotWLjGHvFSRqVqrJrSV4j0iFu0cL8=; b=S3Auird2nwh6Q6dX50u/+3iGYPDNm6rC6kLdyP8RetFr9ab3OloupAxU68r4Ptflg9 6PPDqosbSHE76KgIJvCg9dim4l2fZHOpKFhvwz6njD2EgPGTcOuBpVsOWeBB3TXKNYeZ HwGm+KE6aoQn0uwG4FWy4JnAmKKslFYD+cZlJcBUg8N+Huf++WhQAdkdtryarwwHa9v9 E41ZmiPwyFZKWSlAtvAVJshBdQVnW9ZCB47Dc2uKg87JjjKGT13oUM6jNDBM1ZLB+nCQ xCPmhRwn1GYIWLwR6NZwpER3W8nyQ/LM5Yj2YTT8QmVqMVDt/RQsNloC+tWKwUwb6ETQ Qevg==
X-Gm-Message-State: AFeK/H2ofXKJ/NRtag73g6A0oUxi6GpzpX231XI+Xytc2kfp4UR0tX4TzariOLfRILYq37w8PsGHyg7xAhUrAZ0E
X-Received: by 10.107.172.134 with SMTP id v128mr19947246ioe.49.1491246046795; Mon, 03 Apr 2017 12:00:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.39.215 with HTTP; Mon, 3 Apr 2017 12:00:45 -0700 (PDT)
In-Reply-To: <20170330105556.GR11426@blitiri.com.ar>
References: <4C0807DA-4852-4DAC-80ED-8A25371CFFAA@dukhovni.org> <CANtKdUfOZYSr_SuGHdDHHgrF8J5VjEWwVw_7KC2xS5DrCKhu-w@mail.gmail.com> <20170326205218.GN11426@blitiri.com.ar> <92500952-2A50-4508-8686-03CDBF72485D@dukhovni.org> <CANtKdUfL+RT05KSqj5i4YeoRa=gHywNosou2VPF6acPDpRhG0g@mail.gmail.com> <20170330105556.GR11426@blitiri.com.ar>
From: Daniel Margolis <dmargolis@google.com>
Date: Mon, 03 Apr 2017 21:00:45 +0200
Message-ID: <CANtKdUeNX+vdx0paGzE4t3KvZJT0qGV+AFcyfwtk5k6gZjHhZg@mail.gmail.com>
To: Alberto Bertogli <albertito@blitiri.com.ar>
Cc: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1148d5d4f1a594054c47c6b2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/tFNBMh-PIbt8PjkxXr-PrcYW8J8>
Subject: Re: [Uta] MTA-STS-03 review
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 19:00:57 -0000

Very fair points. I may be overstating the significance of being able to
use a non-matching certificate (and I don't think it's awful to force
implementors to have a cert that matches their hostname, either; this seems
to me to not be a terribly painful prerequisite).

But I think the cost of doing custom matching is low, too. You're right
that there's some cognitive load in having it match in a non-standard way,
but in fact in practice it will almost always be the same: because most
people will use certs that have a SAN that matches the hostname, writing an
'mx' pattern to match the hostname will inherently match the cert, too! So
for deployers this is not all that easy to get wrong, and for MTA
developers they should just read the pseudocode in the appendix of the RFC,
I think.

What I said at the UTA meeting in person was that we seem to be haggling
over things (this, the JSON-vs-key-value-pair thing) which, while not
insignificant, are somewhat less critical than major architectural or
fundamental questions, which makes me think we should just decide
these--some of them perhaps somewhat arbitrarily--and move ahead.

I don't have strong opinions on either of these points, but the consensus
seemed to be mostly in favor of the SAN approach at UTA.



On Thu, Mar 30, 2017 at 12:55 PM, Alberto Bertogli <albertito@blitiri.com.ar
> wrote:

> On Mon, Mar 27, 2017 at 10:55:06PM +0200, Daniel Margolis wrote:
> > To the matching point, I share the concern about people having to write
> > their own cert matching code, but I think there are a few arguments for
> it:
> >
> > 1. I believe if we restrict wildcards to the "full" leftmost label (i.e.
> *.
> > example.com is valid, but mail*.example.com or mail.*.example.com are
> not)
> > and we do the same in the certs (which RFC6125 seems to allow us to
> > define), wildcard matching is a simple "x ends with y or y ends with x"
> > comparison, so is in fact trivial to implement.
>
> Agreed, but it still carries some hidden complexity.
>
> For example, how does this interact with SNI? e.g what name would the
> client pick to give to the server in the TLS negotiation?
>
>
> > 2. It seems (and I suspect this was part of Viktor's motivation) to match
> > nicely with https://tools.ietf.org/html/rfc7672#section-3.2.2, which if
> I
> > read it correctly leaves the door open to a certificate matching the
> > nexthop domain rather than the MX hostname; by requiring MX hostname
> > matches in STS we would break that behavior.
>
> Yes, my reading from that reference is that the nexthop domain can be
> used to match as well.
>
>
> > I think #2 is a pretty compelling point.
>
> It is definitely a point, but I'm not sure it's that compelling (sorry
> Viktor!).
>
> There's, AFAIK, no very clear and well defined way to do certificate
> matching for MTA-to-MTA TLS connections, and this RFC is a chance to fix
> that.
>
> For better or worse, HTTPS is the most widely deployed TLS usage in the
> world, and has gone through years of all kinds of production exposure.
> The certificates are validated has been thoroughly reviewed and is well
> documented and understood.
>
> Differring from that, and adding complexity to how SMTP does TLS
> validation based on a particular section of RFC 7672 which, as far as I
> know (and please correct me if I'm wrong) is not widely deployed and
> hasn't got nearly as much production exposure, seems to me to be risky,
> and is IMHO not worth it.
>
> Bringing SMTP certificate validation in line with how HTTPS does it
> would not only simplify (some) implementations, but make deployments
> easier, reduce the cognitive load and learning curve for folks running
> their own servers, and benefit from all the existing analysis and also
> the future improvements in the area (e.g. certificate revocation,
> certificate transparency improvements, etc.).
>
> Very few existing deployments would be affected, as I don't think many
> are relying on using [DANE+certificate for the next hop but not the MX
> name].
>
>
> Note, in case it's not clear, that I'm not advocating for the removal of
> the MX list from the policy, but to keep it as in the current draft
> (i.e. use it as a filter mechanism, and then do TLS validation on the
> resulting MX name).
>
> All this said, I don't want to drag my point along or interfere with the
> normal flow of things. I much appreciate your thoughtful replies, and if
> you don't find my arguments convicing, I understand :)
>
> Thanks a lot!
>                 Alberto
>
>
> PS: As an example of a related RFC that is AFAIK not widely deployed,
> and which I think most popular deployments violate, is RFC 7817 "Updated
> TLS Server Identity Check Procedure for Email-Related Protocols".
>
> It applies to POP3, IMAP and SMTP submission (excludes MTA-to-MTA), and
> specifies that servers must have certificates not only for the host name
> used to access them (e.g. imap.example.net) but also to the top level
> domain used for email addresses (example.net in this case):
> https://tools.ietf.org/html/rfc7817#section-6
>
> Neither gmail.com, yahoo.com, live.com or outlook.com imap, pop3 or smtp
> submission do this (but in fairness, hotmail.com does).
>

v2.23.0 | Report a Bug | By Email