Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
Dave Cridland <dave@cridland.net> Wed, 11 April 2018 23:17 UTC
Return-Path: <dave@cridland.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8522612D7F2 for <uta@ietfa.amsl.com>; Wed, 11 Apr 2018 16:17:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xSEsrZCfqKqK for <uta@ietfa.amsl.com>; Wed, 11 Apr 2018 16:17:46 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF2B712D7F1 for <uta@ietf.org>; Wed, 11 Apr 2018 16:17:45 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id p142-v6so4991134lfd.6 for <uta@ietf.org>; Wed, 11 Apr 2018 16:17:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WYqe5Om+27lAuLj2k5UOIcBkm7QuzTscgNiKTWSaNpk=; b=Azlmt836pKn7PN37HKsk8KaZu/XG781NOUfkElFC2Y+WgFleNyVzDLOgDoKFbG7e37 3ehCHtW0/sqVDqRwjkSVNGGh9CH12Ka69fuwhjlE5gN87G22ZcdkUqerzC947HHKIMy8 AnN6FU2a6bOFiUsNiDMIPMKR/QJHyd4pIU/20=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WYqe5Om+27lAuLj2k5UOIcBkm7QuzTscgNiKTWSaNpk=; b=HY3OHpMKB2elmkiK+/kR9JDSnMA+rBSuZ8KjtRnBP7upSM6tTRGXCq8NbaaPT7KYs1 +RwFM/kaDkJ2J5TglM3zHKhomfhtVrHl1ic+OWUA+q8S/mg9e1KkbgP9IlXcdGSjEfDK FMaqoFgJiXKCOHaPMr6pKN5w1BCedCvmW92F5uLtAj6LGMhqJ55adMNjsYjesdanOiP5 mGxNYa8opSAiBBhCm6peL9y14JFa93sq2nlqSyK4U2tuOLoX9eptIGRFiFmbnoY5eN4d iw2/89FtDBOq7vK76OL8lEm/QDj1shHeWVkVEE8PJjeDJnI+LJ7OoWXcmhf2vUWUbst0 qpFg==
X-Gm-Message-State: ALQs6tB2knGw1DtdU6d8lae6ebbeUmRXAWEhzs3qfvhBjKkAFqEiuqhY W8LOOY5VoihmlmympXV+6DWclNtvj4qdm5p8oH8X+A==
X-Google-Smtp-Source: AIpwx49RNfjnbjYcYKrcUeGzJmF7SZZJBWTIUprogN5bKRLdrlwRMbmZZ+lthn/bg1f3p/x0/4CcXsaFJJTCPHcDOS4=
X-Received: by 2002:a19:e418:: with SMTP id b24-v6mr3797819lfh.61.1523488664088; Wed, 11 Apr 2018 16:17:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.179.71.202 with HTTP; Wed, 11 Apr 2018 16:17:43 -0700 (PDT)
In-Reply-To: <01QR7KDO3D96000051@mauve.mrochek.com>
References: <CAKHUCzwes5vHjBSDqYXkvGRCGPeSPnqNgsJ2J_tDzF2FG+RuMg@mail.gmail.com> <01QR7KDO3D96000051@mauve.mrochek.com>
From: Dave Cridland <dave@cridland.net>
Date: Thu, 12 Apr 2018 00:17:43 +0100
Message-ID: <CAKHUCzzLWNQqPbgh7iGraJqviFuSP_A4i2-qKKfNS5fypKbZzQ@mail.gmail.com>
To: Ned Freed <ned.freed@mrochek.com>
Cc: "ietf@ietf.org Discussion" <ietf@ietf.org>, uta@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a48b1d05699ad83f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/wNx_91MiTkH9o_mKujVd4bwjoK0>
Subject: Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 23:17:50 -0000
On 11 April 2018 at 16:40, Ned Freed <ned.freed@mrochek.com> wrote: > > > However, it surprises me that the MTA-STS draft does not appear to note > > this prior art at all, and this makes me wonder whether it was even on > the > > radar. > > The relevance of POSH was discussed as recently as March on the UTA list. > I believe it has come up in previously discussions as well. > Good to know it's come up at least. > > > Importantly, POSH was never deployed very heavily - I can find only one > > deployment (and "most users opt to just give us the cert"). This was in > > part because of Google's withdrawal from standards-based IM, which > > liberated the community from having to support a use-case only Google > > really felt important, and also the rise of free CAs, which avoided the > > cost issue associated with traditional PKIX. > > The situation here is very different. First, Google is one of the players > behind this proposal and their withdrawl from standards-based email > seems... > unlikely. As far as SMTP is concerned, at least, I'd agree. > Second, the primary problem MTA-STS solves - added security against > active attacks on existing email infrastructure - is quite different than > the > XMPP situation. > > I'm not entirely sure that statement is accurate. The exact same list of requirements is what drove POSH in my memory - an inability to authenticate the certificates used in many cases and a (perceived) unwillingness to share private keys, alongside a difficulty in certificate management when hosting many domains. Yes, XMPP has the advantage of less cruft and a simpler deployment model, but I think that's largely irrelevant. > > 2) HTTPS Call-out > > > Given the policy is essentially trust-on-first-use, it's not clear to me > > why much of the STS policy cannot be transferred within SMTP itself, > > perhaps in response to the EHLO issued after STARTTLS completes. This is > > good enough for HTTPS's STS variant, and feels intuitively simpler for > MTAs > > to implement. > > I'm afraid you have this exactly backwards. Even if the SMTP server > approach > provided comparable security - and it doesn't - deploying a new SMTP > extension > is quite difficult; we have an abundance of fully worked examples > demonstrating > this point. Whereas throwing up an A record, certificate, and server that > serves out a single document is trivially easy. These days I don't rank as > an > experienced IT person, and I was able to do it for a test domain in about > 20 > minutes. > > I entirely agree that hosting a single document under HTTPS is trivial. > This is not to say that there aren't issues implementing MTA-STS. There are > significant issues, but they are all on the client side. Adding an HTTP > client > to your SMTP client significantly increases attack surface, so much so > that I'm > not willing to do it, and other folks have said they aren't willing to > either. > > The approach I'm using is to build an MTA-STS query server with integrated > caching support. I have one mostly coded, and while I haven't worked > through > all the caching and timeout issues yet, I have not found any significant > implementation obstacles. > > This workload is what I consider to be the antithesis of "intuitively simpler". > > 3) DNSSEC or not? > > > The MTA-STS problem is reasonably well-defined in the document - SMTP > > servers often do host numerous domains, and unfortunately operating one's > > own server has become a rarity, so domains are concentrated on a few > > servers. STARTTLS is, as the abstract notes, theoretically susceptible > to a > > downgrade attack - but this does require either active MITM or some > fairly > > tight hoops to jump through to actually exploit. > > > The draft then goes on to compare the solution to DANE, and notes that > > DNSSEC is not required with MTA-STS - "at a cost of risking malicious > > downgrade attacks". These would be performed by DNS spoofing, which has a > > known history of occurring. In any case, what is distinctly unclear to me > > is whether MTA-STS without DNSSEC is materially different from RFC 7672 > > without DNSSEC; if unsecured DNS is "good enough" for MTA-STS, my > immediate > > question is whether it might therefore be good enough for at least some > > cases of DANE. > > I haven't implemented the SMTP client integration part of this yet so I > may be > speaking out of turn, but I've mapped it out and it appears to be > reasonably > straightforward. > > I've also looked at implementing DANE, and IMO it's a major PITA to > implement, > so much so that it would take substantial customer interest to make me do > it - > interest that has not materialized. > > For what it's worth, I implemented DANE in XMPP, including securely deriving reference identifiers - making it slightly more complex than RFC 7672 in the end due to XMPP authenticating both ends of an S2S stream - in a couple of days. I didn't find it even a minor PITA to implement. > And that's without even considering the difficulty of getting people to > deploy > funky DNS records. Like it or not, these days throwing up a single-purpose > HTTPS server is dead easy. And keep in mind that someone using a hosted > email > solution need only deploy a single CNAME record pointing at the hosted > solution's MTA-STS server. That's about as simple as it gets. > > > I'd note that in RFC 7672, the presence of a (DNSSEC-secure) TLSA record > is > > sufficient to mandate TLS - hence my question is whether an insecure TLSA > > record stipulating a particular trust anchor and/or valid certificate > > (PKIX-TA and PKIX-EE) might be sufficient to meet the same security > > requirements here. > > Frankly, I don't care if it does or not. DANE is currently a nonstarter in > my > book, whereas while I dislike various aspects of this proposal, the > reality is > it's far easier to implement. > > Well, we agree it's simpler on the receiving side at least, but that's only because SMTP doesn't try authenticating the sending MTA. > > 4) Wildcard on Wildcard Action. > > > It is deeply unfortunate that MTA-STS mandates a name match based on > > dNSName SANs only. I would have thought that emulating an SRV, and > matching > > a corresponding sRVName, would be more useful - and overall, the idea > that > > a new matching algorithm has been included so as to match an "mx pattern" > > to a dNSName wildcard just feels like an exploit waiting to happen. It > > would feel considerably safer to do one of: > > Please explain how it would be more useful. > > > a) Make matches operate the same way as DANE, by being based on hashes of > > SubjectPublicKeyInfo and/or the complete certificate. (Similar to POSH's > > approach of a certificate hash). > > That drags in some (but not all) of the implementation isssues with DANE. I > probably would not have bothered to implement MTA-STS had this been part > of it. > > I suspect it's a lot easier than it sounds, actually. Otherwise I doubt I could do it. > > b) Make matches operate the same way as RFC 6125 (unreferenced, I note). > > Not sure what you mean about references: Section 3.2, fourth bullet point, > section 3.3, second paragraph. section 4.1, first paragraph. > > My error. I somehow missed that one. > > c) Both/either of the above. > > > I assume the logic behind allowing a wildcard-to-wildcard match is to > allow > > a Google user to simply specify ".googlemail.com" and ".l.google.com" as > > their MX identity patterns; however it feels as though Google could > simply > > use a known name within the certificate for all their receiving MTAs, > > irrespective of the DNS records involved. This, of course, presupposes > that > > the administrator of the mail domain somehow does not know the precise > > names of the MTAs used in their own DNS records. > > > I further assume the logic in mandating matches against dNSName SANs is > > because these are readily available; however sRVName SANs, by restricting > > their use to a particular service, have the advantage that customers > giving > > these to their service provider might be deemed more acceptable. > > A comparable effect can be achieved by using a subdomain root reserved for > email server use. > > So it's a choice between an easily implemented naming convention and a > bunch > of PKIX esoterica. This does not strike me as a difficult choice. > > Well, being *able* to use sRVName would be nice at least. The specification as written prevents it, which seems unfortunate. Being able to use dNSName is a given, of course. For one thing, it already has support directly in OpenSSL's API - unless you're matching one wildcard against another of course, when you have to do it yourself. > > 5) Terminology and Nomenclature. > > > It is well-known that naming things remains the hardest problem in > > technology. > > > However, this draft appears to have taken bold strides in demonstrating > > that coming up with new names for things needn't be so challenging. > > > Take §7.1, for example, which dictates that the SNI extension MUST > contain > > the "MX hostname" - this latter term does not appear anywhere else in the > > document. I'm going to guess that it means the RHS of the MX record, as > > defined in RFC 7672 (and informative reference), which is the same as RFC > > 7672. "MX host", which appears once in RFC 5321, also appears elsewhere > in > > this draft, including in §1.1, where it is in this definition: > > I missed the "MX hostname" thing and agree it should be fixed. I also agree > that "MX host" is misleading and should be replaced, but I could not come > up with a useful replacement and so didn't suggest making that change in > my review. > > > o MTA-STS Policy: A commitment by the Policy Domain to support PKIX > > [RFC5280] authenticated TLS for the specified MX hosts. > > > Impressively, by my reading, the commitment is for the Policy Domain to > > support PKIX for all SMTP; and not just for specified hosts. > > Of course that's the commitment. How could it be otherwise? > Then that needs rephrasing, because I didn't see any "Of course" about it. A commitment by the Policy Domain to support PKIX [RFC 5280] authenticated TLS, using reference identifiers as listed. (I'm trying to guess what was meant by "for the specified MX hosts".) > > > Using more common - and more uniform - terminology would be of huge > > benefit: "Sending MTA", "Receiving MTA", and so on are well-known terms. > > Except those terms don't match up with anything that needs naming here > AFAICT. > > "Sending MTA" is used a fair amount (15 times). But they're sending to a "receiving MX" (4.1), or a "SMTP server" (curiously, some "SMTP servers" are sending email, though). > > If > > a new term is needed, please do define it. If you mean to use terms from > > other RFCs, these need to be Normative References and noted in the > > Terminology section. > > > 6) Reference Identifiers and derivation. > > > RFC 6125 provides a slew of terminology and best practise - from the same > > UTA working group, as I recall. RFC 7672 also provides terminology and > much > > behaviour. > > > It feels as though this draft should at least attempt to use the same > > terminology, and ideally the same behaviour, as RFC 7672 (and RFC 6125). > > > This is particularly noticeable in the difference between the reference > > identifiers used within RFC 7672 (and used within the SNI discussed > there) > > compared with this draft, see for example this draft's §7.1, compared > with > > RFC 7672 §8.1 > > I haven't gone through the sections on SNI yet so I'm not going to > comment on this. > The main difference (from memory now) is that RFC 7672 uses a "TLSA base name", which is either the "MX hostname" before or after following CNAMEs. Dave.
- [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> … The IESG
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- [Uta] Digression on DANE for MTAs implementation … Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Daniel Margolis