IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Wed, 13 March 2019 03:01 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B15AF12797A for <uta@ietfa.amsl.com>; Tue, 12 Mar 2019 20:01:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sqvHUc03hbc3 for <uta@ietfa.amsl.com>; Tue, 12 Mar 2019 20:01:18 -0700 (PDT)
Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com [IPv6:2607:f8b0:4864:20::d42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D01BE12705F for <uta@ietf.org>; Tue, 12 Mar 2019 20:01:15 -0700 (PDT)
Received: by mail-io1-xd42.google.com with SMTP id v10so361928iom.8 for <uta@ietf.org>; Tue, 12 Mar 2019 20:01:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=4h8WCwQ1gl4ictw431EWY/nAmXm1PFLP8uiMMF8R27M=; b=bBzI03xFVSde9HceaChMTIQvb5FgVysNEZv1XTzlMBsVlTPOlENfcwM9NnrmTyf9zl HCJDIM7nsOJBIFNY85kMYQ9awMffcBvQ3gMaP21HlIzK7w+rTi4NghqvV/wCMLtjF82B IAkjsReALsq9uUUXt+V8WRAzt7ejh/WhpzfySWWTRjiMntMIcyQ6QLiVZDGCNtzgGI/X 3XzHJ/3trg8e57JKrqSecHl6YN7PyGv4QwAn29rjcV7WGIBeD3KQdfFa4iQlmOj0mawa jvuWhQpz1xCQHPM8BfPbeTzWaJM/qSeQUp0gu/fFLEFXTlmDjuWo+XISQtHVHisTWuTi gHYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=4h8WCwQ1gl4ictw431EWY/nAmXm1PFLP8uiMMF8R27M=; b=dt0/JCLZFssXJsIJc6SxWL0O8yL42XK1EQtvYKgGs4EBKYirU+X6h7z3GkjEctOxE4 9C+or8kPyULBvoGKwkhtsYI9U+A1D8cAxydaejR8sv5M/LFueq0SMpUtkgrlzMtcKTCj hHFTfCLcmF17+IhFR56W23RYwqRb1jGHcVrr27IybO0cz+hhw5qwJPb8aq6K+VYRbI4/ sKGi3lcdg1zEGzqQlrPo7nXxIRmmZQZzxrPua6s0Cwddzk4ZVgyYC/9TfCKXcZvNZQU7 ETof8Z4olJY5QEKnfa6BsSznDhTEPTO6jqggQMXG09n8iN1MpZ4BRXtzODeM5tp4LD/O Cttg==
X-Gm-Message-State: APjAAAV2M0HIX9eSRFIQb5eWb4T79Jesz9f/6kwPeYr6qTKeeBUFd3Sm IBCTRt4kgGIfKRZnLuNO83uuLjwOBrzC8gWQxiqbQw==
X-Google-Smtp-Source: APXvYqw7ncrguXc26ZJvVG700nAhow3LYj67XS5pO8yvfgN9BS+zVRQX0rczca2vJu28Vw0O9e3VldrlaOknbO4djTw=
X-Received: by 2002:a6b:4a19:: with SMTP id w25mr20940753iob.223.1552446075124; Tue, 12 Mar 2019 20:01:15 -0700 (PDT)
MIME-Version: 1.0
References: <155076162945.8595.2671476533659571699.idtracker@ietfa.amsl.com> <554356ec-de3a-08ed-a920-0397813895e0@bluepopcorn.net> <CABcZeBPOWVhPTpBt3E8GsqH7LMtG4y04voqTCLS=PG3hZk+NaA@mail.gmail.com> <b79b4b8a-a2b9-8954-83fd-e2789b4cd3c3@bluepopcorn.net> <CABcZeBPG3HHPhwoSNJPJGgLbSSOmSWhw43U+T-tnrVTjgtzmiQ@mail.gmail.com> <20190228183553.GA916@straasha.imrryr.org> <CABcZeBPDLr9MizT3bhJzZWuZtk3S6gWtdkvPL1bOQdOXox4Zuw@mail.gmail.com> <05712735-E4EA-4212-BFC3-3DD58A09DFC9@dukhovni.org>
In-Reply-To: <05712735-E4EA-4212-BFC3-3DD58A09DFC9@dukhovni.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Mar 2019 20:00:35 -0700
Message-ID: <CABcZeBOGgKCrvqu0B4Xm3LHqRJfiA682CGYnoCv7CoQvcXVfzA@mail.gmail.com>
To: IESG <iesg@ietf.org>, uta@ietf.org, draft-ietf-uta-smtp-require-tls@ietf.org, uta-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d7520d0583f104fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/yDbylSlZU37JT1kRB3GpSo5KLRI>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 03:01:20 -0000

On Tue, Mar 12, 2019 at 7:10 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> > On Mar 12, 2019, at 8:01 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > I'm sorry, but I don't see how any of this is meaningfully different
> from the
> > situation with HSTS. In both cases, the receiving system indicates that
> > the sending system ought to use secure transport, and if the sending
> > system conforms to the specification providing that indication, it is
> > required to use secure transport. See:
> > https://tools.ietf.org/html/rfc8461#section-5
>
> The difference is that MTAs with published DANE and MTA-STS policies
> nevertheless in the majority of cases still accept email not only
> from senders who don't do DANE or MTA-STS (and use unauthenticated
> opportunistic STARTLS), but also in cleartext!
>

> Unlike HSTS where the port 80 website typically only serve the HSTS
> policy and a redirect to HTTPS, the MTA's published DANE or MTA-STS
> policy is an offer of support for security delivery to the sender,
> it is NOT a mandate.
>

I'm not sure why this is relevant, given that an active attacker can simply
continue with the HTTP connection and proxy it to HTTPS with the server.
And of course in many cases the sensitive information has already been said.


The normative MUSTs in e.g. the DANE SMTP RFC are there to ensure that
> senders implement DANE correctly *when* they choose to do that, and don't
> do something half-baked leading to a false sense of security.
>

And similarly, clients can choose not to do HSTS, but when they do HSTS,
there are rules for what they do.



> There is no expectation that DANE preëmpts sender policy, and MTAs use
> whatever rules they have for a particular "envelope" to determine the
> relevant security policy.


The plain language I cited, which requires the conformant client to behave a
certain way. If there is some textual evidence to the contrary, please cite
it.
Otherwise, we just have different interpretations of the intent of this
text and I don't see a reason to adopt yours.



> My perspective on the SMTP security landscape is based on 18 years of
> Postfix development and a decade as Postmaster at Morgan Stanley where
> among other activities (email for the Google IPO) I managed mandatory
> TLS peering with many business partners, and saw first hand what it
> takes to deal with all the edge-cases.  Email is different from the Web,
> and experience learned in one doesn't always carry over to the other.
>

Surely you're familiar with the term "argument from authority".

-Ekr


> --
>         Viktor.
>
>

v2.23.0 | Report a Bug | By Email