Re: [websec] [saag] Pinning

Tony Finch <dot@dotat.at> Mon, 13 August 2012 14:08 UTC

Date: Mon, 13 Aug 2012 15:08:31 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Chris Palmer <palmer@google.com>
In-Reply-To: <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
Message-ID: <alpine.LSU.2.00.1208131503550.16775@hermes-2.csi.cam.ac.uk>
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org> <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
Cc: Chris Evans <cevans@google.com>, websec@ietf.org, paul.hoffman@vpnc.org, saag@ietf.org, Moxie Marlinspike <moxie@thoughtcrime.org>
Subject: Re: [websec] [saag] Pinning

Chris Palmer <palmer@google.com> wrote:
>
> * It's not clear that SMTP over TLS is very beneficial,

It is not beneficial at the moment because it is underspecified - there is
no specification that says which identity to check against the
certificate (mail domain vs. host name), and there are significant
problems with either choice. In practice this has led to most SMTP server
certificates being unvalidatable or containing the wrong name.

See also draft-fanf-dane-smtp for a possible way to sort out this mess.

> because you can't stop delivery due to pin validation failure (or really
> even regular old X.509 failure).

I disagree. You can (and usually have to) stop delivery for DNS failures;
there is no reason why you can't do the same for authentication errors.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Northwest FitzRoy, Sole, Lundy, Fastnet: Southwesterly backing southerly 4 or
5. Moderate, occasionally rough in northwest Fitzroy and west Sole. Rain or
thundery showers. Moderate or good.
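The identity ambiguity Tony describes (mail domain vs. MX host name) is easier to see with the two checks side by side. The following is an added example, not code from the message above or from draft-fanf-dane-smtp; every MX record and certificate name in it is constructed for illustration, and the hosting provider, the attacker host and the "defer on failure" policy are assumptions of the example.

```python
"""Added example (not from Tony Finch's message or draft-fanf-dane-smtp).

An SMTP client that validates a server certificate has two candidate
identities to match it against: the recipient's mail domain (what the
sender typed) or the MX host name (what an unauthenticated DNS lookup
returned). This models both checks over constructed data.
"""
from dataclasses import dataclass

# Constructed MX data. example.org hosts its own mail; example.net has
# outsourced mail to a provider; example.com's MX answer has been replaced
# by an attacker (plain DNS is unauthenticated, so the MX host name is
# whatever the attacker wants it to be).
MX_RECORDS = {
    "example.org": "mail.example.org",
    "example.net": "mx1.mailhost.example",
    "example.com": "mx.attacker.example",
}

# Constructed subjectAltName dNSName lists for the servers the client reaches.
SERVER_CERT_SANS = {
    "mail.example.org": ["mail.example.org", "example.org"],
    "mx1.mailhost.example": ["*.mailhost.example"],
    "mx.attacker.example": ["mx.attacker.example"],  # a perfectly valid cert
}


def san_matches(pattern: str, name: str) -> bool:
    """dNSName match in the RFC 6125 style: case-insensitive, and a single
    leading '*.' wildcard that matches exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        plabels, nlabels = pattern.split(".")[1:], name.split(".")
        return (
            len(nlabels) == len(plabels) + 1
            and nlabels[0] != ""
            and nlabels[1:] == plabels
        )
    return pattern == name


def cert_has_name(sans, name: str) -> bool:
    return any(san_matches(p, name) for p in sans)


@dataclass
class Verdict:
    mail_domain_ok: bool  # cert carries the recipient's mail domain
    mx_host_ok: bool      # cert carries the (unauthenticated) MX host name


def check_identities(mail_domain: str) -> Verdict:
    """Run both candidate identity checks for one recipient domain."""
    mx = MX_RECORDS[mail_domain]
    sans = SERVER_CERT_SANS[mx]
    return Verdict(cert_has_name(sans, mail_domain), cert_has_name(sans, mx))


def delivery_decision(mail_domain: str, policy: str) -> str:
    """Treat an identity-check failure the way a DNS failure is treated:
    defer (queue and retry, eventually bounce) instead of falling back to
    cleartext. 'policy' is 'mail-domain' or 'mx-host'."""
    if mail_domain not in MX_RECORDS:
        return "defer"  # DNS failure: no MX, nothing to connect to
    v = check_identities(mail_domain)
    ok = v.mail_domain_ok if policy == "mail-domain" else v.mx_host_ok
    return "deliver" if ok else "defer"


if __name__ == "__main__":
    for domain in MX_RECORDS:
        print(domain, check_identities(domain))
```

The three domains show the problem with each choice: the mail-domain check fails for example.net, the ordinary outsourced-mail case, because the provider's certificate has no reason to carry every customer's domain; the MX-host check passes for example.com even though the MX answer was forged, because the attacker presents a valid certificate for the host name they chose, so from the client's side example.net and example.com look identical. The draft Tony references takes the DANE route, publishing the expected certificate association in DNSSEC-signed TLSA records for the MX host, so that the MX name and the certificate expectation both arrive authenticated.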