Extensions to ACME for (TLS, S/MIME)

Similar documents
Internet Engineering Task Force (IETF) Request for Comments: 7817 Updates: 2595, 3207, 3501, 5804 March 2016 Category: Standards Track ISSN:

Session initiation protocol & TLS

Intended status: Informational October 27, 2014 Expires: April 30, 2015

Firmware Updates for Internet of Things Devices

DANE Best Current Practice

Security by Any Other Name:

SMTP Extension for Alternate Recipient Delivery Option (draft-melnikov-smtp-altrecip-on-error-00.txt)

October 4, 2000 Expires in six months. SMTP Service Extension for Secure SMTP over TLS. Status of this Memo

Request for Comments: 7912 Category: Informational June 2016 ISSN:

DANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014!

SA46T-AT SA46T Address Translator draft-matsuhira-sa46t-at-01.txt

WHITEPAPER Rewrite Services. Power365 Integration Pro

CLOUD STRIFE. Mitigating the Security Risks of Domain-Validated Certificates

Ondřej Caletka. November 2015

Internet Engineering Task Force (IETF) Request for Comments: ISSN: October 2012

Encrypted SNI IETF 102

Securing, Protecting, and Managing the Flow of Corporate Communications

April 24, 1998 Expires in six months. SMTP Service Extension for Secure SMTP over TLS. Status of this memo

RTCWEB Working Group. Media Security: A chat about RTP, SRTP, Security Descriptions, DTLS-SRTP, EKT, the past and the future

DRAFT REVISIONS BR DOMAIN VALIDATION

To Setup your Business id in MacOS X El Capitan Mail (POP) To find MacOS version please visit: Apple Support macos version

CS 356 Internet Security Protocols. Fall 2013

Key Management and Distribution

A Federal Agency Guide to Complying with Binding Operational Directive (BOD) 18-01

Technical Overview. Version March 2018 Author: Vittorio Bertola

Intended Category: Standards Track Expires March 2006 September 2005

Instructions Microsoft Outlook 2003 Page 1

Overview! Automated Certificate Management (ACME) Protocol! IP-NNI Task Force! Mary Barnes - iconectiv!

CIT 470: Advanced Network and System Administration. Topics. Mail Policies.

How to get a trustworthy DNS Privacy enabling recursive resolver

stir-certs-02 IETF 93 (Prague) STIR WG Jon

Instructions Microsoft Outlook 2007 Page 1

Developing DNS-over-HTTPS clients and servers

IHE Change Proposal. Tracking information: Change Proposal Status: Date of last update: Sep 13, 2018 Charles Parisot, Vassil Peytchev, John Moehrke

Internet Engineering Task Force. Intended status: Standards Track November 20, 2018 Expires: May 24, 2019

Owner of the content within this article is Written by Marc Grote

Who s Marcus? mail() 2008 Marcus Bointon

Distributed Systems 26. Mobile Ad Hoc Mesh Networks

is still the most used Internet app. According to some studies around 85% of Internet users still use for communication.

Based on material produced by among others: Sanjay Pol, Ashok Ramaswami, Jim Fenton and Eric Allman

Internet Engineering Task Force (IETF) Request for Comments: 8336 Category: Standards Track. March 2018

Services: Monitoring and Logging. 9/16/2018 IST346: Info Tech Management & Administration 1

Request for Comments: 5178 Category: Standards Track Isode Ltd. May 2008

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

Internet Engineering Task Force. Intended status: Standards Track January 22, 2019 Expires: July 26, 2019

Instructions Microsoft Outlook 2010 Page 1

Introduction to the DANE Protocol And Updates From IETF 88

Mail Assure. Quick Start Guide

Network Working Group Internet Draft: SMTP Authentication Document: draft-myers-smtp-auth-00.txt April SMTP Service Extension for Authentication

Brand Indicators for Message Identification

DKIM Implementation How

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

Instructions Microsoft Outlook 2013 Page 1

DKIM Base Issue Review IETF 66 Montréal. Eric Allman

Instructions Eudora OSE Page 1

Validation & Verification Unlocking the Mystery

DNS security extensions

Settings. IP Settings. Set Up Ethernet Settings. Procedure

Let s Encrypt and DANE

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

draft-ietf-smime-cert-06.txt December 14, 1998 Expires in six months S/MIME Version 3 Certificate Handling Status of this memo

TLS in the wild. An Internet-wide analysis of TLS-based protocols for electronic communication. Ralph Holz

Public-key Infrastructure

SECURE HOME GATEWAY PROJECT

BetterCrypto org Applied Crypto Hardening

The IETF. or Where do all those RFCs come from, anyway? Steven M. Bellovin

Transport Layer Security

Lotus Protector Interop Guide. Mail Encryption Mail Security Version 1.4

COMS3200/7201 Computer Networks 1 (Version 1.0)

Web Security Model and Applications

Internet Engineering Task Force. Intended status: Standards Track February 13, 2017 Expires: August 17, 2017

Network Working Group. Category: Standards Track December 2005

Nigori: Storing Secrets in the Cloud. Ben Laurie

Intended Category: Standards Track Expires July 2006 January 2006

DNS LLQ. IETF 91 Honolulu Tom Pusateri. Updated: 11/12/14 1

MDaemon Vs. Zimbra Network Edition Professional

Request for Comments: 5437 Category: Standards Track Isode Limited January 2009

Teach Me How: B2B Deliverability in a B2C World

MODERN WEB APPLICATION DEFENSES

Security and Privacy

MDaemon Vs. Kerio Connect

Pervasive Monitoring. June /16

CRISP: Common Registry Information Service Protocol. Leslie Daigle ARIN XI Apr. 2003

Mail Assure Quick Start Guide

Request for Comments: 5429 Obsoletes: 3028 March 2009 Updates: 5228 Category: Standards Track

MDaemon Vs. IceWarp Unified Communications Server

Experiences in Setting Up Automatic Home Networking. Jari Arkko Ericsson Research

Interoperability Challenge of Certified Communication Systems via Internet

SETUP FOR OUTLOOK (Updated October, 2018)

PROTECTION. ENCRYPTION. LARGE FILES.

Network Working Group Internet Draft: Using TLS with IMAP4, POP3 and ACAP Document: draft-newman-tls-imappop-06.txt January 1999

EAI Status & Testbed ( Address Internationalization)

Adding a POP/IMAP

Best Practices. Kevin Chege

MDaemon Vs. MailEnable Enterprise Premium

Nokia E61i support

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Deploying OAuth with Cisco Collaboration Solution Release 12.0

Application Firewalls

MDaemon Vs. MailEnable Enterprise Premium

Transcription:

Extensions to ACME for email (TLS, S/MIME) draft-ietf-acme-email-tls-02 draft-ietf-acme-email-smime-01 Alexey Melnikov, Isode Ltd 1

Changes in draft-ietf-acme-emailtls-02 since Prague Removed TLS SNI challenge, the other 2 (DNS and SMTP/IMAP capabilities) remain Added a reference to RFC 7817, which defines what email clients are looking for/cas should include in email certificates for TLS server identity verification to work The port JWS header parameter is now not required ( service still is) Fixed some typos, added missing references. Expanded the list of open issues. 2

Open issues in draft-ietf-acmeemail-tls-02 Should service (e.g. smtp, imaps ) and port values be included in ACME challenge hashes? I think yes. Might need some help from ACME specialists. Should the same ACME certificate be allowed to cover both TLS and non TLS ports? Probably not, as a single challenge can only include 1 service name and service names for the 2 are different (e.g. imap for port 143 and imaps for port 993). Support LMTP (RFC 2033) Probably yes, but need to register lmtp as a service name first. 3

Next step Have at least a couple of reviews? (Richard?) Anybody interested in implementing? 4

Changes in draft-ietf-acme-emailsmime-01 since Prague Added support for RFC 6531 (internationalized email addresses) LAMPS WG is updating X.509 certificates and we need a new identifier type anyway Clarified that both challenge and responses emails are in plain/text This provides highest degree of interoperability in email world and is also friendly to use of external tools and use of cut & paste for ACME challenges 5

Open issues in draft-ietf-acmeemail-smime-01 No fancy text/html or multipart/alternative for challenge and response messages? Probably not text/html. Multipart/alternative is more reasonable (clients can display nice HTML if capable), but adds implementation complexity The document assumes that we need to prove ability to send messages as an email address, not just read email. 6

Background slides 7

Email services running over TLS Goal: being able to get a certificate for SMTP submission, IMAP, etc servers According to RFC 7817, such certificates either contain dnsname or srvname in certificate s subjectaltname srvname is nice, because it can limit protocols a certificate can apply to. Requirement: avoid the need to run an HTTP server on the same hostname in order to get an ACME certificate One can just use base ACME protocol to get a certificate with dnsname and reuse it for email. But key usage in the certificate can be wrong. 8

Email services running over TLS - proposals Options 1: Extend DNS verifier to specify protocol and possibly port number E.g. _993._imaps._acmechallenge.example.com Pros: sysadmins running email services usually have DNS control over the corresponding domain (e.g. to set MX, SRV, DKIM and DMARC TXT records) Cons: in some domains people controlling DNS and people controlling email services are different groups of people 9

Email services running over TLS - proposals Option 2: Define extensions to SMTP/IMAP to advertise proof of control over the corresponding SMTP/IMAP service Pros: no need to change/add DNS records Cons: either need to restart SMTP/IMAP service to publish proof of control over domain or might need to redesign the server to be able to publish such proof without restarting 10

S/MIME Goal: be able to get a certificate associated with an email address, which is suitable for S/MIME signing and/or encrypting Need a new Identifier Type (email address) and email specific challenge type Need some kind of proof of control over the email address: so some kind of challenge (email message sent to the email address) and response (reply email using a more or less standard email client), similar to what happens when subscribing to a mailing list? If an attacker can control DNS, it can reroute email. Assuming that an email owner doesn t control DNS seem to be acceptable risk. Is being able to just read email a sufficient proof of control? 11

Thank You Comments? Questions? Offers to help out with this work? Hackathon? Talk to me offline or email me at alexey.melnikov@isode.com 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback