On 7/19/15, 10:57 AM, "Viktor Dukhovni" <[email protected]> wrote:

>On Sun, Jul 19, 2015 at 01:52:53PM +0000, Rose, Scott wrote:
>
>> First, if the _smimecert.<domain> is hosted by a service provider (i.e.
>> not the domain owner), the service provider can see who may be receiving
>> encrypted mail.
>
>Which they'll also learn by just looking at the zone data, if the
>localparts are not hashed in the final spec.

Has there been any recent discussion about using a non-hashed LHS
encoding? I don't think there has, so we probably don't want to bring
that question into scope here.

>I'd be more concerned about passive monitoring, because with
>submission over port 587 with TLS, and forward hops from the MSA
>to the destination also increasingly over TLS, there is often at
>present no cleartext exposure of the envelope recipients.
>
>With SMIMEA, passive monitoring of DNS queries will often reveal
>the correspondent addresses.

Obvious but worth a reminder... passive monitoring isn't a problem
peculiar to the SMIMEA approach; it is an issue for all elements of the
email flow that are not encrypted.

>> and may also learn the source IP address and other potential
>> information.
>
>That'll be less common, there will typically be iterative resolvers
>between the user and the authoritative nameserver.
>
>> Of course, the hosting provider also knows the whole list
>> of (hashed) cert holders in the domain as well. Pervasive monitoring may
>> also discover this (source IP A is looking for a cert for person X in
>> order to send them mail), but qname-minimization may mitigate this to a
>> degree.
>
>Query minimization does not help here, it only hides the data from
>operators of parent domain nameservers. Only encryption of DNS
>traffic (ala DNScurve and at all zone cuts from the root down)
>would help.
>
>> Second, clients looking to validate a digital signature using SMIMEA
>> queries may also be signaling a read receipt. If the original sender
>> knows the recursive servers of the recipient, the sender could get an idea
>> as to when the receiver MUA validated the digital signature by observing
>> SMIMEA queries to their domain. This isn't a showstopper IMHO as recipients
>> with cached digital signature certs may not send queries.
>
>The cache lifetimes should be relatively short (not in excess of
>the DNS TTLs of the TLSA RRs), so whenever there's a hiatus in
>email flow between two correspondents (as opposed to a flurry of
>immediate replies) it is quite likely that new conversations will
>involve new DNS lookups.
>
>> SMIMEA RR queries may leak information about who
>> is planning to send, or has received S/MIME protected email messages. DNS
>> privacy techniques such as qname-minimization may mitigate some of the
>> leakage.
>
>Qname minimization does not help against passive monitoring, unless
>that passive monitoring is (only) in front of the root or
>gTLD/ccTLD nameservers, rather than on path somewhere between author
>and target domain.

I think it is fair to say that QNM does help as it reduces the number of
points at which a passive monitor can see traffic. It is an incremental
improvement.

>-- 
>	Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
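As an added illustration of the point the two sides above are arguing (it is not part of the mailing-list messages), the following Python models which passive vantage points see an SMIMEA query name during one iterative resolution, with and without qname minimization (RFC 7816). It builds the owner name with the hashing rule that the later RFC 8162 adopted (SHA-256 of the local-part, truncated to 28 octets, hex-encoded, under `_smimecert.<domain>`); the 2015 draft discussed in the thread had not yet settled that. The domain, local-part, the four vantage points, and the assumption that `_smimecert` is not a separate zone cut are all constructed for this example.

```python
"""Model what a passive DNS observer learns from an SMIMEA lookup, with and
without qname minimization.  Constructed illustration: the domain, local-part
and vantage-point model are invented for this example."""
import hashlib

# Zone cuts assumed by the model: the root delegates "com", "com" delegates
# "example.com", and _smimecert is an ordinary label inside the target zone
# (no separate zone cut).  Assumption of the example, not of any spec.
VANTAGE_POINTS = ("root-auth", "tld-auth", "target-auth", "on-path-to-target")


def smimea_owner_name(localpart: str, domain: str) -> str:
    """Owner name per the rule later fixed in RFC 8162: SHA-256 of the
    local-part, truncated to 28 octets, hex-encoded (56 chars), under
    _smimecert.<domain>.  The hash is unsalted, so it hides the local-part
    only from observers who cannot guess it."""
    digest = hashlib.sha256(localpart.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain.rstrip('.')}."


def observed_qnames(owner: str, minimize: bool) -> dict[str, str]:
    """Map each vantage point to the QNAME it sees while the resolver walks
    the delegation chain for `owner`.  With minimization the resolver asks
    each parent zone only for the next label down; without it, every server
    and every wire segment sees the full name."""
    labels = owner.rstrip(".").split(".")      # [hash, _smimecert, example, com]
    tld = labels[-1] + "."                     # com.
    target_zone = ".".join(labels[-2:]) + "."  # example.com.
    if minimize:
        return {
            "root-auth": tld,             # root only sees the TLD being asked for
            "tld-auth": target_zone,      # TLD only sees example.com.
            "target-auth": owner,         # the target zone must see the full name
            "on-path-to-target": owner,   # so does a monitor between resolver and target
        }
    return {vp: owner for vp in VANTAGE_POINTS}


def vantage_points_seeing_hash(owner: str, minimize: bool) -> list[str]:
    """Vantage points that learn the hashed local-part, i.e. that someone
    looked up this particular correspondent."""
    hashed_label = owner.split(".")[0]
    return [vp for vp, q in observed_qnames(owner, minimize).items()
            if q.startswith(hashed_label + ".")]


if __name__ == "__main__":
    owner = smimea_owner_name("alice", "example.com")  # constructed address
    for minimize in (False, True):
        print(f"qname minimization={minimize}: "
              f"{vantage_points_seeing_hash(owner, minimize)}")
```

Running it shows both claims side by side: without minimization all four vantage points see the hashed label; with it, the root and TLD operators no longer do, but the target zone's authoritative server and anything on the path to it still see the full name, which is the residual exposure Viktor describes.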
