Re: [apps-discuss] WG adoption for draft-martin-authentication-results-tls ?
Franck Martin <franck@peachymango.org> Tue, 11 November 2014 00:03 UTC
Return-Path: <franck@peachymango.org>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC6921AC445 for <apps-discuss@ietfa.amsl.com>; Mon, 10 Nov 2014 16:03:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ToUEFO9hrFNC for <apps-discuss@ietfa.amsl.com>; Mon, 10 Nov 2014 16:03:43 -0800 (PST)
Received: from mx-out-1.zmailcloud.com (01.zmailcloud.com [192.198.85.104]) by ietfa.amsl.com (Postfix) with ESMTP id 448421A6EE9 for <apps-discuss@ietf.org>; Mon, 10 Nov 2014 16:03:41 -0800 (PST)
Received: from smtp.01.com (smtp.01.com [10.10.0.43]) by mx-out-1.zmailcloud.com (Postfix) with ESMTP id 2618D564D24; Mon, 10 Nov 2014 18:03:34 -0600 (CST)
Received: from localhost (localhost [127.0.0.1]) by smtp-out-1.01.com (Postfix) with ESMTP id 156BFA05CE; Mon, 10 Nov 2014 18:03:34 -0600 (CST)
X-Virus-Scanned: amavisd-new at smtp-out-1.01.com
Received: from smtp.01.com ([127.0.0.1]) by localhost (smtp-out-1.01.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m3rLTlpEeBIe; Mon, 10 Nov 2014 18:03:33 -0600 (CST)
Received: from smtp.01.com (localhost [127.0.0.1]) by smtp-out-1.01.com (Postfix) with ESMTP id A39A2A05D6; Mon, 10 Nov 2014 18:03:33 -0600 (CST)
DKIM-Filter: OpenDKIM Filter v2.8.4 smtp-out-1.01.com A39A2A05D6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=peachymango.org; s=61F775A4-4A7F-11E4-A6BB-61E3068E35F6; t=1415664213; bh=t9BN48VwAkhppF7qsSiKh6VG1+ItBOvrIZ4t2tzQUuY=; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type; b=fT29JLCdowoT0N86NhR0LcXmtrDxWqq67CrIU1iwEMery1rGi3YnOGPqwGls2Jj6C bx0Fd6dD8yjaEUmQQXxQS1XtUIrD0ZO2SlupmSmjaZCZLUDmv6wQrT05jWU3PWJNSD iG82++OFhsPHuOMz8XfQJnWS5idSYEwXTE30w2gY=
Received: from localhost (localhost [127.0.0.1]) by smtp-out-1.01.com (Postfix) with ESMTP id 83657A05D1; Mon, 10 Nov 2014 18:03:33 -0600 (CST)
X-Virus-Scanned: amavisd-new at smtp-out-1.01.com
Received: from smtp.01.com ([127.0.0.1]) by localhost (smtp-out-1.01.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id HUu4INSXSnwU; Mon, 10 Nov 2014 18:03:33 -0600 (CST)
Received: from mail-2.01.com (mail.01.com [10.10.0.41]) by smtp-out-1.01.com (Postfix) with ESMTP id 4CA6BA05CE; Mon, 10 Nov 2014 18:03:33 -0600 (CST)
Date: Mon, 10 Nov 2014 18:03:33 -0600
From: Franck Martin <franck@peachymango.org>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Message-ID: <216663621.27915.1415664213150.JavaMail.zimbra@peachymango.org>
In-Reply-To: <WM!9819902a40bec9a7acc0b55037d8fb78dd2ac55b280513ca7b4372ce87961187ac4de72f8a42a8cc76a11e93208e70db!@asav-1.01.com>
References: <44757941.49835.1413922063168.JavaMail.zimbra@peachymango.org> <8C22D80F14C7500B7BEFCAC1@96B2F16665FF96BAE59E9B90> <CAL0qLwaSv4H2VdbBfvYJCgCsb6MX6feGnTP1NjM0PzLmMoO+fQ@mail.gmail.com> <WM!9819902a40bec9a7acc0b55037d8fb78dd2ac55b280513ca7b4372ce87961187ac4de72f8a42a8cc76a11e93208e70db!@asav-1.01.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_27914_1889869319.1415664213150"
X-Originating-IP: [69.28.149.129]
X-Mailer: Zimbra 8.0.5_GA_5839 (ZimbraWebClient - FF33 (Mac)/8.0.5_GA_5839)
Thread-Topic: WG adoption for draft-martin-authentication-results-tls ?
Thread-Index: cENyDh8CYMQxkD07qm6NcwmucxAJPg==
Archived-At: http://mailarchive.ietf.org/arch/msg/apps-discuss/Kel_OgFfpTdir3op3agPRyNTFbs
Cc: IETF Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] WG adoption for draft-martin-authentication-results-tls ?
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss/>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 00:03:49 -0000
----- Original Message ----- > From: "Murray S. Kucherawy" <superuser@gmail.com> > To: "Chris Newman" <chris.newman@oracle.com> > Cc: "Franck Martin" <franck@peachymango.org>, "IETF Apps Discuss" > <apps-discuss@ietf.org> > Sent: Monday, November 10, 2014 2:16:16 PM > Subject: Re: [apps-discuss] WG adoption for > draft-martin-authentication-results-tls ? > On Mon, Nov 10, 2014 at 7:09 AM, Chris Newman < chris.newman@oracle.com > > wrote: > > My view of this draft is it adds a lot of clutter to the wrong header and > > that > > > information has little or no value. > > I disagree at least with the wrong header argument. We created > Authentication-Results because we need a place to collect information about > email authentication methods' results when the message enters an ADMD, > because Received fields can be reordered, scrubbed, malformed, etc. It seems > to be to be exactly the right place to do it. However, it can only record > what the MTA at ADMD ingress saw, so if the STARTTLS information for the > entire handling chain is what's needed, this can't do it (but I also imagine > that can't be done reliably at all). > > The one useful piece of information is the negotiated cipher suite, but > > that > > is > > > most useful if the information is provided on a hop-by-hop basis so it > > belongs > > > in the Received header, IMHO. > > Would you not want to know the identity of the client, if that's available? > At least in the case where the client is actually associated with a > particular sending ADMD (maybe with DANE), that might be useful information. > You kind of answer this here: > > In my experience, client certificate authentication in SSL/TLS is very > > uncommon > > > in all protocols. The general model for client certificate authentication > > is > > > that the server has a CA that is used to sign all client certificates that > > are > > > used with that server. That model doesn't work for SMTP relay (although > > it's > > a > > > model I have implemented and works fine for SMTP Submission). For client > > > certificate authentication to work, the server has to request a client > > > certificate, the client has to have one configured and to use it to > > > authenticate the session. I'd like to see data on how many deployed SMTP > > > servers that support TLS request a client certificate. I know the servers I > > > work on do not request that by default. I also doubt most SSL/TLS > > appliances > > > request client certificates by default. > > As we move (slowly) toward authenticating and securing everything, is there > no hope of this changing toward what Franck is envisioning? > > I also do not view the server's opinion of the key strength of a TLS cipher > > > suite to have any value. The server's opinion can be wrong if the client > > has > > a > > > bad SSL stack. The cipher suite that was used is a specific piece of > > factual > > > data. If 10 weeks ago we used a cipher suite that was suddenly recognized > > as > > > broken today, the cipher suite used information is quite valuable, but the > > > server's opinion of its effective key size or strength will be worthless. > > The various details about what gets reported are certainly open for > discussion. I'm mostly arguing that there's something here worth looking at, > and that A-R is the right place to put it. > > Finally, the draft does not state how this TLS information would be used. > > I'm > > > opposed to adding all this clutter to headers unless there is some > > plausible > > > utility. > > Yes, a use case example would be good to include in any case. I think many questions about the usefulness of AR are answered in http://tools.ietf.org/html/rfc7001 remembers this is just an update of this RFC. Some example could be useful indeed. While this information should also be in Received Headers, I never succeeded to teach appropriately a tech support to read correctly received headers and not be tricked. It is way much easier to say read the AR header. Finally, SMTP servers work in dual mode (client+server) while HTTP servers works in sever mode only. The server certificate in SMTP is often used as the client certificate too. This is why you may see more client certificates with SMTP than with HTTP. Is the information useful, may be. I'm not sure all the fields described in the protocol are useful. As it is the early days, I just want them there, so implementation can pick what they think is useful, and if adopted by the workgroup some fields will be culled as we get better understanding and data. However one may envision that one day, TLS authentication may be used in policy protocols like DMARC.
- [apps-discuss] WG adoption for draft-martin-authe… Franck Martin
- Re: [apps-discuss] WG adoption for draft-martin-a… Chris Newman
- Re: [apps-discuss] WG adoption for draft-martin-a… Murray S. Kucherawy
- Re: [apps-discuss] WG adoption for draft-martin-a… Dave Crocker
- Re: [apps-discuss] WG adoption for draft-martin-a… Franck Martin
- Re: [apps-discuss] WG adoption for draft-martin-a… Chris Newman
- Re: [apps-discuss] WG adoption for draft-martin-a… Murray S. Kucherawy
- Re: [apps-discuss] WG adoption for draft-martin-a… Ned Freed
- Re: [apps-discuss] WG adoption for draft-martin-a… Arnt Gulbrandsen