Re: [apps-discuss] WG adoption for draft-martin-authentication-results-tls ?
Chris Newman <chris.newman@oracle.com> Tue, 11 November 2014 00:49 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E7031AD371 for <apps-discuss@ietfa.amsl.com>; Mon, 10 Nov 2014 16:49:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.795
X-Spam-Level:
X-Spam-Status: No, score=-4.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t5kjfLkWMWy7 for <apps-discuss@ietfa.amsl.com>; Mon, 10 Nov 2014 16:49:12 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E7CC1AD36F for <apps-discuss@ietf.org>; Mon, 10 Nov 2014 16:49:11 -0800 (PST)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sAB0nAk2016946 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <apps-discuss@ietf.org>; Tue, 11 Nov 2014 00:49:10 GMT
Received: from hermes-fe-2.easd.brm.oracle.com (hermes-fe-2.easd.brm.oracle.com [10.79.248.11]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sAB0n9OV028007 for <apps-discuss@ietf.org>; Tue, 11 Nov 2014 00:49:09 GMT
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-disposition: inline
Content-type: text/plain; CHARSET="US-ASCII"
Received: from [10.175.237.151] (dhcp-ukc1-twvpn-3-vpnpool-10-175-237-151.vpn.oracle.com [10.175.237.151]) by hermes-fe-2.easd.brm.oracle.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPSA id <0NEU0025ENLSZS00@hermes-fe-2.easd.brm.oracle.com> for apps-discuss@ietf.org; Mon, 10 Nov 2014 16:49:09 -0800 (PST)
Date: Mon, 10 Nov 2014 14:49:05 -1000
From: Chris Newman <chris.newman@oracle.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Message-id: <40083C4B3048495991CE736E@96B2F16665FF96BAE59E9B90>
In-reply-to: <CAL0qLwaSv4H2VdbBfvYJCgCsb6MX6feGnTP1NjM0PzLmMoO+fQ@mail.gmail.com>
References: <44757941.49835.1413922063168.JavaMail.zimbra@peachymango.org> <8C22D80F14C7500B7BEFCAC1@96B2F16665FF96BAE59E9B90> <CAL0qLwaSv4H2VdbBfvYJCgCsb6MX6feGnTP1NjM0PzLmMoO+fQ@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/apps-discuss/QKJccT_F6EfR4b1b_DwppIfX5Xo
Cc: IETF Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] WG adoption for draft-martin-authentication-results-tls ?
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss/>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 00:49:14 -0000
--On November 10, 2014 12:16:16 -1000 "Murray S. Kucherawy" <superuser@gmail.com> wrote: > On Mon, Nov 10, 2014 at 7:09 AM, Chris Newman <chris.newman@oracle.com> > wrote: >> My view of this draft is it adds a lot of clutter to the wrong header and >> that >> information has little or no value. > > I disagree at least with the wrong header argument. We created > Authentication-Results because we need a place to collect information about > email authentication methods' results when the message enters an ADMD, > because Received fields can be reordered, scrubbed, malformed, etc. It > seems to be to be exactly the right place to do it. Point me to the standard that describes the client certificate authentication model for MTA to MTA SMTP relay, and I might agree. Absent that, there's no authentication model and thus no authentication information to record. RFC 3207 clearly defines any form of TLS authentication as a local matter, and thus any information about that authentication is of no relevance to the end-user's client because there is no model for interoperability. > However, it can only > record what the MTA at ADMD ingress saw, so if the STARTTLS information for > the entire handling chain is what's needed, this can't do it (but I also > imagine that can't be done reliably at all). Recording use of STARTTLS cipher suites on a hop-by-hop basis as trace information is quite helpful. It's not authentication information and not reliable, but it can identify weak points in the privacy chain where pressure can be applied to upgrade systems. It can also be correlated with MTA logs in the event a full privacy assessment is necessary. > Would you not want to know the identity of the client, if that's > available? I'm fairly certain that X.509 Subject/Issuer DNs with no defined relationship to SMTP relay are of no value to end-user clients. I'm skeptical they would be useful if a standardized relationship was defined. > At least in the case where the client is actually associated > with a particular sending ADMD (maybe with DANE), that might be useful > information. How would an end-user's client use this information? > The various details about what gets reported are certainly open for > discussion. I'm mostly arguing that there's something here worth looking > at, and that A-R is the right place to put it. An SMTP MTA relay client certificate authentication model could be quite useful. Once such a model existed it may make sense to put the results in an authentication-results header if it provided information that an end-user's mail client could act on in a constructive and useful way. But this proposal is like building the cart before anyone knows what a horse looks like. - Chris
- [apps-discuss] WG adoption for draft-martin-authe… Franck Martin
- Re: [apps-discuss] WG adoption for draft-martin-a… Chris Newman
- Re: [apps-discuss] WG adoption for draft-martin-a… Murray S. Kucherawy
- Re: [apps-discuss] WG adoption for draft-martin-a… Dave Crocker
- Re: [apps-discuss] WG adoption for draft-martin-a… Franck Martin
- Re: [apps-discuss] WG adoption for draft-martin-a… Chris Newman
- Re: [apps-discuss] WG adoption for draft-martin-a… Murray S. Kucherawy
- Re: [apps-discuss] WG adoption for draft-martin-a… Ned Freed
- Re: [apps-discuss] WG adoption for draft-martin-a… Arnt Gulbrandsen