Re: [apps-discuss] WG adoption for draft-martin-authentication-results-tls ?
"Murray S. Kucherawy" <superuser@gmail.com> Mon, 10 November 2014 22:16 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 994651A871D for <apps-discuss@ietfa.amsl.com>; Mon, 10 Nov 2014 14:16:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BMmdu_Fy4iKn for <apps-discuss@ietfa.amsl.com>; Mon, 10 Nov 2014 14:16:19 -0800 (PST)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18A1B1A8720 for <apps-discuss@ietf.org>; Mon, 10 Nov 2014 14:16:19 -0800 (PST)
Received: by mail-wi0-f170.google.com with SMTP id r20so110875wiv.1 for <apps-discuss@ietf.org>; Mon, 10 Nov 2014 14:16:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=7m7UjQTRjGM4UbkZsEJpGmIB3x0klP9ZoYBofOqkOss=; b=y7jWTl7ZlDmK9ETZ0VoQ17LDRL03LHfEjHBiur4t1JcL1fkl7j4eN7wnySgwyk2vmr HpEoXZjMS80z5R8JN6PCcO/sv4Fa+G75d0CqI/qCXZpe5Elau5ERbfaVhv83YD1hlScx dkK5+fIfASIw9KwjUP/C1ZUC955vsA+c59YCythUinM/+0T8Uqgb2QfHTx8UORbdoXsU VkKM9S+N0ZJ+7K3WdEPTPynh+L5wXJLvbdPIKWx6ppXx9aoE8idxnQKMn2KMT6SlAxor zLwQnnw0uL3vtxvFJTzsBJoUzekqMkjgWZuzDiGv9Z4bK6ZgjO1zAS1v2NeHHqQ+Awjx JFNg==
MIME-Version: 1.0
X-Received: by 10.180.14.226 with SMTP id s2mr34130008wic.61.1415657776559; Mon, 10 Nov 2014 14:16:16 -0800 (PST)
Received: by 10.27.76.134 with HTTP; Mon, 10 Nov 2014 14:16:16 -0800 (PST)
In-Reply-To: <8C22D80F14C7500B7BEFCAC1@96B2F16665FF96BAE59E9B90>
References: <44757941.49835.1413922063168.JavaMail.zimbra@peachymango.org> <8C22D80F14C7500B7BEFCAC1@96B2F16665FF96BAE59E9B90>
Date: Mon, 10 Nov 2014 12:16:16 -1000
Message-ID: <CAL0qLwaSv4H2VdbBfvYJCgCsb6MX6feGnTP1NjM0PzLmMoO+fQ@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Chris Newman <chris.newman@oracle.com>
Content-Type: multipart/alternative; boundary="f46d04138c9fe53e60050788821f"
Archived-At: http://mailarchive.ietf.org/arch/msg/apps-discuss/vfccTqILOONdC6XjM4B6Cvx2UjM
Cc: IETF Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] WG adoption for draft-martin-authentication-results-tls ?
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss/>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Nov 2014 22:16:23 -0000
On Mon, Nov 10, 2014 at 7:09 AM, Chris Newman <chris.newman@oracle.com> wrote: > My view of this draft is it adds a lot of clutter to the wrong header and > that > information has little or no value. > I disagree at least with the wrong header argument. We created Authentication-Results because we need a place to collect information about email authentication methods' results when the message enters an ADMD, because Received fields can be reordered, scrubbed, malformed, etc. It seems to be to be exactly the right place to do it. However, it can only record what the MTA at ADMD ingress saw, so if the STARTTLS information for the entire handling chain is what's needed, this can't do it (but I also imagine that can't be done reliably at all). The one useful piece of information is the negotiated cipher suite, but > that is > most useful if the information is provided on a hop-by-hop basis so it > belongs > in the Received header, IMHO. > Would you not want to know the identity of the client, if that's available? At least in the case where the client is actually associated with a particular sending ADMD (maybe with DANE), that might be useful information. You kind of answer this here: In my experience, client certificate authentication in SSL/TLS is very > uncommon > in all protocols. The general model for client certificate authentication > is > that the server has a CA that is used to sign all client certificates that > are > used with that server. That model doesn't work for SMTP relay (although > it's a > model I have implemented and works fine for SMTP Submission). For client > certificate authentication to work, the server has to request a client > certificate, the client has to have one configured and to use it to > authenticate the session. I'd like to see data on how many deployed SMTP > servers that support TLS request a client certificate. I know the servers I > work on do not request that by default. I also doubt most SSL/TLS > appliances > request client certificates by default. > As we move (slowly) toward authenticating and securing everything, is there no hope of this changing toward what Franck is envisioning? > I also do not view the server's opinion of the key strength of a TLS cipher > suite to have any value. The server's opinion can be wrong if the client > has a > bad SSL stack. The cipher suite that was used is a specific piece of > factual > data. If 10 weeks ago we used a cipher suite that was suddenly recognized > as > broken today, the cipher suite used information is quite valuable, but the > server's opinion of its effective key size or strength will be worthless. > The various details about what gets reported are certainly open for discussion. I'm mostly arguing that there's something here worth looking at, and that A-R is the right place to put it. > Finally, the draft does not state how this TLS information would be used. > I'm > opposed to adding all this clutter to headers unless there is some > plausible > utility. > Yes, a use case example would be good to include in any case. -MSK, just participatin'
- [apps-discuss] WG adoption for draft-martin-authe… Franck Martin
- Re: [apps-discuss] WG adoption for draft-martin-a… Chris Newman
- Re: [apps-discuss] WG adoption for draft-martin-a… Murray S. Kucherawy
- Re: [apps-discuss] WG adoption for draft-martin-a… Dave Crocker
- Re: [apps-discuss] WG adoption for draft-martin-a… Franck Martin
- Re: [apps-discuss] WG adoption for draft-martin-a… Chris Newman
- Re: [apps-discuss] WG adoption for draft-martin-a… Murray S. Kucherawy
- Re: [apps-discuss] WG adoption for draft-martin-a… Ned Freed
- Re: [apps-discuss] WG adoption for draft-martin-a… Arnt Gulbrandsen