Re: [dane] [internet-drafts@ietf.org] New Version Notification for draft-dukhovni-dane-ops-01.txt

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 26 July 2013 21:36 UTC

Date: Fri, 26 Jul 2013 21:36:40 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130726213640.GL29420@mournblade.imrryr.org>
References: <CABrd9STgfDX_qDQR4V+KpQrAXKvpe5Vdz_eBG3ngz4vS8Zqg3g@mail.gmail.com> <20130723145432.GT29420@mournblade.imrryr.org> <CABrd9SRi4ze5FNk-7N3LrhdsSmJjs0875USwKRTNBhHGYpAdeA@mail.gmail.com> <20130724142333.GC29420@mournblade.imrryr.org> <CABrd9SS7sHA8gAO_OzPdt3XV33EiyW+=xPgwLZkJ0u9PGnmeRQ@mail.gmail.com> <20130725221832.6BAE537AD193@drugs.dv.isc.org> <20130725223646.GH29420@mournblade.imrryr.org> <alpine.LFD.2.10.1307261023191.2721@bofh.nohats.ca> <20130726150253.GJ29420@mournblade.imrryr.org> <CAGZ8ZG1tL4pbZ+7M7Q4Rcr33y4fKGCDNhQ8g3Kw9Cwgcr-krzQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAGZ8ZG1tL4pbZ+7M7Q4Rcr33y4fKGCDNhQ8g3Kw9Cwgcr-krzQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] [internet-drafts@ietf.org] New Version Notification for draft-dukhovni-dane-ops-01.txt
Precedence: list
Reply-To: dane@ietf.org

On Fri, Jul 26, 2013 at 02:19:26PM -0700, Trevor Perrin wrote:

> > Until recently I was the postmaster of a site with O(100) such
> > manual TLS policies,  each one was a pain to setup (30minutes of
> > conf call with the peer site's email admins) and the resulting
> > static configurations were fragile.
> 
> That's pretty interesting, I didn't know there was SMTP manual pinning
> on that scale.  If you don't mind sharing, I'm curious:
>
>  - Can you configure TLS pins on common mail servers?

Postfix supports a "fingerprint" security level, but in most cases, the
manual security arrangements used PKIX with hand-crafted name checks.
So we did not often "pin" certificates with outside parties, such pins
were only used from time to time on SMTP links where we controlled the
certificates on both ends.

>  - Is this a common practice?
>  - Are there any efforts at aggregating and sharing pin lists,
> so they don't need pairwise phone calls?

Yes, there was an industry effort to aggregate TLS configuration
data, but it never went very far.  I am hoping DANE will obviate
the need for this, provided we can get people to adopt DNSSEC.

> FWIW, the way we saw cross-domain SMTP working for TACK was:  If the
> sending MTA indicates TACK support in its TLS ClientHello, the
> receiving MTA could return a "tack", and the sender could activate a
> pin between the TACK Signing Key and the email recipient's domain
> name.  (NOT the mailserver's name - this would be special cross-domain
> SMTP semantics).

I don't think this is practical for SMTP.  My focus is on DANE.

-- 
	Viktor.

[dane] [internet-drafts@ietf.org] New Version Not… Wes Hardaker
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Seth David Schoen
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Stephen Kent
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Frederico A C Neves
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Jeremy Rowley
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Jack Bates
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Wes Hardaker
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Stephen Farrell
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Mark Andrews
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Ben Laurie
Re: [dane] [internet-drafts@ietf.org] New Version… Paul Wouters
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Trevor Perrin
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni
Re: [dane] [internet-drafts@ietf.org] New Version… Ondřej Surý
Re: [dane] [internet-drafts@ietf.org] New Version… Viktor Dukhovni