IETF Logo Mail Archive

Re: [dane] Request DANE ALPS discussion time at IETF 95

Sean Leonard <dev+ietf@seantek.com> Tue, 08 March 2016 06:17 UTC

Return-Path: <dev+ietf@seantek.com>
X-Original-To: dane@ietfc.amsl.com
Delivered-To: dane@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 3E0101CE058 for <dane@ietfc.amsl.com>; Mon, 7 Mar 2016 22:17:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.41]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XB0g5lB5w9W5 for <dane@ietfc.amsl.com>; Mon, 7 Mar 2016 22:17:43 -0800 (PST)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfc.amsl.com (Postfix) with ESMTPS id E770D1CE057 for <dane@ietf.org>; Mon, 7 Mar 2016 22:17:42 -0800 (PST)
Received: from [192.168.123.7] (unknown [75.83.2.34]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 3214722E1F3; Tue, 8 Mar 2016 01:17:36 -0500 (EST)
To: John Levine <johnl@taugh.com>, dane@ietf.org
References: <20160307125450.1161.qmail@ary.lan>
From: Sean Leonard <dev+ietf@seantek.com>
Message-ID: <56DE6E26.8090101@seantek.com>
Date: Mon, 07 Mar 2016 22:16:06 -0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <20160307125450.1161.qmail@ary.lan>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/3OSEQcaigAP3mlDWXAow15jA-Bw>
Subject: Re: [dane] Request DANE ALPS discussion time at IETF 95
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2016 06:17:44 -0000

On 3/7/2016 4:54 AM, John Levine wrote:
> In article <56DD1DB7.7050305@seantek.com> you write:
>> Hello:
>>
>> As the chairs graciously requested and got a meeting slot in Buenos
>> Aires, I would like to request DANE ALPS (Alternative Local-Part
>> Synthesis) discussion time at IETF 95.
> This draft belongs in ietf-smtp or maybe appsarea, not DANE.  It's an
> interesting idea, but since it changes the rules about who interprets
> local-parts, it's an update to RFC 5321.
>
> Also, it's an issue that affects people in a lot of places other than DANE.
> Pkix has been having somewhat similar discussions about the names in X.509
> certificates.

As the document itself states (repeatedly), the DANE ALPS proposal is 
very specific to DANE. It does not affect how the mail infrastructure 
interprets local-parts, because to do otherwise would anger the Mail 
Gods. We are leaving the issue alone. Local-Part is and remains left to 
the interpretation of the receiving MTA.

The point of DANE ALPS is to reduce the burden of maintaining a 
bajillion variations of records, for operating a DANE/DNSSEC-enabled 
zone. Consider a case where the owners want *all* messages sent to 
e-mail addresses in a domain to use the same key. Perhaps that key is a 
master encryption key for policy reasons, that will be decrypted by some 
gateway. Another case is where one user maintains the whole domain: 
*@ietf.taugh.com e-mail addresses should all be encrypted to the same 
key and read (ultimately) by the same user, even if the messages get 
fanned out into different mailboxes on the back end. In such cases, is 
it desirable for the DANE/DNSSEC-enabled zone to maintain a bajillion 
different records with the same key info, or just to maintain one 
record, and have a mechanism to point queries to that specific record? 
The latter is simply more efficient (and more easily auditable).

Now, a possible outcome of the WG presentation/meeting is that the 
proposal has broader application than just DANE. In that case, expanding 
or moving it elsewhere would be fine. But we need to have that discussion.

Yes, it came up in PKIX recently...there is a broader question about how 
to determine e-mail address equivalence, when the two inputs are not 
bit-for-bit identical. This is an industry-wide problem. However, the 
DANE ALPS solution is about alternate queries of the DNS zone between a 
DNS client and a DNS server, not equivalence. It is specific to the way 
that DANE operates and is not intended to be a published general 
statement about how the domain's MTA fans out mail.

draft-osterweil-dmarc-dane-names also tries to address the matter using 
DMARC records. However, it goes a step further by saying 
"canonicalization policy"--which implies that it is promulgating 
interpretations of the local-part that might cause a disturbance in the 
(Mail Gods') Force. See:
http://mailarchive.ietf.org/arch/msg/dane/gWhYXtSyNGh2D2uuDp99LWHzBSU

That approach should also be covered and discussed.

So now we have at least four different approaches: a) do nothing, b) 
draft-seantek-dane-alps, c) draft-levine-dns-mailbox (a collection of 
different approaches), d) draft-osterweil-dmarc-dane-names. Obviously 
the WG is struggling to do something here, hence, discussion.

Regards,

Sean

v2.23.0 | Report a Bug | By Email