Re: [dane] email canonicalization for SMIMEA owner names

Mark Andrews <marka@isc.org> Fri, 12 December 2014 00:41 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7D7F1A90C8 for <dane@ietfa.amsl.com>; Thu, 11 Dec 2014 16:41:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ImpPMFY2PlkF for <dane@ietfa.amsl.com>; Thu, 11 Dec 2014 16:41:36 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1894F1A8893 for <dane@ietf.org>; Thu, 11 Dec 2014 16:41:36 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP id C45A83493CE for <dane@ietf.org>; Fri, 12 Dec 2014 00:41:33 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 0669E16006A for <dane@ietf.org>; Fri, 12 Dec 2014 00:46:07 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id AC92B160069 for <dane@ietf.org>; Fri, 12 Dec 2014 00:46:06 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 09FDB254F4F4 for <dane@ietf.org>; Fri, 12 Dec 2014 11:41:31 +1100 (EST)
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <95826148-4F06-4942-87A4-2F6601BA0F90@nist.gov> <20141211221456.GI3448@localhost> <20141211235519.GO25666@mournblade.imrryr.org> <20141212000953.B0FE5254EAE8@rock.dv.isc.org> <20141212003130.GQ25666@mournblade.imrryr.org>
In-reply-to: Your message of "Fri, 12 Dec 2014 00:31:31 -0000." <20141212003130.GQ25666@mournblade.imrryr.org>
Date: Fri, 12 Dec 2014 11:41:30 +1100
Message-Id: <20141212004131.09FDB254F4F4@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/48psQjv4kwGfOD01yizV6gGCouw
Subject: Re: [dane] email canonicalization for SMIMEA owner names
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Dec 2014 00:41:37 -0000

In message <20141212003130.GQ25666@mournblade.imrryr.org>, Viktor Dukhovni writes:
> On Fri, Dec 12, 2014 at 11:09:53AM +1100, Mark Andrews wrote:
> 
> > We could just do this correctly and use SRV records to point to
> > keyserver servers running over TLS.  The keyserver can do whatever
> > local canonicalisations that are required.  The SMTP server could
> > even be performing this role on a different port.  That way you
> > only have to enter the canonicalisation rules once.
> > 
> > This also gets rid of the complaints about being able to walk the
> > zone.
> 
> Since this is the DANE working group, those would be DANE TLSA
> authenticated servers, designated via a suitable SRV record.
> 
> The presence of the SRV record itself would signal adoption of the
> protocol by the domain.
> 
> However, this makes the protocol much more complex.  Mail clients
> that just do local submission and did not need a TLS stack, would
> now need to implement HTTPS, and we'd end-up defining a rather
> complex protocol layered over that.

If mail clients are doing SMIME the addition complexity of HTTPS
or TLS is not much.

> DNS does scale better.

No, it doesn't.  DNS scales equally well.
 
> If we're really going to do this as a direct query to the remote
> domain (and not a DNSSEC lookup), perhaps the right application
> protocol is some sort of minimal SMTP over SSL on a port indicated
> by the SRV record:
> 
>     <tcp connect>
>     C/S: <TLS handshake>
>     C: SMIMEA "Frank.Jr."@example.com
>     S: 250-3 1 1 <blob1>
>     S: 250 3 1 2 <blob2>
>     <TCP disconnect>

But not port 25.  That is blocked too often.
 
> HTTP seems like much too much baggage, and the above could actually
> be an additional service operated as part of the MTA, (the email
> administrator would not need to be either a DNS administrator or
> a webmaster).  The SMTP server would know how/whether to case-fold
> the address.
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org