Re: [dane] Delivery of email if MX is not signed

"Patrik Fältström" <paf@frobbit.se> Mon, 24 August 2015 02:51 UTC

From: Patrik Fältström <paf@frobbit.se>
To: Paul Wouters <paul@nohats.ca>
Date: Mon, 24 Aug 2015 04:51:19 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/4x-KXToWCACt_oYi0JLpOpOFC0o>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Delivery of email if MX is not signed

On 23 Aug 2015, at 21:33, Paul Wouters wrote:

> So we have:
>
> - unsigned domain -> deliver without authentication, allow any TLS credential
> - signed domain with unsigned mx target -> deliver without authentication, allow any TLS credential
> - signed domain with signed mx target -> deliver only if authentication succeeded.
>
> You seem to want something like:
>
> - unsigned domain with signed mx target -> deliver if authentication
> succeeds - despite possible spoofed MX record

I more and more think I understand what I am asking for and what I want.

My apologies if what I now write seems to be different from what I wrote earlier.

I want the validation of the cert used for the TLS connection to use the same rules for trust regardless of whether DANE is used (i.e. signed and properly validated TLSA record for the peer) or if X.509 cert/PKI from some CA is in use.

What I read in the draft, and what I read in the paper Jan wrote after testing Postfix and what I read here in the responses I get is that DANE is trusted LESS than X.509 certs.


And I think that is wrong.


I.e. we have two cases:

1. X.509

1.1 Unsigned MX
1.2 cert validated from some CA that is trusted

2. DANE

2.1 Unsigned MX
2.2 cert validated via signed TLSA with DNSSEC chain of trust to some TA


I think they should be equivalent.

If they are, also in the implementation in postfix, then just tell me and I'll shut up.

   Patrik