Re: [dane] Second WGLC draft-ietf-dane-smime

"John Levine" <johnl@taugh.com> Thu, 17 November 2016 05:43 UTC

Date: Wed, 09 Nov 2016 11:32:01 -0000
Message-ID: <20161109113201.21235.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dane@ietf.org
In-Reply-To: <1479102464.995918272@apps.rackspace.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/5uyO6k9o2XFbcqcBxOXl00BGwWU>
Subject: Re: [dane] Second WGLC draft-ietf-dane-smime

This draft is still a bad idea for all the reasons I described the
last time it came around.  Nothing has changed.

If you do publish it, I'd suggest much stronger language in the first
sentence of section 9 on security considerations.  The security model
for S/MIME certs has always been that the trust flows from the CA to
the user without involving the user's mail operator.  Now the domain
is the trust source for all of its users.  Sometimes that's
reasonable, sometimes not, and there's no way you can tell without
knowing information about the domain that's not in the DNS.

The fifth paragraph, on mail operator MITM attacks on user mail, is
also much too weak.  If the domain is a bank that is required by law
to archive its employee communications, MITM is reasonable.  If it's a
public mail operator that uses MITM to compile dossiers of user info
to sell to marketers, and to edit ads and web bugs into the messages
before re-encrypting them, all without user permission, it's
not.  If the mail is from another user on the same system, it'll
re-sign the mail, too.  Of course, the mail operator will assure you
it's "required to be able to read everyone's encrypted email" by its
business plan.

R's,
John