[dane] Review of DANE SMTP draft

Alexey Melnikov <alexey.melnikov@isode.com> Thu, 06 March 2014 13:40 UTC


Hi,
I have some possibly slightly cryptic review notes. Feel free to ask for clarifications.

In the terminology section: what about no MX record case (A or AAAA only)?

In 1.3.1: why mention SMTP URIs? How would introduction of such URIs help with securing SMTP? I suggest you just mention that there is no signalling of "secure" SMTP.

In 2.2: Network address instead of MX hostname - I think this deserves an example.

In 2.2.3 (page 17, 3rd from the last para): and possibly other places: TLS server certificate matching rules should be fully specified. Use RFC 6125 (for example look at draft-melnikov-email-tls-certs-01) or specify the rules directly.

Page 22, 3rd para: please add reference for the SNI TLS extension (a Normative reference, because you use normative language when referencing the extension) and various versions of TLS.

In 2.3.3: it is not clear whether the client needs to check that for every record covered by the WORSE hash there is a corresponding record covered by the BETTER hash.

In Section 3, last para: add "or bounced", as this can be more serious than just being delayed.

In 4.2, last para: did you mean "SHOULD"?

I've heard "Not checking expiration dates in certificates" - I don't think this was mentioned in the document.

Best Regards,
Alexey
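The 2.3.3 comment above concerns how a client should treat TLSA records that use digests of different strengths. The following is an added illustration, not code from the draft or from this message: it implements one reading of the digest-agility rule (per (usage, selector) group, keep Full(0) records and only the records carrying the strongest digest the client supports; weaker-digest records in that group are ignored even if they would have matched). The record tuples, preference order and key byte strings are constructed for the example.

```python
import hashlib
from collections import defaultdict

# RFC 6698 matching types: 0 = Full, 1 = SHA2-256, 2 = SHA2-512.
# Client preference, strongest first (assumed for this example).
DIGEST_PREFERENCE = [2, 1]
DIGEST_FUNCS = {1: hashlib.sha256, 2: hashlib.sha512}

def select_usable_tlsa(records):
    """records: list of (usage, selector, matching_type, data).
    Group by (usage, selector); within each group keep Full(0) records
    and only the records using the strongest supported digest present."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec[0], rec[1])].append(rec)
    usable = []
    for group in groups.values():
        present = {rec[2] for rec in group}
        best = next((m for m in DIGEST_PREFERENCE if m in present), None)
        usable.extend(r for r in group if r[2] == 0 or r[2] == best)
    return usable

def tlsa_matches(record, presented):
    """True if the record's data matches the presented cert/SPKI bytes."""
    mtype, data = record[2], record[3]
    if mtype == 0:
        return data == presented
    return data == DIGEST_FUNCS[mtype](presented).digest()

def verify_server(records, presented):
    """DANE-style check: any usable record must match the presented bytes."""
    return any(tlsa_matches(r, presented) for r in select_usable_tlsa(records))

# Constructed stand-ins for two DER-encoded SubjectPublicKeyInfo blobs.
KEY_A = b"constructed-spki-A"
KEY_B = b"constructed-spki-B"
# Publisher listed KEY_A with both digests, but KEY_B only with SHA2-256
# (usage 3 = DANE-EE, selector 1 = SPKI).
SAMPLE_RECORDS = [
    (3, 1, 1, hashlib.sha256(KEY_A).digest()),
    (3, 1, 2, hashlib.sha512(KEY_A).digest()),
    (3, 1, 1, hashlib.sha256(KEY_B).digest()),
]

if __name__ == "__main__":
    print("KEY_A accepted:", verify_server(SAMPLE_RECORDS, KEY_A))  # True
    print("KEY_B accepted:", verify_server(SAMPLE_RECORDS, KEY_B))  # False
```

Under this rule a server presenting KEY_B is rejected because its only record uses the weaker digest while a stronger one exists in the same group, which is the publishing mistake the review question is probing.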