Re: [dane] email canonicalization for SMIMEA owner names

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 12 December 2014 00:55 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BFC81A90DB for <dane@ietfa.amsl.com>; Thu, 11 Dec 2014 16:55:53 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8s3U4rS5nr0 for <dane@ietfa.amsl.com>; Thu, 11 Dec 2014 16:55:51 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6898C1A90C9 for <dane@ietf.org>; Thu, 11 Dec 2014 16:55:51 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 92980282F8B; Fri, 12 Dec 2014 00:55:50 +0000 (UTC)
Date: Fri, 12 Dec 2014 00:55:50 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141212005550.GR25666@mournblade.imrryr.org>
References: <95826148-4F06-4942-87A4-2F6601BA0F90@nist.gov> <20141211221456.GI3448@localhost> <20141211235519.GO25666@mournblade.imrryr.org> <20141212000953.B0FE5254EAE8@rock.dv.isc.org> <20141212003130.GQ25666@mournblade.imrryr.org> <20141212004131.09FDB254F4F4@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20141212004131.09FDB254F4F4@rock.dv.isc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/Kt-X5gsR1QDu6XXKter9nj6pYSM
Subject: Re: [dane] email canonicalization for SMIMEA owner names
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>

On Fri, Dec 12, 2014 at 11:41:30AM +1100, Mark Andrews wrote:

> > If we're really going to do this as a direct query to the remote
> > domain (and not a DNSSEC lookup), perhaps the right application
> > protocol is some sort of minimal SMTP over SSL on a port indicated
> > by the SRV record:
> > 
> >     <tcp connect>
> >     C/S: <TLS handshake>
> >     C: SMIMEA "Frank.Jr."@example.com
> >     S: 250-3 1 1 <blob1>
> >     S: 250 3 1 2 <blob2>
> >     <TCP disconnect>
> 
> But not port 25.  That is blocked too often.

Absolutely, this would be an additional service on some other port,
indicated via SRV records, and authenticated via DANE TLSA records.

The downside of something other than HTTPS or DNS is that, while
less likely to be blocked for anti-spam reasons, this is likely to
be inaccessible to MUAs inside various firewalled environments.

Perhaps a sufficiently light-weight http encapsulation is right
after all, and MTA authors might be able to implement just enough
HTTPS to still support this as an MTA feature.

In Postfix this would be a separate program that runs out of
"master.cf", but uses the Postfix table facilities to get the data
out of any supported datastore (including LDAP!).

This, however, takes us far away from any similarity to the SMIMEA draft
as it is today.  Is it really time to throw it all away and start
again?

-- 
	Viktor.
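The exchange sketched in the quoted text above, as an added example that is not part of this thread or of any SMIMEA draft: both ends of the "SMIMEA <address>" query with the SMTP-style "250-"/"250 " multi-line reply, driven in-process over a socketpair. The record store, the 500/501/550 error codes, the address splitting rule (domain case-folded, local part left alone, as RFC 5321 allows local parts to be case-sensitive) and the sample blobs are assumptions of this example. TLS and DANE TLSA verification of the server are deliberately left out so the code runs offline; a real client would wrap the socket before sending the query.

```python
"""Toy SMIMEA-over-TCP exchange (added example, not code from the thread).

Query verb and reply layout follow the sketch in the quoted message; the
store, error codes and address handling are assumptions of this example.
No TLS/DANE here: in a deployment the socket would be wrapped first.
"""
import re
import socket
import threading

# Constructed sample store: address -> [(usage, selector, matching_type, blob)]
STORE = {
    '"Frank.Jr."@example.com': [(3, 1, 1, "blob1"), (3, 1, 2, "blob2")],
    "alice@example.com": [(3, 0, 0, "aabbcc")],
}

_QUERY = re.compile(rb"^SMIMEA (.+)\r\n$")
_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def split_address(addr):
    """Split at the last '@' so a quoted local part keeps any '@' it contains.
    The domain is case-insensitive and is folded; the local part is opaque."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec")
    return local, domain.lower()


def handle_query(line, store=STORE):
    """Server side: reply bytes for one query line (assumed error codes)."""
    m = _QUERY.match(line)
    if not m:
        return b"500 syntax error\r\n"
    try:
        local, domain = split_address(m.group(1).decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return b"501 bad address\r\n"
    recs = store.get(f"{local}@{domain}")
    if not recs:
        return b"550 no such address\r\n"
    out = []
    for i, (usage, selector, mtype, blob) in enumerate(recs):
        sep = " " if i == len(recs) - 1 else "-"  # last line uses a space
        out.append(f"250{sep}{usage} {selector} {mtype} {blob}\r\n")
    return "".join(out).encode("ascii")


def parse_reply(data):
    """Client side: strict SMTP-style reply parser -> (code, [payload lines]).
    Rejects a changing code, a missing terminal line or lines after it."""
    lines = data.decode("ascii").split("\r\n")
    if lines[-1] != "" or len(lines) < 2:
        raise ValueError("reply not CRLF-terminated")
    lines = lines[:-1]
    code, payload = None, []
    for i, line in enumerate(lines):
        m = _REPLY.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        c, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if code is None:
            code = c
        elif c != code:
            raise ValueError("reply code changed mid-reply")
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match position")
        payload.append(text)
    return code, payload


def parse_record(text):
    """'3 1 1 <blob>' -> (3, 1, 1, '<blob>'); the blob is not decoded here."""
    usage, selector, mtype, blob = text.split(" ", 3)
    return int(usage), int(selector), int(mtype), blob


def query(sock, address):
    """Send one query, read until the terminal reply line, parse records."""
    sock.sendall(b"SMIMEA " + address.encode("ascii") + b"\r\n")
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed before terminal reply line")
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) >= 2 and lines[-1] == b"" and lines[-2][3:4] == b" ":
            break
    code, payload = parse_reply(buf)
    return code, [parse_record(p) for p in payload] if code == 250 else []


def serve_one(sock):
    """Serve one connection: read one query line, answer, close."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    sock.sendall(handle_query(buf))
    sock.close()


def run_exchange(address):
    """Run client and server ends of a socketpair in-process."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_one, args=(server,))
    t.start()
    try:
        return query(client, address)
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    print(run_exchange('"Frank.Jr."@EXAMPLE.COM'))
    print(run_exchange("Alice@example.com"))  # local part not folded -> 550
```

The client accepts the reply only when every line carries the same code and exactly the last one uses the space separator, which is the check that keeps a truncated or spliced reply from being read as a complete record set.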