IETF Logo Mail Archive

Re: [dane] Delivery of email if MX is not signed

"Patrik Fältström " <paf@frobbit.se> Sun, 23 August 2015 19:11 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09F5F1B2A5E for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 12:11:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.261
X-Spam-Level:
X-Spam-Status: No, score=-1.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tdr7SkAoZCvv for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 12:10:56 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF50F1B2A5D for <dane@ietf.org>; Sun, 23 Aug 2015 12:10:56 -0700 (PDT)
Received: from [192.168.1.12] (frobbit.cust.teleservice.net [85.30.128.225]) by mail.frobbit.se (Postfix) with ESMTPSA id 2BE821FDE4; Sun, 23 Aug 2015 21:10:55 +0200 (CEST)
From: Patrik Fältström <paf@frobbit.se>
To: lst_hoe02@kwsoft.de
Date: Sun, 23 Aug 2015 21:10:54 +0200
Message-ID: <61FB75B0-F29A-4D70-9977-1546B81FCDFC@frobbit.se>
In-Reply-To: <20150823204623.Horde.i2QJGPg9ASEBX9mspfXLZc-@webmail.kwsoft.de>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se> <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca> <C6382564-E6D5-4461-902A-6E12ED78296C@frobbit.se> <20150823204623.Horde.i2QJGPg9ASEBX9mspfXLZc-@webmail.kwsoft.de>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_0D28460E-C339-47CE-81A5-A545B67715CC_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.2r5107)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/Mwny3TeYxzpryYsuSwIDKNeolKc>
Cc: dane@ietf.org
Subject: Re: [dane] Delivery of email if MX is not signed
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Aug 2015 19:11:04 -0000

On 23 Aug 2015, at 20:46, lst_hoe02@kwsoft.de wrote:

> You are https biased i guess. With an unsigned MX your secure chain is broken because the target you try to reach by an E-Mail address is directed to a target by an "unsecure" link. If the unsecure resolved target is then secured doesn't matter because you might be already on the wrong track.
>
> Security is only as strong as the weakest point in the chain.

Agree, but I think the cert for the TLS can be trusted in two ways: Either by looking at TLSA record or by looking at CA X.509 chain. I think they are equivalent and both have exactly the same weakness if the MX is unsigned.

I do not see why one of these two mechanisms should be "invalid" just because the MX is unsigned.

   Patrik

v2.23.0 | Report a Bug | By Email