Re: [dane] Proposed DMARC component to signal SMIME policy
Scott Rose <scottr.nist@gmail.com> Wed, 23 October 2013 18:32 UTC
Return-Path: <scottr.nist@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB83C11E81E9 for <dane@ietfa.amsl.com>; Wed, 23 Oct 2013 11:32:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8zo7qrXpEKi7 for <dane@ietfa.amsl.com>; Wed, 23 Oct 2013 11:31:59 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id EF24511E814F for <dane@ietf.org>; Wed, 23 Oct 2013 11:31:58 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 23 Oct 2013 14:31:45 -0400
Received: from postmark.nist.gov (129.6.16.94) by WSXGHUB1.xchange.nist.gov (129.6.18.96) with Microsoft SMTP Server (TLS) id 8.3.298.1; Wed, 23 Oct 2013 14:31:57 -0400
Received: from h222244.nist.gov (h222244.nist.gov [129.6.222.244]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id r9NIVlob011518 for <dane@ietf.org>; Wed, 23 Oct 2013 14:31:47 -0400
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Apple Message framework v1283)
From: Scott Rose <scottr.nist@gmail.com>
In-Reply-To: <20131022182133.GJ2976@mournblade.imrryr.org>
Date: Wed, 23 Oct 2013 14:31:47 -0400
Content-Transfer-Encoding: quoted-printable
Message-ID: <A63C6584-0DAA-4296-8ACC-2473B18187FE@gmail.com>
References: <C91A24C7-CDC6-4C4B-82DC-8E43255DE67C@gmail.com> <20131022182133.GJ2976@mournblade.imrryr.org>
To: dane@ietf.org
X-Mailer: Apple Mail (2.1283)
X-NIST-MailScanner-Information:
Subject: Re: [dane] Proposed DMARC component to signal SMIME policy
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2013 18:32:05 -0000
On Oct 22, 2013, at 2:21 PM, Viktor Dukhovni wrote: > On Tue, Oct 22, 2013 at 01:56:25PM -0400, Scott Rose wrote: > >> We submitted an Internet-Draft on using a new DNS RRType to signal >> that all email coming from the domain will be signed (proposed type >> is called SMIMELOCK). So that when a client receives an email that >> lacks a SMIME signature from a domain with the SMIMELOCK RR, it >> could be marked as suspect. The draft is at: >> https://datatracker.ietf.org/doc/draft-srose-smimelock/ > > Since the intended target of this record is the MUA, how do you > propose to deal with "saved" email (that is email that did not > "just arrive")? What happens when a message is first retrieved by > the MUA from an IMAP server long after it is delivered to the > mailbox? > > Does the policy apply to the: > > - Envelope sender domain? > > - RFC2822.From domain? > > - RFC2822.Sender domain? > > - DKIM signer domain? > > What is the interaction with "Resent-From" and/or "Resent-Sender"? > > What is the treatment of mail sent to a public list (and modified > by the list adding a footer, ...)? > Admittedly we're still working on it. I envision it mostly being used for domains that do transactional email, where one person sends it. It would only be used on receipt of mail, so no check should be done on saved mail. The policy would apply (most likely) to the RFC2822 From domain, since that is the entity likely to be the one vouching for the message by the signature. > I think the value of this effort will be marginal at best. There > are I think too many corner cases to make the "all" value practically > reliable. There's not much point in "partial" or "none". > "Partial" is only useful in advertising a interim state before going to "all". "none" doesn't mean much, but could be interpreted as the domain does not issue mail certs, so any signatures seen are from certs issued someone else (not the domain holder). How the MUA interprets that is local policy. > Problem areas: > > Outsourced email marketing, > Outsourced Benefits providers, > Public mailing lists, > Resent mail, > Stored mail, > ... > Admittedly, outsourced marketing is a problem. The main driver is entities (mostly governments, but others as well) are looking for a way to signal that all outgoing mail from a given domain will be signed. G2G and G2C are our main targets. Scott > -- > Viktor. > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane
- [dane] Proposed DMARC component to signal SMIME p… Scott Rose
- Re: [dane] Proposed DMARC component to signal SMI… Viktor Dukhovni
- Re: [dane] Proposed DMARC component to signal SMI… Lutz Donnerhacke
- Re: [dane] Proposed DMARC component to signal SMI… Scott Rose
- Re: [dane] Proposed DMARC component to signal SMI… Scott Rose
- [dane] Meetup at IETF 88 Paul M
- Re: [dane] Meetup at IETF 88 Paul Wouters