Re: [dane] email canonicalization for SMIMEA owner names

Viktor Dukhovni <> Fri, 12 December 2014 00:31 UTC

Date: Fri, 12 Dec 2014 00:31:31 +0000
From: Viktor Dukhovni <>
Subject: Re: [dane] email canonicalization for SMIMEA owner names

On Fri, Dec 12, 2014 at 11:09:53AM +1100, Mark Andrews wrote:

> We could just do this correctly and use SRV records to point to
> keyserver servers running over TLS.  The keyserver can do whatever
> local canonicalisations that are required.  The SMTP server could
> even be performing this role on a different port.  That way you
> only have to enter the canonicalisation rules once.
> This also gets rid of the complaints about being able to walk the
> zone.

Since this is the DANE working group, those would be DANE TLSA
authenticated servers, designated via a suitable SRV record.

The presence of the SRV record itself would signal adoption of the
protocol by the domain.

However, this makes the protocol much more complex.  Mail clients
that just do local submission and did not need a TLS stack would
now need to implement HTTPS, and we'd end up defining a rather
complex protocol layered over that.

DNS does scale better.

If we're really going to do this as a direct query to the remote
domain (and not a DNSSEC lookup), perhaps the right application
protocol is some sort of minimal SMTP over SSL on a port indicated
by the SRV record:

    <tcp connect>
    C/S: <TLS handshake>
    C: SMIMEA "Frank.Jr."
    S: 250-3 1 1 <blob1>
    S: 250 3 1 2 <blob2>
    <TCP disconnect>

HTTP seems like much too much baggage, and the above could actually
be an additional service operated as part of the MTA (the email
administrator would not need to be either a DNS administrator or
a webmaster).  The SMTP server would know how/whether to case-fold
the address.
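The exchange sketched above, written out as both sides of the protocol in Python. This is an added example, not code from the message, the DANE working group or any MTA: the record data is constructed, the reply codes (250 records follow, 500/501 syntax errors, 550 no records) are borrowed from SMTP convention rather than fixed by the thread, the server's case-folding policy is an assumption standing in for "the SMTP server would know how/whether to case-fold", and the TLS handshake on the SRV-designated port is omitted so the example runs offline over a socket pair. What it adds to the sketch is the client-side parsing of the 250-/250 continuation framing and the failure cases a real client has to handle (unknown local part, malformed or unterminated reply, non-hex blob).

```python
import socket
import threading

# Constructed sample data: one domain's SMIMEA-style records, keyed by the
# canonical form of the local part. Each tuple mirrors the TLSA/SMIMEA RDATA
# fields in the sketch above: usage, selector, matching type, blob (hex).
SAMPLE_RECORDS = {
    "frank.jr.": [
        (3, 1, 1, "8d1ab2e5" * 8),   # DANE-EE / SPKI / SHA-256, constructed digest
        (3, 1, 2, "3c0f9e7a" * 16),  # DANE-EE / SPKI / SHA-512, constructed digest
    ],
}


def canonicalize(localpart: str) -> str:
    """Server-side local-part canonicalization (the MTA knows its own rules).
    Assumption for this example: this domain treats local parts
    case-insensitively, so the server case-folds before the lookup.  A domain
    with case-sensitive mailboxes would return localpart unchanged here."""
    return localpart.lower()


def handle_request(line: str, records=SAMPLE_RECORDS) -> str:
    """Server side: one request line in, one SMTP-style reply out.
    Reply codes follow SMTP convention (assumed, not fixed by the thread):
    250 records follow, 500/501 syntax problems, 550 no records."""
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    if verb.upper() != "SMIMEA":
        return "500 unknown command\r\n"
    if len(arg) < 2 or arg[0] != '"' or arg[-1] != '"':
        return "501 local part must be a quoted string\r\n"
    recs = records.get(canonicalize(arg[1:-1]))
    if not recs:
        return "550 no SMIMEA records\r\n"
    # "250-" marks continuation lines, "250 " the final line, as in SMTP.
    lines = []
    for i, (usage, selector, mtype, blob) in enumerate(recs):
        sep = " " if i == len(recs) - 1 else "-"
        lines.append(f"250{sep}{usage} {selector} {mtype} {blob}")
    return "\r\n".join(lines) + "\r\n"


def parse_reply(text: str):
    """Client side: parse a multiline reply into
    (code, [(usage, selector, matching_type, blob_hex), ...]).
    Rejects unterminated replies, a code that changes mid-reply, and record
    lines with the wrong field count or a non-hex blob."""
    code, records = None, []
    for raw in text.split("\r\n"):
        if raw == "":
            continue
        if len(raw) < 4 or not raw[:3].isdigit() or raw[3] not in "- ":
            raise ValueError(f"malformed reply line: {raw!r}")
        if code is not None and int(raw[:3]) != code:
            raise ValueError("reply code changed mid-reply")
        code = int(raw[:3])
        if code == 250:
            fields = raw[4:].split(" ")
            if len(fields) != 4:
                raise ValueError(f"bad record line: {raw!r}")
            usage, selector, mtype, blob = fields
            bytes.fromhex(blob)  # raises ValueError on a non-hex blob
            records.append((int(usage), int(selector), int(mtype), blob))
        if raw[3] == " ":
            return code, records  # final line of the reply seen
    raise ValueError("reply was not terminated")


def _readline(sock) -> str:
    """Read one CRLF-terminated line (or until EOF) from a socket."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def lookup(localpart: str, records=SAMPLE_RECORDS):
    """Drive one exchange over a connected socket pair, server in a thread.
    In deployment the client would resolve the domain's SRV record, connect
    to the host/port it names and wrap the socket with ssl.SSLContext (the
    TLS handshake in the sketch) before sending; omitted here so the example
    runs offline without a certificate."""
    if '"' in localpart or any(not 0x20 <= ord(c) <= 0x7E for c in localpart):
        raise ValueError("local part would break the quoted-string framing")
    client, server = socket.socketpair()

    def serve():
        with server:  # server closes after its reply, which ends the exchange
            server.sendall(handle_request(_readline(server), records).encode("ascii"))

    worker = threading.Thread(target=serve)
    worker.start()
    with client:
        client.sendall(f'SMIMEA "{localpart}"\r\n'.encode("ascii"))
        reply = b""
        while chunk := client.recv(4096):
            reply += chunk
    worker.join()
    return parse_reply(reply.decode("ascii"))


if __name__ == "__main__":
    print(lookup("Frank.Jr."))
    print(lookup("nobody"))
```

Note that `lookup("Frank.Jr.")` and `lookup("frank.jr.")` return the same records only because `canonicalize` case-folds; the whole point of putting the service next to the MTA is that this decision is made once, by the party that actually owns the mailbox namespace, rather than by every client guessing.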