IETF Logo Mail Archive

Re: [dane] Request DANE ALPS (another attempt to canonicalize local parts)

"John R Levine" <johnl@taugh.com> Tue, 08 March 2016 08:32 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0B0C12D560 for <dane@ietfa.amsl.com>; Tue, 8 Mar 2016 00:32:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=kLy+XWzS; dkim=pass (1536-bit key) header.d=taugh.com header.b=OIfB+Z0d
Received: from mail.ietf.org ([127.0.0.1]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ooc-GfH3tVZe for <dane@ietfa.amsl.com>; Tue, 8 Mar 2016 00:32:09 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C898C12D564 for <dane@ietf.org>; Tue, 8 Mar 2016 00:32:08 -0800 (PST)
Received: (qmail 53190 invoked from network); 8 Mar 2016 08:32:07 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=cfc5.56de8e07.k1603; bh=XMqeDDzKk1VBI4QN5JJXlPs4+MPGBkJeQ55W3/qQokI=; b=kLy+XWzSVJjXbKKXrXrV8J/Hexjf62lmIDLX5QBrs2IJlNf+1vNCh7g/zGq48j18jaRazBu5f4uMbetd0b3Zav3ZqFgpPqC5SjfJWkaIibZm6Nc4Pn8eJrGcgpg+wR6g0oy8WyT6jxA/tzwciXUEwdU8U0PK6gv1ypTv9QlH3ew1Ey50x+6Tgu/ZxISytluy5FhYPrBwj8cPdTmCLdf/P6RTC03jndrdLi+/G+yKx80BRMYe9RmHLquLcpGSvPdz
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=cfc5.56de8e07.k1603; bh=XMqeDDzKk1VBI4QN5JJXlPs4+MPGBkJeQ55W3/qQokI=; b=OIfB+Z0dRrYaEUhT1ptINMk51AqptA0sEz5WbKaL60GlT7Xkpy1FgQi3HbsGf35ZQ3f60611F0AdJ0xcdEEJkJzR1Va/wiFw8SjTG8Br4hXwp9KNRmU/0hBEFgErFD/o/PEfj+u70OGVSU5LE8ZapXracGIVkcM6BzCmFe1nzczMXNE4HHwEf7wQFiHAN/vJLEa/xNWRP5HuLq1lrAcAABI/cpcgF5r/ZncAqk0VY7GhShlmEyfdwtACW6FdW8p7
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 08 Mar 2016 08:32:06 -0000
Date: Tue, 08 Mar 2016 09:32:05 +0100
Message-ID: <alpine.OSX.2.11.1603080926200.3525@ary.local>
From: John R Levine <johnl@taugh.com>
To: Sean Leonard <dev+ietf@seantek.com>
In-Reply-To: <56DE6E26.8090101@seantek.com>
References: <20160307125450.1161.qmail@ary.lan> <56DE6E26.8090101@seantek.com>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/VLeVOwzsiywwPlNvdJS6r5UDDs8>
Cc: ietf-smtp@ietf.org, dane@ietf.org
Subject: Re: [dane] Request DANE ALPS (another attempt to canonicalize local parts)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2016 08:32:11 -0000

I think it's fair to say that doing an end run around the "Mail Gods" with 
yet another attempt to canonicalize local parts will not make them any 
less annoyed.  Hand waving claims that it's doing something else doesn't 
make it so.

I hope it's obvious why one approach to doing it in DANE and a different 
incompatble approach in PKIX would be a bad idea.

R's,
John

On Mon, 7 Mar 2016, Sean Leonard wrote:
> On 3/7/2016 4:54 AM, John Levine wrote:
>> In article <56DD1DB7.7050305@seantek.com> you write:
>>> Hello:
>>> 
>>> As the chairs graciously requested and got a meeting slot in Buenos
>>> Aires, I would like to request DANE ALPS (Alternative Local-Part
>>> Synthesis) discussion time at IETF 95.
>> This draft belongs in ietf-smtp or maybe appsarea, not DANE.  It's an
>> interesting idea, but since it changes the rules about who interprets
>> local-parts, it's an update to RFC 5321.
>> 
>> Also, it's an issue that affects people in a lot of places other than DANE.
>> Pkix has been having somewhat similar discussions about the names in X.509
>> certificates.
>
> As the document itself states (repeatedly), the DANE ALPS proposal is very 
> specific to DANE. It does not affect how the mail infrastructure interprets 
> local-parts, because to do otherwise would anger the Mail Gods. We are 
> leaving the issue alone. Local-Part is and remains left to the interpretation 
> of the receiving MTA.
>
> The point of DANE ALPS is to reduce the burden of maintaining a bajillion 
> variations of records, for operating a DANE/DNSSEC-enabled zone. Consider a 
> case where the owners want *all* messages sent to e-mail addresses in a 
> domain to use the same key. Perhaps that key is a master encryption key for 
> policy reasons, that will be decrypted by some gateway. Another case is where 
> one user maintains the whole domain: *@ietf.taugh.com e-mail addresses should 
> all be encrypted to the same key and read (ultimately) by the same user, even 
> if the messages get fanned out into different mailboxes on the back end. In 
> such cases, is it desirable for the DANE/DNSSEC-enabled zone to maintain a 
> bajillion different records with the same key info, or just to maintain one 
> record, and have a mechanism to point queries to that specific record? The 
> latter is simply more efficient (and more easily auditable).
>
> Now, a possible outcome of the WG presentation/meeting is that the proposal 
> has broader application than just DANE. In that case, expanding or moving it 
> elsewhere would be fine. But we need to have that discussion.
>
> Yes, it came up in PKIX recently...there is a broader question about how to 
> determine e-mail address equivalence, when the two inputs are not bit-for-bit 
> identical. This is an industry-wide problem. However, the DANE ALPS solution 
> is about alternate queries of the DNS zone between a DNS client and a DNS 
> server, not equivalence. It is specific to the way that DANE operates and is 
> not intended to be a published general statement about how the domain's MTA 
> fans out mail.
>
> draft-osterweil-dmarc-dane-names also tries to address the matter using DMARC 
> records. However, it goes a step further by saying "canonicalization 
> policy"--which implies that it is promulgating interpretations of the 
> local-part that might cause a disturbance in the (Mail Gods') Force. See:
> http://mailarchive.ietf.org/arch/msg/dane/gWhYXtSyNGh2D2uuDp99LWHzBSU
>
> That approach should also be covered and discussed.
>
> So now we have at least four different approaches: a) do nothing, b) 
> draft-seantek-dane-alps, c) draft-levine-dns-mailbox (a collection of 
> different approaches), d) draft-osterweil-dmarc-dane-names. Obviously the WG 
> is struggling to do something here, hence, discussion.
>
> Regards,
>
> Sean
>
>
>

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

v2.23.0 | Report a Bug | By Email