Re: [dane] WGLC: DANE-SMTP (final operational guidance tweaks?)

James Cloos <cloos@jhcloos.com> Sat, 28 February 2015 23:08 UTC

From: James Cloos <cloos@jhcloos.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <20150228214827.GA1260@mournblade.imrryr.org> (Viktor Dukhovni's message of "Sat, 28 Feb 2015 21:48:27 +0000")
References: <20141209095813.GP285@mournblade.imrryr.org> <20150108011529.GU7322@mournblade.imrryr.org> <18B6C626-B27B-4EE9-A3E2-32CD43B195FA@ogud.com> <20150220220921.GH1260@mournblade.imrryr.org> <20150228214827.GA1260@mournblade.imrryr.org>
Copyright: Copyright 2015 James Cloos
OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Sat, 28 Feb 2015 18:05:53 -0500
Message-ID: <m3lhjhzlf2.fsf@carbon.jhcloos.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/kCT6TG3eRL2DDGGeK8aqe1O6bmE>
Cc: "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] WGLC: DANE-SMTP (final operational guidance tweaks?)

>>>>> "VD" == Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

VD>     * In Publisher Operational considerations again mention the need
VD>       to avoid PKIX-TA/PKIX-EE

Do mention that the reason is that most MXs do not configure the OS's CA
suite by default, and most operators leave that as is.  I.e., that it is
not a fundamental limitation of SMTP but rather a nearly ubiquitous
reality of how they are configured for port 25.

VD>     * In Publisher Operational considerations note that DANE TLSA and
VD>       MTAs that only offer STARTTLS selectively (e.g. to client that
VD>       pass greylisting) don't mix.

+inf on that!

VD>     * Note that some software cannot send root trust-anchors, if so
VD>       the server TLSA records need to list an intermediate CA or use
VD>       DANE-EE(3).

Also helpful.

VD>     * In section 3.1.3 note that the SHOULD NOT for PKIX-TA/PKIX-EE
VD>       applies only to MTA-to-MTA SMTP, and MUA-to-MSA is not in scope.

VD> Should I add these to -15 before IETF LC?

+1.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
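The publisher-side guidance discussed in this message (avoid PKIX-TA/PKIX-EE because MTA-to-MTA clients rarely have a CA bundle; when the server cannot send its root, pin an intermediate CA with DANE-TA(2) or use DANE-EE(3)) can be turned into a lint a zone operator runs before publishing TLSA records. The following is an added example, not code from this thread or from the DANE-SMTP draft; the `Cert` stand-in, the placeholder certificate bytes and the `lint_tlsa` / `make_tlsa` helpers are constructed for illustration. It hashes the same bytes a TLSA selector would (full certificate or SubjectPublicKeyInfo) and checks each candidate record against the chain the MX actually sends, which here omits the root.

```python
import hashlib
from dataclasses import dataclass

# TLSA certificate usages (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors and matching types
FULL_CERT, SPKI = 0, 1
EXACT, SHA256, SHA512 = 0, 1, 2


@dataclass
class Cert:
    """Stand-in for an X.509 certificate holding only the bytes a TLSA
    selector operates on. Both byte fields are constructed placeholders,
    not real DER."""
    name: str
    der: bytes    # whole certificate (selector 0)
    spki: bytes   # SubjectPublicKeyInfo (selector 1)


def tlsa_data(cert, selector, mtype):
    """Certificate association data for `cert`, as lowercase hex."""
    data = cert.der if selector == FULL_CERT else cert.spki
    if mtype == EXACT:
        return data.hex()
    if mtype == SHA256:
        return hashlib.sha256(data).hexdigest()
    if mtype == SHA512:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert, usage, selector=SPKI, mtype=SHA256):
    """Presentation-format RDATA for a TLSA record pinning `cert`."""
    return f"{usage} {selector} {mtype} {tlsa_data(cert, selector, mtype)}"


def parse_tlsa(rdata):
    """Split presentation-format RDATA into (usage, selector, mtype, hex)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), hexdata.replace(" ", "").lower()


def lint_tlsa(rdata, sent_chain):
    """Check one TLSA record against the chain the MX sends (leaf first;
    the root is often omitted by the server). Returns (ok, reason)."""
    usage, selector, mtype, hexdata = parse_tlsa(rdata)
    if usage in (PKIX_TA, PKIX_EE):
        return False, (f"usage {usage} requires the SMTP client to have a CA "
                       "bundle, which most MTAs lack; use DANE-TA(2) or DANE-EE(3)")
    if usage == DANE_EE:
        leaf = sent_chain[0]
        if tlsa_data(leaf, selector, mtype) == hexdata:
            return True, f"DANE-EE(3) matches leaf {leaf.name}"
        return False, "DANE-EE(3) record does not match the leaf certificate"
    if usage == DANE_TA:
        # The trust anchor must be a CA certificate the server actually
        # sends; a root the software cannot include will never match.
        for ca in sent_chain[1:]:
            if tlsa_data(ca, selector, mtype) == hexdata:
                return True, f"DANE-TA(2) matches {ca.name} in the sent chain"
        return False, ("DANE-TA(2) record matches no CA in the sent chain; "
                       "pin the intermediate or use DANE-EE(3)")
    return False, f"unknown certificate usage {usage}"


# Constructed placeholder chain: the server sends leaf + intermediate but
# omits the root, as the thread notes some software cannot send it.
ROOT = Cert("Example Root CA", b"root-cert-der", b"root-spki-der")
INTERMEDIATE = Cert("Example Issuing CA", b"int-cert-der", b"int-spki-der")
LEAF = Cert("mx.example.com", b"leaf-cert-der", b"leaf-spki-der")
SENT_CHAIN = [LEAF, INTERMEDIATE]

# Candidate records a publisher might generate from their own certificates.
CANDIDATE_RECORDS = {
    "pkix_ee": make_tlsa(LEAF, PKIX_EE),
    "ta_root": make_tlsa(ROOT, DANE_TA),
    "ta_intermediate": make_tlsa(INTERMEDIATE, DANE_TA),
    "ee_leaf": make_tlsa(LEAF, DANE_EE),
}


def lint_all(records=CANDIDATE_RECORDS, chain=SENT_CHAIN):
    """Lint every candidate record; returns {label: (ok, reason)}."""
    return {label: lint_tlsa(r, chain) for label, r in records.items()}


if __name__ == "__main__":
    for label, (ok, why) in lint_all().items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {why}")
```

Run as-is, the PKIX-EE record and the DANE-TA record pinned to the unsent root both fail, while the intermediate-pinned DANE-TA(2) record and the DANE-EE(3) record pass. Against a real MX the `Cert` objects would be filled from the DER the server presents during STARTTLS, and the chain must be captured from the SMTP port itself, since a server that offers STARTTLS only selectively cannot be relied on to present any chain at all.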