Re: [dane] Comments on draft-ietf-dane-smtp-00
SM <sm@resistor.net> Sun, 03 February 2013 07:14 UTC
Return-Path: <sm@resistor.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1281521F86F4 for <dane@ietfa.amsl.com>; Sat, 2 Feb 2013 23:14:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.285
X-Spam-Level:
X-Spam-Status: No, score=-102.285 tagged_above=-999 required=5 tests=[AWL=-0.286, BAYES_00=-2.599, J_CHICKENPOX_44=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jYESkqJ+kyjj for <dane@ietfa.amsl.com>; Sat, 2 Feb 2013 23:14:22 -0800 (PST)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EBCC21F86AC for <dane@ietf.org>; Sat, 2 Feb 2013 23:14:21 -0800 (PST)
Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r137E7Ig011933; Sat, 2 Feb 2013 23:14:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1359875652; bh=yqhKS7qVUhDyHkmCta4hMUk/6/dn8xlC87xVHqgGeJs=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=j4Myjghh6UCJ8EMUs71K6C9dPRUsEOHEM9NyhQPuVTR4Pe8W0cVbzSJEEIWSNDDx/ zBr62sSNAELhYvctIebsvXoo1H1QCiIy1yt7kQ2MrkCV1Pu6S2RAqxjaFgLT/EAkYW aeN4N2eO+4cjcBnKVDx06ZXkRIlIXi5YIbciGs5w=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1359875652; i=@resistor.net; bh=yqhKS7qVUhDyHkmCta4hMUk/6/dn8xlC87xVHqgGeJs=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=kcFoLbpvP+1E28Vdd4C96V9Y/K3YxR5SrYeEaWwIIDmKtbj9uQLkAbA+p8koSv1dO YS6ZqggkwDeEOjLX3ruKMPmBLWdB9LNIPwMZMu7VEmus20YqD3Tk2X8QcXVDcYc3wz FXbRoawKiskVmhfpJc5ILGqucYPc+dvKWqUc8fxA=
Message-Id: <6.2.5.6.2.20130202160359.0a017788@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Sat, 02 Feb 2013 22:56:43 -0800
To: Tony Finch <dot@dotat.at>
From: SM <sm@resistor.net>
In-Reply-To: <alpine.LSU.2.00.1302022100070.32682@hermes-1.csi.cam.ac.uk >
References: <6.2.5.6.2.20130201225257.09a5bb70@elandnews.com> <alpine.LSU.2.00.1302022100070.32682@hermes-1.csi.cam.ac.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: dane@ietf.org
Subject: Re: [dane] Comments on draft-ietf-dane-smtp-00
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Feb 2013 07:14:24 -0000
Hi Tony, At 13:28 02-02-2013, Tony Finch wrote: >Note that the details of the Received: header are specified as part of >SMTP - RFC 5321 section 4.4. So although I am inclined to agree with your >conclusion, your reasoning is flawed :-) :-) >Wouldn't that be a downref (since RFC 5598 is informational) and therefore >wrong? Yes. It can be called out during the Last Call. RFC 5598 is already in the Downref registry. There shouldn't be any process issue if the reference is normative. >Would you be happier if I change this text to "A CNAME record (which might >be synthesized from a DNAME record) pointing to a successful result"? It's better to leave DNAME to 5321bis. The issue the draft tries to tackle is similar to what is in Section 3.7.2 of RFC 6531, i.e. in this case DNSSEC support. The text in Section 3.1 of the draft discussing about CNAME RRs can be interpreted in different ways. Although I read Section 5.1 of RFC 5321 again I cannot come up with suggested text for now. You already have the main idea in the draft. It's a matter of word-smithing it. Typo in Section 3.1: "successful". >In fact when I split this document into a generic DANE+SRV/MX document >plus a DANE+SMTP document, I plan to describe alias handling better, so >the above text will be revised more thoroughly than that. Alias handling was an issue for SMTP due to an incorrect interpretation of the specification. The discussion was previously controversial. >No, I think it's really important to get this right and pin down the >details, which is why section 7.4 exists. This is not such a problem for >SMTP because its certificate name checking does not currently exist; but >other SRV-based protocols (such as XMPP and RFC 6186 for MUAs) follow RFC >6125 rules where without DNSSEC they have to check the certificate subject >name against the service domain. With DNSSEC they can instead check the >certificate against the server host name, since DNSSEC has authenticated >the link from service domain to server host name. This is desirable for >multi-tenant services since it avoids the need for lots of certificates or >large certificates, and it is important for applications like SMTP where a >message can relate to multiple service domains. I covered the forwards / >backwards compatibility aspects of this a bit better in >draft-fanf-dane-mua and I'll fold the relevant parts into the generic >DNAE+SRV draft. It may end up being more work if the draft attempts to address all the details. Sorry for not being able to provide a clear answer. I will have to review some of the STARTTLS discussions and some other discussions before commenting further about the SMTP angle. I read draft-fanf-dane-mua previously. XMPP should be easier as there is draft-miller-xmpp-dnssec-prooftype-03. In Section 1: "We use DNSSEC to secure the association between a mail domain and its SMTP server host names, and between the host names and their certificates. Connections to servers are authenticated by their TLS certificates." Thinking about this, I would take a SMTP client to SMTP server approach instead of mail domain to SMTP server. The problem description is to secure the client to server connection. This means figuring out the secure delegation part (DNSSEC) and after that the TLS part. I can cover the Smarthost case by reusing some of the logic from secure delegation part. I better stop thinking. :-) Regards, -sm