IETF Logo Mail Archive

Re: [dane] Barry Leiba's Discuss on draft-ietf-dane-smtp-with-dane-17: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Tue, 26 May 2015 01:40 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5503B1AD0CC; Mon, 25 May 2015 18:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6R6NKC5v0lYp; Mon, 25 May 2015 18:40:14 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A4B61AD0C8; Mon, 25 May 2015 18:40:14 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3lwdJr2WT8z1Hm; Tue, 26 May 2015 03:40:12 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=Bcks/nzq
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id NzJhwTthXYDL; Tue, 26 May 2015 03:40:11 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 26 May 2015 03:40:11 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 5B51480042; Mon, 25 May 2015 21:40:09 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1432604409; bh=WVcBXUWyiOFFMSD/43d215u1ErT2XTZ0p/7RGEeEVNU=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Bcks/nzqApK5SOx0TfHyvFOx61Q+/OXGrUFpC/7Bn8YGm1PBzmXfBiOLN60pJPb88 JmiSAFqhs+m5jJEMQfbCstjdE0ghqC8WMZ04jZMv0SJmrza7/yMc753+YUN5z4YF6a k8pRF7nds5xRt8SJGhRHMdrBgJYkSyS1lqhAgwzQ=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t4Q1e9aN014174; Mon, 25 May 2015 21:40:09 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 25 May 2015 21:40:09 -0400
From: Paul Wouters <paul@nohats.ca>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <20150526013313.55BD02F51464@rock.dv.isc.org>
Message-ID: <alpine.LFD.2.11.1505252136530.5996@bofh.nohats.ca>
References: <20150524204121.31745.72546.idtracker@ietfa.amsl.com> <20150525020430.GK17272@mournblade.imrryr.org> <841AFD92-8615-43BF-98B4-48770FA72235@ogud.com> <20150526000338.D70AC2F50D87@rock.dv.isc.org> <alpine.LFD.2.11.1505252020130.5996@bofh.nohats.ca> <20150526013313.55BD02F51464@rock.dv.isc.org>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/rR-W-KTcNihJB7wQ7qFs5wH0ZEY>
Cc: draft-ietf-dane-smtp-with-dane@ietf.org, The IESG <iesg@ietf.org>, dane WG list <dane@ietf.org>
Subject: Re: [dane] Barry Leiba's Discuss on draft-ietf-dane-smtp-with-dane-17: (with DISCUSS and COMMENT)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 01:40:16 -0000

On Tue, 26 May 2015, Mark Andrews wrote:

> If the A/AAAA result is secure you do the TLSA lookup.
>
>>>  You can't prove
>>> whether the server was supposed to offer STARTTLS or not.
>>
>> Yes you can? The presence of TLSA means you MUST do STARTTLS,
>> and not downgrade to plaintext. Sure, it can be spoofed but
>> you're not posting anything signed with DNSSEC, you're not
>> losing any security here?
>
> If the answer is INSECURE you can't prove the TLSA exists.  The
> MUST only applies if you get a SECURE response to the TLSA record
> which will not happen if the A/AAAA response is insecure.

I forgot the whole level of indirection looking up the TLSA at the
mail server names instead of the domain zone itself. I never liked
these but I understand why it's the least worst solution.

Thanks Mark and Viktor for explaining it to me, again....  :)

Paul

v2.23.0 | Report a Bug | By Email