Re: [dane] WGLC: DANE-SRV & DANE-SMTP

Sean Turner <turners@ieca.com> Thu, 22 January 2015 21:23 UTC

Return-Path: <turners@ieca.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F0481B2A4E for <dane@ietfa.amsl.com>; Thu, 22 Jan 2015 13:23:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.567
X-Spam-Level:
X-Spam-Status: No, score=-0.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_BARE_IP_2=1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2P8uo34gykQw for <dane@ietfa.amsl.com>; Thu, 22 Jan 2015 13:23:39 -0800 (PST)
Received: from gateway11.websitewelcome.com (gateway11.websitewelcome.com [67.18.94.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEB2A1B2A4B for <dane@ietf.org>; Thu, 22 Jan 2015 13:23:38 -0800 (PST)
Received: by gateway11.websitewelcome.com (Postfix, from userid 500) id 663128B6BF165; Thu, 22 Jan 2015 15:23:38 -0600 (CST)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway11.websitewelcome.com (Postfix) with ESMTP id 520D58B6BF142 for <dane@ietf.org>; Thu, 22 Jan 2015 15:23:38 -0600 (CST)
Received: from [96.231.226.60] (port=51273 helo=192.168.1.2) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <turners@ieca.com>) id 1YEPE1-0004wb-Op for dane@ietf.org; Thu, 22 Jan 2015 15:23:37 -0600
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <0DAFC2A8-A1E2-46F4-BA52-E8261CB09159@ogud.com>
Date: Thu, 22 Jan 2015 16:23:36 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <9DEDC923-8B03-4AF7-82FF-60C96C614641@ieca.com>
References: <0DAFC2A8-A1E2-46F4-BA52-E8261CB09159@ogud.com>
To: "<dane@ietf.org>" <dane@ietf.org>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.226.60
X-Exim-ID: 1YEPE1-0004wb-Op
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (192.168.1.2) [96.231.226.60]:51273
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/tX62NGqF61Qr2mSRLWmPrdURMSk>
Subject: Re: [dane] WGLC: DANE-SRV & DANE-SMTP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jan 2015 21:23:42 -0000

On Nov 12, 2014, at 23:09, Olafur Gudmundsson <ogud@ogud.com> wrote:

> Dear wg members
> 
> This email message starts a three week WGLC ending on December 4’th at 23:59 UTC. 
> https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13
> 
> These two document are specifying related uses of DANE. 
> Please review the documents carefully, in particular we want to make sure the documents have no 
> contradictions. 
> 

Apologies again for being late.  Here are my comments on the DANE SMTP draft.  Though pretty dense, I think this is a well written document that does a good job explaining why you might want to deploy this as well as how to deploy it.  Got one major (procedural thing) but the rest are editorial:

This is procedural but I guess it’s major:

Am I right that this draft is using the new definition for DANE-EE that is documented in draft-ietf-dane-ops?  Don’t we have to wait for it to update RFC 6698 or does this specification have to indicate that it updates RFC 6698?

Nits:

0) s1.1, delayed delivery: r/When an MTA is unable forward/When an MTA is to unable forward

1) s1.1, delayed delivery: Might be good to have a forward reference to “mandatory DANE TLS” in the later section or add it as a definition in s1.1.

2) s1.1: Couldn’t hurt to have informative references to DNS RR and RRSet.

3) s1.2: r/Certificate Authority/Certification Authority

4) s1.3.2: r/and requiring/and require

5) s1.3.3: What I think you’re trying to say here:

 Sending systems are in some cases explicitly configured to use TLS
 for mail sent to selected peer domains.   This requires sending MTAs
 to be configured with appropriate subject names or certificate
 content digests to expect in the presented server certificates.

is this:

 Sending systems are in some cases explicitly configured to use TLS
 for mail sent to selected peer domains, but this requires configuring
 sending MTAs with appropriate subject names or certificate
 content digests from their peer domains.

6) s2.1.3: I think if we’re going to have a “MUST NOT” for something it’s probably worth a pointer to the definition in RFC 4033 for "Security-Oblivious stub-resolvers” or add it to s1.1 and point to RFC 4033.

7) s2.2.1: The text about MAT delivery logs made me wonder where the rest of the normative behavior is for MTA delivery logs and whether this text is updating that text.

8) s3.1: Should this be "RECOMMEND":

  In summary, we recommend the use of either "DANE-EE(3) SPKI(1)
  SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records
  depending on site needs.

9) s3.1: Maybe reword:

 The mandatory to support digest algorithm in [RFC6698] is
 SHA2-256(1)

to: 

 As specified in [RFC6698], the mandatory to implement digest
 algorithm is SHA2-256(1).

10) s3.2.3: r/must be entire/must be the entire