Re: [Gen-art] [Uta] Genart last call review of draft-ietf-uta-smtp-tlsrpt-17

"Brotman, Alexander" <Alexander_Brotman@comcast.com> Wed, 14 March 2018 11:21 UTC

From: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>, Viktor Dukhovni <ietf-dane@dukhovni.org>
CC: "gen-art@ietf.org" <gen-art@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "draft-ietf-uta-smtp-tlsrpt.all@ietf.org" <draft-ietf-uta-smtp-tlsrpt.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Date: Wed, 14 Mar 2018 11:21:21 +0000
Message-ID: <f5a3f45961fa4f46bf8e8cd269936451@COPDCEX19.cable.comcast.com>
References: <152054808275.11187.13276762980596133506@ietfa.amsl.com> <0423F6BE-6CF5-4DBA-A241-56142268D067@dukhovni.org> <5960ef77-8310-0b05-6c89-46b35023f314@joelhalpern.com>
In-Reply-To: <5960ef77-8310-0b05-6c89-46b35023f314@joelhalpern.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/rVQuUow7-TeIbBAVDSVE4UczvxI>
Subject: Re: [Gen-art] [Uta] Genart last call review of draft-ietf-uta-smtp-tlsrpt-17
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>

I don't see any reason a specific DKIM selector wouldn't be possible.

We'll see if we can get some language added to address the clarifications you've requested.

--
Alex Brotman
Sr. Engineer, Anti-Abuse
Comcast

-----Original Message-----
From: Joel M. Halpern [mailto:jmh@joelhalpern.com] 
Sent: Thursday, March 08, 2018 6:47 PM
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: gen-art@ietf.org; uta@ietf.org; draft-ietf-uta-smtp-tlsrpt.all@ietf.org; ietf@ietf.org
Subject: Re: [Uta] Genart last call review of draft-ietf-uta-smtp-tlsrpt-17

A reasonable perspective.  Could that be added to the document?

Yours,
Joel

On 3/8/18 6:33 PM, Viktor Dukhovni wrote:
> 
> 
>> On Mar 8, 2018, at 5:28 PM, Joel Halpern <jmh@joelhalpern.com> wrote:
>>
>>     It is surprising in Section 3 Bullet 4 that reporting via email requires
>>     that the report submitted use DKIM.  Particularly while ignoring any
>>     security errors in communicating with the recipient domain.
> 
> Actually, this is not surprising.  The main security risk here is 
> report spam, which will drown the true signal in noise, making it 
> impossible to notice real validation failures or operate the service.
> 
> Therefore, the report origin domain must be authenticated via DKIM.  
> I'd be tempted to go further and require a particular "selector" 
> prefix that is specifically chosen for "tlsrpt", so that with domains 
> such as "gmail", where anyone can get an email account, just being a 
> user on the sending system is not enough to be able to forge a DKIM authenticated report.
> But that would create significant complications for the sender to make 
> it so, and so is probably not needed.
> 
> In summary, when sending reports the party that needs to be 
> authenticated is the sender domain, while the receiving domain is 
> presumed operationally compromised, and so should be exempt from any authentication requirements.
>
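The receiver-side rule Viktor describes above (accept a mailed TLSRPT report only when its origin domain is DKIM-authenticated, optionally demanding a selector reserved for "tlsrpt"), as an added Python example that is not part of the thread or of the draft. It assumes the receiving MTA has already verified DKIM and recorded the outcome in an RFC 8601 Authentication-Results header stamped with the receiver's own authserv-id; all header samples are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# dkim method result inside an RFC 8601 Authentication-Results header.
DKIM_RESULT = re.compile(
    r"dkim=(?P<result>\w+)(?:\s*\([^)]*\))?"
    r"(?:\s+header\.d=(?P<d>[A-Za-z0-9.-]+))?"
    r"(?:\s+header\.s=(?P<s>[A-Za-z0-9._-]+))?",
    re.IGNORECASE,
)

def report_origin_ok(raw_message, authserv_id, selector_prefix=None):
    """Return (accepted, reason) for a TLSRPT report delivered by email.

    Assumed (not from the draft): our MTA verified DKIM and recorded the
    result in an Authentication-Results header carrying our authserv-id;
    copies of that header with any other id may be sender-supplied.
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        return False, "no From domain"
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = hdr.partition(";")
        if authserv.strip().lower() != authserv_id.lower():
            continue  # not stamped by our own MTA
        m = DKIM_RESULT.search(results)
        if not m or m["result"].lower() != "pass" or not m["d"]:
            return False, "no passing DKIM signature"
        d, s = m["d"].lower(), (m["s"] or "").lower()
        if d != from_domain:  # the report origin (From domain) must be the signer
            return False, "signer %s is not the From domain %s" % (d, from_domain)
        if selector_prefix and not s.startswith(selector_prefix.lower()):
            return False, "selector %r is not reserved for tlsrpt" % s
        return True, "report origin %s authenticated by DKIM" % d
    return False, "no Authentication-Results from %s" % authserv_id

# Constructed samples (headers only). GOOD: signed by the origin domain with a
# dedicated selector. FORGED: our MTA found no signature; the sender-supplied
# result further down is never reached. SHARED: any mailbox holder at a shared
# provider gets such a signature, so only the selector rule rejects it.
GOOD = ("Authentication-Results: mx.example.net; dkim=pass header.d=reports.example.com header.s=tlsrpt2018\n"
        "From: TLSRPT <tlsrpt@reports.example.com>\n\n")
FORGED = ("Authentication-Results: mx.example.net; dkim=none\n"
          "Authentication-Results: mx.example.net; dkim=pass header.d=reports.example.com\n"
          "From: tlsrpt@reports.example.com\n\n")
SHARED = ("Authentication-Results: mx.example.net; dkim=pass header.d=bigmail.example header.s=20180301\n"
          "From: someone@bigmail.example\n\n")
```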