Re: STARTTLS & EHLO: Errata text?
ned+ietf-smtp@mrochek.com Fri, 30 January 2009 00:47 UTC
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0U0lc4L049139 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 29 Jan 2009 17:47:39 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0U0lcqm049138; Thu, 29 Jan 2009 17:47:38 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0U0lbjR049132 for <ietf-smtp@imc.org>; Thu, 29 Jan 2009 17:47:38 -0700 (MST) (envelope-from ned+ietf-smtp@mrochek.com)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01N4VIFGEPG000UHPG@mauve.mrochek.com> for ietf-smtp@imc.org; Thu, 29 Jan 2009 16:47:33 -0800 (PST)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01N4V61WVB4G00007A@mauve.mrochek.com> (original mail from NED@mauve.mrochek.com) for ietf-smtp@imc.org; Thu, 29 Jan 2009 16:47:28 -0800 (PST)
Date: Thu, 29 Jan 2009 16:27:10 -0800
From: ned+ietf-smtp@mrochek.com
Subject: Re: STARTTLS & EHLO: Errata text?
In-reply-to: "Your message dated Thu, 29 Jan 2009 23:46:36 +0000" <49823FDC.4000006@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: ned+ietf-smtp@mrochek.com, SM <sm@resistor.net>, Tony Hansen <tony@att.com>, ietf-smtp@imc.org
Message-id: <01N4VIFDX4K000007A@mauve.mrochek.com>
MIME-version: 1.0
Content-type: TEXT/PLAIN; format="flowed"
Content-transfer-encoding: 7bit
References: <497DE492.4080506@pscs.co.uk> <497DED29.70402@att.com> <497ED420.30708@pscs.co.uk> <alpine.LSU.2.00.0901271403220.4546@hermes-2.csi.cam.ac.uk> <497F86CB.60904@att.com> <alpine.LSU.2.00.0901281434440.4546@hermes-2.csi.cam.ac.uk> <498088B8.9040404@pscs.co.uk> <alpine.LSU.2.00.0901291310080.4546@hermes-2.csi.cam.ac.uk> <4981C0D5.1010401@pscs.co.uk> <4981C6BD.2040900@att.com> <37F39FF37390694B69567838@PST.JCK.COM> <4981E1AB.9000002@att.com> <6.2.5.6.2.20090129094120.02f234a0@resistor.net> <01N4VB00O5UQ00007A@mauve.mrochek.com> <49823FDC.4000006@isode.com>
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>
> > The simplest fix to bring this text in line with reality is to change > > the MUST > > into a SHOULD. Beyond that lies a slippery slope where we attempt to > > categorize > > what sorts of information a server can or cannot retain. I really > > don't think > > we want to go there. > I would like suggest an alternative: how about saying > The server MUST NOT trust any information obtained > from the client, such as command verbs and their arguments, prior to > the TLS negotiation. > The client MUST NOT trust any information obtained from the server, > such as the list of SMTP service extensions, > prior to the TLS negotiation. > This avoid the whole issue of what the client/server must and must not > remember. Very clever - it focuses on the real issue and avoids the slippery slope. . I like it a lot. This is definitely the way to go. > > While this clarification exercise is all well and good, if we're > > actually going > > to issue a revision to RFC 3207 we should consider fixing its most > > serious flaw > > (IMO) - the lack of a domain parameter on the STARTTLS command, in > > order to > > allow a single SMTP server to provide "virtual hosting" support for > > multiple > > domains. > This is an interesting issue, because it affects pretty much any > application protocol that have STARTTLS command or similar. > While I agree that this functionality is needed, I came to conclusion > that this change at the application layer is not needed, as there a TLS > extension for doing exactly that (RFC 4366, section 3.1). It might even > be supported by OpenSSL. > But lack of APIs for controlling this in TLS libraries might be a problem. My understanding is there's an API for it in NSS, but for various reasons it's effectively unusable. (Something about use of it not playing nice with how this stuff interfaces with the cert db.) This is not something I code myself so I don't know all the ins and outs of it, but what I do know is that the people who do deal with this say it's a nonstarter given the present state of play of existing TLS libraries. All things being equal I would much rather see this dealt with at the TLS layer. But that's not the current situation and I am unconvinced that it's going to change faster than we could get an extension deployed. Ned
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? Tony Finch
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? ned+ietf-smtp
- Re: STARTTLS & EHLO: Errata text? Tony Finch
- Re: STARTTLS & EHLO: Errata text? Tony Finch
- Re: STARTTLS & EHLO: Errata text? Tony Finch
- Re: STARTTLS & EHLO: Errata text? Russ Allbery
- Re: STARTTLS & EHLO: Errata text? ned+ietf-smtp
- Re: STARTTLS & EHLO: Errata text? SM
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? John C Klensin
- Re: STARTTLS & EHLO: Errata text? Paul Smith
- Re: STARTTLS & EHLO: Errata text? Paul Smith
- Re: STARTTLS & EHLO Tony Hansen
- Re: STARTTLS & EHLO: Errata text? Russ Allbery
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? ned+ietf-smtp
- Re: STARTTLS & EHLO: Errata text? John C Klensin
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? ned+ietf-smtp
- Re: STARTTLS & EHLO: Errata text? Alexey Melnikov
- Re: STARTTLS & EHLO: Errata text? Alexey Melnikov
- Re: STARTTLS & EHLO: Errata text? SM
- Re: STARTTLS & EHLO: Errata text? ned+ietf-smtp
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? Bill McQuillan
- Re: STARTTLS & EHLO: Errata text? John C Klensin
- Re: STARTTLS & EHLO: Errata text? SM
- Re: STARTTLS & EHLO: Errata text? Alexey Melnikov
- Re: STARTTLS & EHLO: Errata text? Tony Hansen
- Re: STARTTLS & EHLO John C Klensin
- Re: STARTTLS & EHLO Tony Hansen
- Re: STARTTLS & EHLO Paul Smith
- Re: STARTTLS & EHLO Tony Finch
- Re: STARTTLS & EHLO Hector Santos
- Re: STARTTLS & EHLO SM
- Re: STARTTLS & EHLO John C Klensin
- Re: STARTTLS & EHLO Tony Hansen
- Re: STARTTLS & EHLO Peter Bowyer
- Re: STARTTLS & EHLO Hector Santos
- Re: STARTTLS & EHLO Paul Smith
- Re: STARTTLS & EHLO Tony Finch
- Re: STARTTLS & EHLO Paul Smith
- Re: STARTTLS & EHLO John C Klensin
- Re: STARTTLS & EHLO Tony Hansen
- Re: STARTTLS & EHLO Tony Finch
- Re: STARTTLS & EHLO Alessandro Vesely
- Re: STARTTLS & EHLO Paul Smith
- Re: STARTTLS & EHLO Alexey Melnikov
- Re: STARTTLS & EHLO Tony Finch
- Re: STARTTLS & EHLO John C Klensin
- Re: STARTTLS & EHLO Tony Hansen
- STARTTLS & EHLO Paul Smith
- Re: STARTTLS & EHLO: Errata text? SM
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? SM
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? John C Klensin
- Re: STARTTLS & EHLO: Errata text? Tony Finch
- RFC 1123bis? Hector Santos
- Re: STARTTLS & EHLO: Errata text? John C Klensin
- Re: STARTTLS & EHLO: Errata text? Hector Santos
- Re: STARTTLS & EHLO: Errata text? John C Klensin
- Re: STARTTLS & EHLO: Errata text? Tony Finch
- Re: STARTTLS & EHLO: Errata text? SM