Re: [ietf-smtp] why are we reinventing mta-sts ?

Daniel Margolis <dmargolis@google.com> Mon, 07 October 2019 09:11 UTC

References: <20191007002348.GA23742@x2.esmtp.org> <20191007015616.BE113BB3D68@ary.qy>
In-Reply-To: <20191007015616.BE113BB3D68@ary.qy>
From: Daniel Margolis <dmargolis@google.com>
Date: Mon, 07 Oct 2019 11:11:06 +0200
Message-ID: <CANtKdUeC0NVfvVpbHtwd=OoO=BoT8KNWVx8BGF-GPZPU-zo6QA@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: ietf-smtp@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000439ffe05944e6fdc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/uCHvVLNI6ikbudJeLc4oZW7iKOo>
Subject: Re: [ietf-smtp] why are we reinventing mta-sts ?

I've only quickly skimmed the original thread, but it seems like the
argument is about this magic DNS prefix for MX records that would indicate
"this MX should offer STARTTLS", right?

As John says, the new proposal also requires DNSSEC, no? It seems like the
primary difference is that the new proposal is simpler by indicating only
that the server supports TLS, but not what identity it presents? Why is
that desirable?

On Mon, Oct 7, 2019 at 3:56 AM John Levine <johnl@taugh.com> wrote:

> In article <20191007002348.GA23742@x2.esmtp.org> you write:
> >> What's wrong with MTA-STS defined in RFC 8461?
> >
> >It requires an HTTPS server, thus adding an extra service and moving
> >the "trust" problem to CAs (AFAICT).
>
> I was there when we were defining MTA-STS and the people involved,
> who work for companies that probably handle the majority of all of
> the mail in the world, did not want it to depend on DNSSEC for
> deployment reasons.
>
> See sections 2 and 10 of RFC 8461.
>
> If you like DNSSEC, you can publish a DANE TLSA record for your SMTP
> server, and systems like Comcast that pay attention to DNSSEC will use
> it to check that you support TLS and have the right cert.


-- 
How's my emailing? http://go/dan-email-slo
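The two mechanisms the thread contrasts, shown side by side as an added illustration (this is not code from the thread, from RFC 8461/7672, or from any MTA): an MTA-STS check matches the MX host name against a policy fetched over HTTPS, while a DANE check matches the presented certificate against a TLSA record that DNSSEC vouches for. The policy text, the TLSA record and the certificate and SPKI bytes are constructed for the example; a real sender would obtain them from the HTTPS policy fetch, the DNS lookup and the TLS handshake respectively.

```python
import hashlib
from typing import Dict, List, Tuple

# ---------------------------------------------------------------------------
# MTA-STS (RFC 8461): the policy is fetched over HTTPS and names the MX hosts
# that the receiving domain promises will offer TLS with a valid certificate.
# ---------------------------------------------------------------------------

def parse_sts_policy(text: str) -> Dict:
    """Parse an RFC 8461 policy file; repeated 'mx' lines are collected."""
    policy: Dict = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # blank or malformed lines are skipped
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported MTA-STS policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS mode")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy

def mx_matches(mx_host: str, patterns: List[str]) -> bool:
    """An 'mx' pattern is an exact host name, or '*.' plus a parent domain
    that matches exactly one additional label (RFC 8461 section 4.1)."""
    host = mx_host.rstrip(".").lower()
    for pattern in patterns:
        pattern = pattern.rstrip(".").lower()
        if pattern.startswith("*."):
            parent = pattern[2:]
            if host.endswith("." + parent) and host.count(".") == parent.count(".") + 1:
                return True
        elif host == pattern:
            return True
    return False

def sts_permits_mx(policy: Dict, mx_host: str) -> bool:
    """In 'enforce' mode an MX outside the policy must not be used; in
    'testing' or 'none' mode a mismatch is only reported, not acted on."""
    if policy["mode"] != "enforce":
        return True
    return mx_matches(mx_host, policy["mx"])

# ---------------------------------------------------------------------------
# DANE (RFC 7672): a TLSA record in a DNSSEC-signed zone pins the certificate
# or public key the MX must present, with no CA or HTTPS server involved.
# ---------------------------------------------------------------------------

TlsaRecord = Tuple[int, int, int, bytes]  # usage, selector, matching type, data

def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the zone-file form '3 1 1 <hex>' into a tuple."""
    usage, selector, mtype, hexdata = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata)

def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one TLSA record against the end-entity certificate the MX presented.
    Only DANE-EE(3) is handled here: DANE-TA(2) would need a walk of the chain,
    and RFC 7672 does not support PKIX-TA(0)/PKIX-EE(1) for SMTP."""
    usage, selector, mtype, data = record
    if usage != 3:
        return False
    if selector == 0:
        presented = cert_der          # Cert(0): the whole DER certificate
    elif selector == 1:
        presented = spki_der          # SPKI(1): only the SubjectPublicKeyInfo
    else:
        return False
    if mtype == 0:
        return presented == data      # Full(0): exact DER comparison
    if mtype == 1:
        return hashlib.sha256(presented).digest() == data
    if mtype == 2:
        return hashlib.sha512(presented).digest() == data
    return False

# Constructed sample data (not a real certificate or key): stands in for the
# DER bytes a real MX would present during the TLS handshake.
SAMPLE_CERT_DER = b"constructed-certificate-der"
SAMPLE_SPKI_DER = b"constructed-spki-der"
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()

# Constructed policy file, as it would be served at the domain's mta-sts URL.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

def demo() -> Dict[str, bool]:
    """Run both checks on the constructed data; returns results for inspection."""
    policy = parse_sts_policy(SAMPLE_POLICY)
    record = parse_tlsa(SAMPLE_TLSA)
    return {
        "sts_primary_mx": sts_permits_mx(policy, "mail.example.com"),
        "sts_wildcard_mx": sts_permits_mx(policy, "mx1.backup.example.com"),
        "sts_two_labels": sts_permits_mx(policy, "a.b.backup.example.com"),
        "sts_foreign_mx": sts_permits_mx(policy, "mx.example.net"),
        "dane_good_spki": tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER),
        "dane_swapped_key": tlsa_matches(record, SAMPLE_CERT_DER, b"other-spki"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the two halves make is the one John raises: the MTA-STS check never touches DNSSEC, since the trust it relies on is the HTTPS fetch and the WebPKI certificate of the MX, whereas the DANE check has nothing to say about CAs at all and is only as trustworthy as the DNSSEC validation that delivered the TLSA record.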