Re: UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)
Harald Alvestrand <harald@alvestrand.no> Thu, 03 December 2015 20:59 UTC
Return-Path: <harald@alvestrand.no>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 144471AC42A for <ietf@ietfa.amsl.com>; Thu, 3 Dec 2015 12:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rzX5iL6zf2It for <ietf@ietfa.amsl.com>; Thu, 3 Dec 2015 12:59:38 -0800 (PST)
Received: from mork.alvestrand.no (mork.alvestrand.no [IPv6:2001:700:1:2::117]) by ietfa.amsl.com (Postfix) with ESMTP id 5D9221AC42B for <ietf@ietf.org>; Thu, 3 Dec 2015 12:59:35 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mork.alvestrand.no (Postfix) with ESMTP id 695E47C5FDD for <ietf@ietf.org>; Thu, 3 Dec 2015 21:59:34 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at alvestrand.no
Received: from mork.alvestrand.no ([127.0.0.1]) by localhost (mork.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uROOgN0Bymrb for <ietf@ietf.org>; Thu, 3 Dec 2015 21:59:33 +0100 (CET)
Received: from [IPv6:2001:470:de0a:1:5116:5c4b:6224:39b3] (unknown [IPv6:2001:470:de0a:1:5116:5c4b:6224:39b3]) by mork.alvestrand.no (Postfix) with ESMTPSA id 6F9EF7C5FDB for <ietf@ietf.org>; Thu, 3 Dec 2015 21:59:33 +0100 (CET)
Subject: Re: UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)
To: ietf@ietf.org
References: <20151203031053.33720.qmail@ary.lan> <56602D35.3080705@alvestrand.no> <20151203143301.GE18315@mournblade.imrryr.org>
From: Harald Alvestrand <harald@alvestrand.no>
X-Enigmail-Draft-Status: N1110
Message-ID: <5660AD34.5010208@alvestrand.no>
Date: Thu, 03 Dec 2015 21:59:32 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151203143301.GE18315@mournblade.imrryr.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/0I4VSdWFvgM3RuvN0Ctop0SAA6w>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 20:59:41 -0000
Den 03. des. 2015 15:33, skrev Viktor Dukhovni: > On Thu, Dec 03, 2015 at 12:53:25PM +0100, Harald Alvestrand wrote: > >> My objections to the draft would be alleviated if the abstract was >> changed to: >> >> This document describes an experimental TLS server identity verification >> procedure for SMTP Submission, IMAP, POP and ManageSieve clients that >> is appropriate for mail servers that host a small number of domains >> under a single administration. > > This scope reduction is I think much too drastic. Firstly, because > the RFC 6186 use-case is not the only one under consideration. > Indeed if we're concerned about applicability, the draft's text > for the most important use-case of explicitly specified service > end-points (the vast majority of current practice) does not face > any new operational barriers. > > While the client would now check for "SRV-ID" with the user email > domainpart in the server certificate, there is no obligation on > the server certificate to contain these, as the client will *also* > check for the DNS-ID of the explicitly specified server hostname. > >> Procedures that scale to servers that host a large number of domains are >> for further study. > > And so in this case, all is well, provided the users of said domains > all manually specify the provider's SMTP and IMAP servers. It is > only the attempt to support "zero conf" via 6186 + SRV-ID for the > source domain that runs into likely difficulties actually obtaining > such certificates, and lack of SNI signalling. OK, make the use of "domain name from user's email address" and RFC 6186 support an experimental feature, perhaps described in an appendix. What I want the document to call out is that there are known, important use cases for which RFC 6186 together with this draft *DOES NOT WORK*. Quoting RFC 2026 is always fun: A Proposed Standard should have no known technical omissions with respect to the requirements placed upon it. However, the IESG may waive this requirement in order to allow a specification to advance to the Proposed Standard state when it is considered to be useful and necessary (and timely) even with known technical omissions. The "technical omission" here is "using 6186 together with mail servers supporting a high number of domains is going to be painful, and this document doesn't say how to solve it". Fix that, or document it. > > The lack of SNI is easily addressed, by requiring clients that > implement RFC 6186 to use SNI (indeed they'll some day have no > choice but to do that anyway with TLS 1.3). I read the TLS draft. This is still a misrepresentation; TLS 1.3 won't force anyone to use it - the higher level protocol *can*, however, do that. I would absolutely support a revision to RFC 6186 that mandates use of SNI. > >> And in the security considerations section: >> >> Because of the lack of client identification of the target domain, > > See above, this is a completely avoidable obstacle. > >> the email server certificate described in this document has to contain >> the complete list of names that the client will be looking for. If >> RFC 6186 is in use, this means that the mail server certificate will hold >> a list of all domains served by this service. > > Hence the conclusion is not valid. > >> This reveals information about >> other customers of the service, which may not be a desirable result. > > And this too becomes moot. Yes, if 6186 support is taken out of the draft, the problem goes away. But at the moment, 6186 is in the draft. Pick your poison.
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Russ Housley
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Samir Srivastava
- SPAM: - Re: Last Call: <draft-ietf-uta-email-tls-… ComKal Networks
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Niels Dettenbach
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Randy Bush
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Randy Bush
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alexey Melnikov
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Mike StJohns
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… John C Klensin
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… JORDI PALET MARTINEZ
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Leif Johansson
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Russ Housley
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Viktor Dukhovni
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Viktor Dukhovni
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… JORDI PALET MARTINEZ
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… stephen.farrell
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Julien ÉLIE
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alessandro Vesely
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alexey Melnikov
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Viktor Dukhovni
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… John C Klensin
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Viktor Dukhovni
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alessandro Vesely
- UTA: Server certificate management (Re: Last Call… Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Dave Cridland
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … Alexey Melnikov
- Re: UTA: Server certificate management (Re: Last … Alexey Melnikov
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … John C Klensin
- Re: UTA: Server certificate management (Re: Last … John R Levine
- Re: UTA: Server certificate management (Re: Last … Mark Andrews
- Re: UTA: Server certificate management (Re: Last … Joe Hildebrand
- Re: UTA: Server certificate management (Re: Last … John R Levine
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Alexey Melnikov
- Re: UTA: Server certificate management (Re: Last … Alessandro Vesely