IETF Logo Mail Archive

Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Sam Hartman <hartmans-ietf@mit.edu> Fri, 27 February 2015 14:00 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 895B71A924A for <ietf@ietfa.amsl.com>; Fri, 27 Feb 2015 06:00:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.935
X-Spam-Level:
X-Spam-Status: No, score=-0.935 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JtEn059fkJYp for <ietf@ietfa.amsl.com>; Fri, 27 Feb 2015 06:00:29 -0800 (PST)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EB121A88F6 for <ietf@ietf.org>; Fri, 27 Feb 2015 06:00:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 0C61A2060E; Fri, 27 Feb 2015 08:59:48 -0500 (EST)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V4tlCU8f4129; Fri, 27 Feb 2015 08:59:47 -0500 (EST)
Received: from carter-zimmerman.suchdamage.org (c-50-177-26-195.hsd1.ma.comcast.net [50.177.26.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Fri, 27 Feb 2015 08:59:47 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 062D087131; Fri, 27 Feb 2015 09:00:25 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Patrik Fältström <paf@frobbit.se>
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
References: <54C9DA42.5040901@cisco.com> <9EB44D8A-278B-42FC-A542-1C182AD43128@netnod.se> <A74A30F4D1214630918FD4CA@JcK-HP8200.jck.com> <20150223153757.GI1260@mournblade.imrryr.org> <20150223155241.GJ1260@mournblade.imrryr.org> <tsl8ufoh9ko.fsf@mit.edu> <2DF7230C-D1D8-4B21-9003-B336108A38CB@vpnc.org> <20150224172649.GX1260@mournblade.imrryr.org> <tslvbircj0d.fsf@mit.edu> <0325DF3F-17F3-4400-BDEA-EDB5334BF35C@frobbit.se> <20150225180227.GT1260@mournblade.imrryr.org> <tsla901akgu.fsf@mit.edu> <16ABF6B9-F113-4A1F-8816-EE041CCF4C4B@frobbit.se>
Date: Fri, 27 Feb 2015 09:00:24 -0500
In-Reply-To: <16ABF6B9-F113-4A1F-8816-EE041CCF4C4B@frobbit.se> ("Patrik Fältström"'s message of "Fri, 27 Feb 2015 08:09:22 +0100")
Message-ID: <tslbnkf5u9z.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/b94YuXIMHICHDWV8YCmn5Eytewk>
X-Mailman-Approved-At: Fri, 27 Feb 2015 08:12:19 -0800
Cc: Sam Hartman <hartmans-ietf@mit.edu>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Feb 2015 14:00:34 -0000

>>>>> "Patrik" == Patrik Fältström <paf@frobbit.se> writes:

    >> On 25 feb 2015, at 19:56, Sam Hartman <hartmans-ietf@mit.edu> wrote:
    >> 
    >> I disagree that SRV or MX introduces similar complexity into
    >> standards.

    Patrik> Sam, I feel I need to understand this.

    Patrik> For MX, you have to start with a URI like this:

    Patrik> mailto:paf@frobbit.se

I'm sorry,  I don't understand how a URI is involved in MX processing.
I don't think any of the specs are written in terms of URIsand I find
thinking of MX processing in terms of URIs to be confusing.

For email, we've never really had wide-scale deployment of TLS that does
certificate validation.
Across the Internet, starttls tends to provide something similar to
opportunistic security.
Within an organization where specific certificates are being validated
to specific anchors, I'd be mildly surprised if MX processing was a
significant part of the configuration.

I suspect there's not much uniformity about whether you check the
queried domain or the resulting domain for the certificate, and I
suspect that you'll probably need MTA-specific configuration to get cert
validation to be particularly useful with SMTP.  If I were writing an
MTA, I'd expect the cert to match what went into the MX query, not what
came out.  However, I'd have a variety of configuration options all
defaulting to not checking the certificate at all.

v2.23.0 | Report a Bug | By Email