Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 02 March 2015 18:45 UTC

Date: Mon, 02 Mar 2015 18:44:59 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
Message-ID: <20150302184458.GD1260@mournblade.imrryr.org>
References: <20150223155241.GJ1260@mournblade.imrryr.org> <tsl8ufoh9ko.fsf@mit.edu> <20150224170209.GV1260@mournblade.imrryr.org> <54F03F38.9090601@cisco.com> <1ED9F633-40B1-4A90-85FE-14526C27A485@frobbit.se> <54F043F8.6090409@cisco.com> <20150228222733.51B432A92EE3@rock.dv.isc.org> <CAMm+Lwhn=D=nOG4Bt3xcgZWja4-L-RvzJ00CkhKNhs6GnsTXGw@mail.gmail.com> <20150301202727.GD1260@mournblade.imrryr.org> <706F94C2BF98394CCD4ABE3A@JcK-HP8200.jck.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <706F94C2BF98394CCD4ABE3A@JcK-HP8200.jck.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/vxZhl36LRzxccW9Wv53g_tdD46I>

On Mon, Mar 02, 2015 at 01:35:29PM -0500, John C Klensin wrote:

> >> > but we can prevent downgrade attacks from succeeding.
> > 
> > If the MTA implements opportunistic DANE TLS, and usable TLSA
> > records *are* published, then it MUST use STARTTLS and
> > authenticate the peer via said TLSA records.
> > 
> > http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-2.2
> 
> Viktor,

[ Well known details elided. ]

> Neither DNSSEC nor DANE prevent or detect
> those attacks.  They may actually be harmful if they give the
> user a false sense of security.

Since the user is not around for MTA-to-MTA SMTP transmission there
is no opportunity for any false sense of security.  So I object to
a characterization of improved hop-by-hop transport security as
"harmful".  This is not the thread to deep dive into that.

-- 
	Viktor.
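The quoted rule (usable TLSA records published means the MTA MUST use STARTTLS and authenticate via those records) is what makes opportunistic DANE TLS downgrade-resistant: a sending MTA that has seen secure, usable TLSA records defers mail rather than falling back to cleartext or to an unauthenticated peer. The sketch below is an added example, not code from this thread, from the draft, or from any MTA; the policy states are my summary of RFC 7672 (the published form of draft-ietf-dane-smtp-with-dane), the chain handling for DANE-TA is simplified (no path validation), and the certificate and SPKI bytes are constructed stand-ins, not real DER.

```python
"""Sending-side DANE policy for SMTP, sketched from RFC 7672 (added example).

Assumptions: a validating resolver reports the TLSA lookup as 'secure',
'insecure' or 'bogus'; the peer's chain is supplied as (cert_der, spki_der)
pairs, end-entity first. Names and sample bytes are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    DANE = "dane"        # usable TLSA: STARTTLS + TLSA-authenticated peer, else defer
    ENCRYPT = "encrypt"  # secure TLSA present but none usable: TLS required, no auth
    MAY = "may"          # no secure TLSA: opportunistic TLS, cleartext fallback allowed
    DEFER = "defer"      # DNSSEC validation failure: do not deliver now


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (usages 0 and 1 are unusable for SMTP)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def is_usable(rr: TLSA) -> bool:
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def choose_policy(dnssec_status: str, records: list) -> Policy:
    """Map the TLSA lookup outcome to a transport policy."""
    if dnssec_status == "bogus":
        return Policy.DEFER          # treat as lookup failure, never as "no TLSA"
    if dnssec_status != "secure" or not records:
        return Policy.MAY            # insecure TLSA is ignored as if absent
    if any(is_usable(r) for r in records):
        return Policy.DANE
    return Policy.ENCRYPT            # TLSA published, so TLS is expected anyway


def _assoc(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the association data this record would carry for one certificate."""
    subject = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return subject
    digest = hashlib.sha256 if rr.mtype == 1 else hashlib.sha512
    return digest(subject).digest()


def tlsa_matches(rr: TLSA, chain: list) -> bool:
    """DANE-EE is matched against the leaf only; DANE-TA against any issuer
    in the presented chain (simplified: no path validation here)."""
    candidates = chain[:1] if rr.usage == 3 else chain[1:]
    return any(hmac.compare_digest(_assoc(rr, c, s), rr.data) for c, s in candidates)


def decide(policy: Policy, starttls_offered: bool, records: list, chain: list):
    """Return (action, reason); action is 'deliver' or 'defer' (retry later)."""
    if policy is Policy.DEFER:
        return ("defer", "TLSA lookup failed DNSSEC validation")
    if policy is Policy.MAY:
        return ("deliver", "tls" if starttls_offered else "cleartext")
    if not starttls_offered:
        # The server published TLSA records, so a missing STARTTLS offer is
        # treated as a failure (possible downgrade), not as permission to go plain.
        return ("defer", "TLSA published but STARTTLS not offered")
    if policy is Policy.ENCRYPT:
        return ("deliver", "unauthenticated tls")
    if any(tlsa_matches(r, chain) for r in records if is_usable(r)):
        return ("deliver", "dane-authenticated tls")
    return ("defer", "no usable TLSA record matches the peer certificate chain")


# Constructed sample data (not real DER, not a real zone).
LEAF_CERT, LEAF_SPKI = b"constructed-leaf-cert", b"constructed-leaf-spki"
ISSUER_CERT, ISSUER_SPKI = b"constructed-issuer-cert", b"constructed-issuer-spki"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (ISSUER_CERT, ISSUER_SPKI)]
EE_RR = TLSA(3, 1, 1, hashlib.sha256(LEAF_SPKI).digest())      # "3 1 1 <sha256>"
TA_RR = TLSA(2, 0, 2, hashlib.sha512(ISSUER_CERT).digest())    # "2 0 2 <sha512>"


def demo():
    """Three deliveries to the same server: honest, STARTTLS stripped, wrong cert."""
    policy = choose_policy("secure", [EE_RR])
    stranger = [(b"other-leaf-cert", b"other-leaf-spki"), (ISSUER_CERT, ISSUER_SPKI)]
    return (decide(policy, True, [EE_RR], CHAIN),
            decide(policy, False, [EE_RR], CHAIN),
            decide(policy, True, [EE_RR], stranger))


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point the thread argues about shows up in the second and third outcomes of `demo()`: once secure, usable TLSA records exist, neither a stripped STARTTLS offer nor a non-matching certificate results in delivery; the mail is deferred and retried, which is the sense in which DANE stops a downgrade from succeeding without any user being involved.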