Re: [perpass] Fwd: New Version Notification for draft-fenton-smtp-require-tls-01.txt

Yakov Shafranovich <yakov@shaftek.biz> Wed, 17 February 2016 22:14 UTC

Return-Path: <yakov@impossibledreams.net>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C49661B3024 for <perpass@ietfa.amsl.com>; Wed, 17 Feb 2016 14:14:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Jg6TZPVhT3c for <perpass@ietfa.amsl.com>; Wed, 17 Feb 2016 14:14:20 -0800 (PST)
Received: from mail-ob0-x232.google.com (mail-ob0-x232.google.com [IPv6:2607:f8b0:4003:c01::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C3B91B3023 for <perpass@ietf.org>; Wed, 17 Feb 2016 14:14:20 -0800 (PST)
Received: by mail-ob0-x232.google.com with SMTP id xk3so37563498obc.2 for <perpass@ietf.org>; Wed, 17 Feb 2016 14:14:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shaftek-biz.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=LCp6+ko9c5NQjswKWRnSgn0tKMj3FdbCr8cek/tJoI4=; b=BU8om4nN3NPEeRbnywsV3kbpnvf71J0RgfVzBx3ihLN7eAx5r+oYXWJuu6Jtu0uHgN xcxDV9x0bFXcuouQ9Zlcry670h+C/NDANwqZwt5mHldxJm/rbV4gFCVtam8EA8AoW+Nu p0Ny6IwlRhLhN/Tyv+8ClYQPsLhujD/5Rx7ZMOEhMrlImMJ8BV/6LA9eqJvTYY69SHBU akF4JL1N9NpkhQOf8QCrjNAKu7a2CyXN/B5UXgg7sWbbmHbC6Xhy7v0unIPkPjWole8R BAzZbzzUFRSO5C1gtoKsVOgLByyA+PQsKJfBK8KqbDmkfdIraZBixDJ/frlDu7clT0HZ AHwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=LCp6+ko9c5NQjswKWRnSgn0tKMj3FdbCr8cek/tJoI4=; b=GtJI9+a5LsxnGw+lN/JximvEI1MRkEQ4o8yo0m6ZH+03hCVYN1OUzprmKVOtfTuLYZ 580JPkGgSTTFHNoPCgylY0MS8yrMs28+J9QybYcwzcIpZxMvQLLcj9ngx4p5JhhzDRmu ViFEWVCN7khvxRBJYev1nvz9BY3/hpwK/9hSHRG5iaVz5s0vfJ+z07dVDbMja4rv0JCX tUMGxufEBtDzzB5jqJ5L4DmseRK8Co41pQrOpgOxzvQKVcWIeAoZ1kzyxXPnAdbRinj4 aBCAusq1LevMht4pqFHB0N/MzVkS5jXQKCtZuv2bguXjYmmlIYHnH3IJ77+VITD451E7 G1OQ==
X-Gm-Message-State: AG10YOQpWI9OIwL6pW8qV9iVoMlKy5AQcQwE3f/5eSEbMkflmKHBVk8O83dJdXUyJT/QU+FLryJydZoHNOAm7zS3
X-Received: by 10.202.178.135 with SMTP id b129mr3107391oif.139.1455747259546; Wed, 17 Feb 2016 14:14:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.202.187.69 with HTTP; Wed, 17 Feb 2016 14:13:40 -0800 (PST)
In-Reply-To: <56C0DBC0.2070506@bluepopcorn.net>
References: <20160213233657.2473.73478.idtracker@ietfa.amsl.com> <56C0DBC0.2070506@bluepopcorn.net>
From: Yakov Shafranovich <yakov@shaftek.biz>
Date: Wed, 17 Feb 2016 17:13:40 -0500
Message-ID: <CAF5Urx-SUviahM5v0mZ7Z4dD1hWrSjGpfS9A4L=2KeoEa2TGCw@mail.gmail.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/perpass/PKBO3jpdRVGI3WamV9XD030cGwM>
Cc: perpass list <perpass@ietf.org>
Subject: Re: [perpass] Fwd: New Version Notification for draft-fenton-smtp-require-tls-01.txt
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2016 22:15:50 -0000

Some minor comments:

Section 1:
"It also requires that the SMTP server advertise
   that it also supports REQUIRETLS, in effect promising that it will
   honor the requirement to require STARTTLS and REQUIRETLS for all
   onward transmissions of messages specifying that requirement."

The part about "promising" does not seem to go together with the
optional parameter in section 2 about onward transmission.

Section 3.1 - tagging:
I am wondering if an email header should be defined to carry this
data, which would also allow for auditing by the receiver. Sort of
similar to the SPF/DKIM headers used today.

Section 3.4 - delivery:
It is unclear what "delivery" means here, especially considering that
SMTP may relay messages to another server, perhaps reference RFC 5598?
Also, the parts in section 1 and the optional parameter in section 2
should play together with this, perhaps by requiring TLS in IMAP, etc.
or not. Either way, this may need clarification.

Section 5:
What are the actual added codes? I believe 5.7.10 already exists.

Section 6:
Maybe reference RFC 4949 for terminology?

One other comment - perhaps some sort of limited digital signature over
headers only, like DKIM, could be employed by the receiving MTA to
certify that the receipt and transmission were effective? I am thinking
along the lines of Received headers or DKIM headers, which would allow
traceability.

Yakov
On Sun, Feb 14, 2016 at 2:55 PM, Jim Fenton <fenton@bluepopcorn.net> wrote:
> Hi,
>
> I thought I would point out this draft on the perpass list, because its
> primary purpose is to give email senders some degree of control over whether
> their messages are sent between MTAs using TLS -- and therefore how
> susceptible messages are to pervasive passive surveillance.
>
> Discussion of this draft has thus far been on the ietf-smtp list.
>
> -Jim
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for draft-fenton-smtp-require-tls-01.txt
> Date: Sat, 13 Feb 2016 15:36:57 -0800
> From: internet-drafts@ietf.org
> To: Jim Fenton <fenton@bluepopcorn.net>
>
>
> A new version of I-D, draft-fenton-smtp-require-tls-01.txt
> has been successfully submitted by Jim Fenton and posted to the
> IETF repository.
>
> Name:		draft-fenton-smtp-require-tls
> Revision:	01
> Title:		SMTP Require TLS Option
> Document date:	2016-02-13
> Group:		Individual Submission
> Pages:		10
> URL:
> https://www.ietf.org/internet-drafts/draft-fenton-smtp-require-tls-01.txt
> Status:
> https://datatracker.ietf.org/doc/draft-fenton-smtp-require-tls/
> Htmlized:       https://tools.ietf.org/html/draft-fenton-smtp-require-tls-01
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-fenton-smtp-require-tls-01
>
> Abstract:
>    The SMTP STARTTLS option, used in negotiating transport-level
>    encryption of SMTP connections, is not as useful from a security
>    standpoint as it might be because of its opportunistic nature;
>    message delivery is prioritized over security.  This document
>    describes a complementary SMTP service extension, REQUIRETLS.  If the
>    REQUIRETLS option is used when sending a message, it causes message
>    delivery to fail if a TLS connection with the required security
>    characteristics cannot be completed with the next hop MTA or if that
>    MTA does not also advertise that it supports REQUIRETLS.  Message
>    originators may therefore expect transport security to be used for
>    messages sent with this option.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass
>
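The abstract quoted in the forwarded notification states the sending-side rule in one sentence: with REQUIRETLS set, delivery must fail when TLS with the required characteristics cannot be completed with the next hop, or when that hop does not also advertise REQUIRETLS, instead of falling back to cleartext the way opportunistic STARTTLS does. The following is an added example, not code from the draft, from the thread participants, or from any MTA. It models that decision beside the opportunistic one over constructed EHLO responses and constructed TLS outcomes; the hostnames, the `NextHop`/`Outcome` types and the single-EHLO simplification noted in the comments are all assumptions of the example.

```python
# Added example (not code from the draft, the thread, or any MTA): a toy model
# of the sending-MTA decision that the REQUIRETLS abstract describes, beside
# the opportunistic STARTTLS behaviour it is meant to complement.  All EHLO
# responses and TLS outcomes below are constructed; nothing touches a network.
from dataclasses import dataclass


def parse_ehlo(response: str) -> frozenset:
    """Return the set of EHLO keywords in a multi-line 250 response.

    The first line is the server greeting and carries no keyword; every later
    line is '250-KEYWORD [params]' or, for the last one, '250 KEYWORD [params]'.
    """
    keywords = set()
    for line in response.splitlines()[1:]:
        if not line.startswith("250"):
            continue                      # ignore anything that is not part of the 250 reply
        body = line[4:].strip()           # drop the '250-' / '250 ' prefix
        if body:
            keywords.add(body.split()[0].upper())
    return frozenset(keywords)


@dataclass(frozen=True)
class NextHop:
    """Constructed view of what the sender learns about the next-hop MTA."""
    name: str
    ehlo: str          # EHLO response as captured text (constructed)
    tls_ok: bool       # would a TLS session with the required characteristics complete?


@dataclass(frozen=True)
class Outcome:
    delivered: bool
    encrypted: bool
    reason: str


def opportunistic_send(hop: NextHop) -> Outcome:
    """Classic STARTTLS: use TLS when it is offered and works, otherwise fall back to cleartext."""
    if "STARTTLS" in parse_ehlo(hop.ehlo) and hop.tls_ok:
        return Outcome(True, True, "delivered over TLS")
    return Outcome(True, False, "delivered in cleartext (fell back)")


def requiretls_send(hop: NextHop) -> Outcome:
    """REQUIRETLS as the abstract states it: delivery fails unless TLS with the
    required characteristics completes and the next hop also advertises REQUIRETLS.

    Simplification (assumption of this example): the keywords are read from one
    EHLO response; a real client re-issues EHLO after STARTTLS and would read
    REQUIRETLS from that second reply.
    """
    keywords = parse_ehlo(hop.ehlo)
    if "STARTTLS" not in keywords:
        return Outcome(False, False, "next hop does not offer STARTTLS")
    if not hop.tls_ok:
        return Outcome(False, False, "TLS with the required characteristics could not be completed")
    if "REQUIRETLS" not in keywords:
        return Outcome(False, False, "next hop does not advertise REQUIRETLS")
    return Outcome(True, True, "delivered over TLS to a REQUIRETLS-capable hop")


# Constructed next hops, one per branch of the decision (hostnames are made up).
HOPS = [
    NextHop("legacy", "250-mx.legacy.example\r\n250-SIZE 10240000\r\n250 8BITMIME", tls_ok=False),
    NextHop("tls-only", "250-mx.tlsonly.example\r\n250-STARTTLS\r\n250 8BITMIME", tls_ok=True),
    NextHop("bad-cert", "250-mx.badcert.example\r\n250-STARTTLS\r\n250 REQUIRETLS", tls_ok=False),
    NextHop("compliant", "250-mx.good.example\r\n250-STARTTLS\r\n250 REQUIRETLS", tls_ok=True),
]


def compare(hops=HOPS) -> dict:
    """Map each hop name to its (opportunistic, requiretls) outcomes."""
    return {h.name: (opportunistic_send(h), requiretls_send(h)) for h in hops}


if __name__ == "__main__":
    for name, (opp, req) in compare().items():
        print(f"{name:10} opportunistic: {opp.reason:34} | REQUIRETLS: {req.reason}")
```

The two columns make the trade-off in the abstract concrete: the opportunistic path delivers all four messages but two of them go in cleartext, while the REQUIRETLS path delivers only to the compliant hop and turns every other case into a delivery failure the sender can see. The "bad-cert" row is the one worth watching when deploying anything like this: a hop that advertises both keywords but cannot complete TLS with the required characteristics is still a failure, not a fallback.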