Re: [saag] IETF 93 Agenda Request - Key Discovery
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 July 2015 15:05 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197B61A02BE for <saag@ietfa.amsl.com>; Thu, 23 Jul 2015 08:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jz8EylpZ0y9v for <saag@ietfa.amsl.com>; Thu, 23 Jul 2015 08:05:03 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 812E31A0178 for <saag@ietf.org>; Thu, 23 Jul 2015 08:04:54 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E1D3E284B53; Thu, 23 Jul 2015 15:04:46 +0000 (UTC)
Date: Thu, 23 Jul 2015 15:04:46 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150723150446.GT4347@mournblade.imrryr.org>
References: <20150721222308.GU28047@mournblade.imrryr.org> <20150721231021.59110.qmail@ary.lan> <CAL02cgQ3aTwpt43YYWSL-pEGcA5v1a10BskuA7-U1YN1Jk+G2w@mail.gmail.com> <20150723130501.GO4347@mournblade.imrryr.org> <CAL02cgQVtTw5xHXM+XaY==FsPO4aMuwDxg-YyXGUp83HQaq8kg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL02cgQVtTw5xHXM+XaY==FsPO4aMuwDxg-YyXGUp83HQaq8kg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/chPEUaPZoskTxfM69eZ8x9tiy_w>
Subject: Re: [saag] IETF 93 Agenda Request - Key Discovery
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saag@ietf.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 15:05:05 -0000
On Thu, Jul 23, 2015 at 04:38:14PM +0200, Richard Barnes wrote: > I don't know why you think MXs or MTAs have any role in this at all. > The major point of this stuff is to look up keys for e2e, so it's most > likely to be implemented in MUAs, most of which either already have an > HTTP stack (to support HTML email), or are web pages themselves. If > you want to add this to a web mail client, here's your implementation: Because, MTAs implement all the optional case-folding, address extensions, address canonicalization, ... logic that makes an email address ultimately reach some user's mailbox. They also provide front-line abuse defense. > function getKey(uri) { > var xhr = new XMLHttpRequest(); > xhr.open("GET", makeWebfingerURL(uri), false); > xhr.send(); > var jrd = JSON.parse(xhr.responseText); > return jrd.properties.keys; > } Of course, the request should be via HTTPS, and to really scale to cover more domains, should support DANE auth, but all the client API convenience in the world won't help if the request reaches a server that can't provide the right answer, because the knowledge of which email addresses are valid, what their canonical forms are, etc., is in the MTA. Also in the MTA are any keys for gateway-layer decryption of initial contact email. Many (corporate) gateways will choose to not expose per-user keys to the outside, and will publish only the MTA's keys to the outside world (regulatory compliance and corporate security requirements). > > WebFinger requires email server operators to also deploy HTTP > > WebFinger servers, or email servers to support an additional request > > protocol. Neither seems necessary. > > That is only necessary if you want to make keys discoverable for your > users. And it's probably easier than upgrading your MTA to support > some new thing. Deploying a later release of the MTA software is not notably onerous. New data sources don't magically implement themselves without software changes on the server side, even when new requests are carried over an existing general-purpose protocol. Even WebFinger servers would need new server-side software to respond to to the newly proposed request messages. The domain owner would typically implement the address to keys mapping as part of provisioning email addresses at the MTA, just another lookup table that leverages existing logic to normalize/canonicalize email addresses at which poitn the relevant keys can be located. -- Viktor.
- [saag] IETF 93 Agenda Request - Key Discovery ⌘ Matt Miller
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Phillip Hallam-Baker
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery John Levine
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery John Levine
- Re: [saag] IETF 93 Agenda Request - Key Discovery ⌘ Matt Miller
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery Russ Housley
- Re: [saag] IETF 93 Agenda Request - Key Discovery 🔓Dan Wing
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Phil Hunt
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery ⌘ Matt Miller
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] SASL for mail, was IETF 93 Agenda Requ… John Levine
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery John R Levine
- Re: [saag] IETF 93 Agenda Request - Key Discovery Benjamin Kaduk
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Chris Newman