IETF Logo Mail Archive

Re: [saag] IETF 93 Agenda Request - Key Discovery

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 July 2015 15:05 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197B61A02BE for <saag@ietfa.amsl.com>; Thu, 23 Jul 2015 08:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jz8EylpZ0y9v for <saag@ietfa.amsl.com>; Thu, 23 Jul 2015 08:05:03 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 812E31A0178 for <saag@ietf.org>; Thu, 23 Jul 2015 08:04:54 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E1D3E284B53; Thu, 23 Jul 2015 15:04:46 +0000 (UTC)
Date: Thu, 23 Jul 2015 15:04:46 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150723150446.GT4347@mournblade.imrryr.org>
References: <20150721222308.GU28047@mournblade.imrryr.org> <20150721231021.59110.qmail@ary.lan> <CAL02cgQ3aTwpt43YYWSL-pEGcA5v1a10BskuA7-U1YN1Jk+G2w@mail.gmail.com> <20150723130501.GO4347@mournblade.imrryr.org> <CAL02cgQVtTw5xHXM+XaY==FsPO4aMuwDxg-YyXGUp83HQaq8kg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL02cgQVtTw5xHXM+XaY==FsPO4aMuwDxg-YyXGUp83HQaq8kg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/chPEUaPZoskTxfM69eZ8x9tiy_w>
Subject: Re: [saag] IETF 93 Agenda Request - Key Discovery
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saag@ietf.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 15:05:05 -0000

On Thu, Jul 23, 2015 at 04:38:14PM +0200, Richard Barnes wrote:

> I don't know why you think MXs or MTAs have any role in this at all.
> The major point of this stuff is to look up keys for e2e, so it's most
> likely to be implemented in MUAs, most of which either already have an
> HTTP stack (to support HTML email), or are web pages themselves.  If
> you want to add this to a web mail client, here's your implementation:

Because, MTAs implement all the optional case-folding, address
extensions, address canonicalization, ... logic that makes an email
address ultimately reach some user's mailbox.  They also provide
front-line abuse defense.

> function getKey(uri) {
>   var xhr = new XMLHttpRequest();
>   xhr.open("GET", makeWebfingerURL(uri), false);
>   xhr.send();
>   var jrd = JSON.parse(xhr.responseText);
>   return jrd.properties.keys;
> }

Of course, the request should be via HTTPS, and to really scale to
cover more domains, should support DANE auth, but all the client
API convenience in the world won't help if the request reaches a
server that can't provide the right answer, because the knowledge
of which email addresses are valid, what their canonical forms are,
etc., is in the MTA.

Also in the MTA are any keys for gateway-layer decryption of initial
contact email.  Many (corporate) gateways will choose to not expose
per-user keys to the outside, and will publish only the MTA's keys
to the outside world (regulatory compliance and corporate security
requirements).

> > WebFinger requires email server operators to also deploy HTTP
> > WebFinger servers, or email servers to support an additional request
> > protocol.  Neither seems necessary.
> 
> That is only necessary if you want to make keys discoverable for your
> users.  And it's probably easier than upgrading your MTA to support
> some new thing.

Deploying a later release of the MTA software is not notably onerous.

New data sources don't magically implement themselves without
software changes on the server side, even when new requests are
carried over an existing general-purpose protocol.  Even WebFinger
servers would need new server-side software to respond to to the
newly proposed request messages.

The domain owner would typically implement the address to keys
mapping as part of provisioning email addresses at the MTA, just
another lookup table that leverages existing logic to
normalize/canonicalize email addresses at which poitn the relevant
keys can be located.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email