Re: [saag] IETF 93 Agenda Request - Key Discovery
Phil Hunt <phil.hunt@oracle.com> Thu, 23 July 2015 13:16 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE8291A1A67 for <saag@ietfa.amsl.com>; Thu, 23 Jul 2015 06:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxD2hWcDWmc9 for <saag@ietfa.amsl.com>; Thu, 23 Jul 2015 06:16:00 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C97301A0273 for <saag@ietf.org>; Thu, 23 Jul 2015 06:15:56 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t6NDFuXE013449 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <saag@ietf.org>; Thu, 23 Jul 2015 13:15:56 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id t6NDFt4c003049 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <saag@ietf.org>; Thu, 23 Jul 2015 13:15:55 GMT
Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id t6NDFstT029741 for <saag@ietf.org>; Thu, 23 Jul 2015 13:15:55 GMT
Received: from [31.133.139.248] (/31.133.139.248) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 23 Jul 2015 06:15:54 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Message-Id: <D14EE2BF-6AAE-456C-A4C0-9AA96E80937B@oracle.com>
Date: Thu, 23 Jul 2015 15:15:49 +0200
References: <20150721222308.GU28047@mournblade.imrryr.org> <20150721231021.59110.qmail@ary.lan> <CAL02cgQ3aTwpt43YYWSL-pEGcA5v1a10BskuA7-U1YN1Jk+G2w@mail.gmail.com> <20150723130501.GO4347@mournblade.imrryr.org>
In-Reply-To: <20150723130501.GO4347@mournblade.imrryr.org>
To: "saag@ietf.org" <saag@ietf.org>
X-Mailer: iPhone Mail (12F70)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/iYw88h-N1HvwHDxoDqs6FUD7F2I>
Subject: Re: [saag] IETF 93 Agenda Request - Key Discovery
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 13:16:02 -0000
Phil > On Jul 23, 2015, at 15:05, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > On Thu, Jul 23, 2015 at 02:30:34PM +0200, Richard Barnes wrote: > >>> Agreed. It distributes mail information through mail servers, rather >>> than hoping one can keep mail servers and web servers synchronized. >>> >>> It's not perfect but the problems are fixable. >> >> I'm kind of astonished that people still think that extending email >> protocols is a good idea for things like this. For example: >> >> "BASE64 is used to avoid the need for the server to produce JSON text >> which conforms to SMTP line-length restrictions." > > SMTP line length restrictions are primarily a constraint on the > command side of the protocol. The new command could be defined to > return lines of arbitrary length, but in practice it is much simpler > to in fact base64 encode the output. > >> Why, in 2015, would we continue to choose modalities that come with >> these arcane restrictions? > > Because email servers understand the email address namespace and > canonicalization rules. Because email clients, already talk to > MSAs, which are well positioned to find the remote MX hosts. The > MSA might even cache the responses for sufficiently "popular" email > addresses. > > MX hosts already have code for connection and request rate limits, > which can be extended to apply to these new queries. > > Also for first-contact keys, the MX host would typically return > the mail server's public key, not the recipient's so it can continue > to offer spam and malware protection to the target user. Real > end-to-end keys would often only be returned by the user in a reply. > > Returning the MTA's key allows the MTA to return a public key > regardless of whether email address requested exists or not, just > return the same key for all inputs (there should also be one or > more per-user signature key digests along with that key, to verify > any end-to-end keys later sent by the user, which can be random > for non-existent users). > >> Let's use modern technology for this. What's needed here is >> request/response protocol that can carry JSON, not a store-and-forward >> protocol that carries an oddly constrained text format. WebFinger >> seems fine. > > The "store-and-forward" bit is irrelevant here, requests are not > for multiple recipients, nor are there keys for mailing lists. > Therefore, the envelope never splits, and there's no need to > commit data to a queue to ensure reliable delivery to multiple > destinations. > > WebFinger requires email server operators to also deploy HTTP > WebFinger servers, or email servers to support an additional request > protocol. Neither seems necessary. I wonder of this is true (not wanting http) for those supporting the oauth sasl extension. > > -- > Viktor. > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- [saag] IETF 93 Agenda Request - Key Discovery ⌘ Matt Miller
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Phillip Hallam-Baker
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery John Levine
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery John Levine
- Re: [saag] IETF 93 Agenda Request - Key Discovery ⌘ Matt Miller
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery Russ Housley
- Re: [saag] IETF 93 Agenda Request - Key Discovery 🔓Dan Wing
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Phil Hunt
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery ⌘ Matt Miller
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] SASL for mail, was IETF 93 Agenda Requ… John Levine
- Re: [saag] IETF 93 Agenda Request - Key Discovery Richard Barnes
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery John R Levine
- Re: [saag] IETF 93 Agenda Request - Key Discovery Benjamin Kaduk
- Re: [saag] IETF 93 Agenda Request - Key Discovery Viktor Dukhovni
- Re: [saag] IETF 93 Agenda Request - Key Discovery Chris Newman