Re: [saag] IETF 93 Agenda Request - Key Discovery

"John R Levine" <johnl@taugh.com> Thu, 23 July 2015 16:41 UTC

Date: Thu, 23 Jul 2015 12:40:56 -0400
Message-ID: <alpine.OSX.2.11.1507231202590.61857@ary.lan>
From: John R Levine <johnl@taugh.com>
To: Richard Barnes <rlb@ipv.sx>
In-Reply-To: <CAL02cgR2oTx0xypXAZKBONyxSDgGb_jNJZWGeqbF-7NVpdxxSg@mail.gmail.com>
References: <20150723150446.GT4347@mournblade.imrryr.org> <20150723153131.67097.qmail@ary.lan> <CAL02cgR2oTx0xypXAZKBONyxSDgGb_jNJZWGeqbF-7NVpdxxSg@mail.gmail.com>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/zTjyyBFxRRvXiTO2Gft_CY3tmdY>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] IETF 93 Agenda Request - Key Discovery
List-Id: Security Area Advisory Group <saag.ietf.org>

> needs to be the REMOTE MTA.  If it reaches that remote MTA through its
> local MTA, that's a problem, since now either (1) the MUA has to trust
> the local MTA for all of its keys or (2) the remote MTA needs to sign
> its address/key bindings.  Both of which are gross.

Yes, but webfinger is just as bad.

One of my clients is an ad agency in Montreal.  I host their mail at
Tucows, their web site is at some hosting provider in Toronto with whom I
have had no contact beyond what's needed to point A records at them.  It
is not unusual for a domain's mail and web to be handled separately.

If it were easy to use encrypted e-mail, I expect they would, e.g., mail 
to a client about a campaign for an unannounced product.

So where do you do your webfingering for, say, marie@flacks.biz?  It's not
going to be https://flacks.biz; they don't know anything about the mail.
So you need some way to publish the location of the server, presumably a 
SRV record.  Even if you assume that an MUA behind a corporate firewall 
won't filter out SRV record requests, unless you believe in DNSSEC 
everywhere, you can't trust the SRV more than anything else, so the 
responses from webfinger need to be signed just like the ones from the MTA 
do.

I presume JOSE is the way to do that, but you'd know better than I would.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
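The point above, that a webfinger answer reached via an untrusted SRV record is only as good as the signature on it, worked as an added example that is not code from this thread. It wraps a constructed WebFinger JRD for acct:marie@flacks.biz in a JWS compact serialization and has the MUA verify the binding against a key it already trusts rather than trusting the DNS path; HS256 with a shared secret stands in for the asymmetric signature a real deployment would use, and the rel and key URLs are made up.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the key the MUA already trusts for flacks.biz mail
# (a shared HMAC secret here; a real deployment would use a public key).
SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def enc_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_jrd(jrd: dict, key: bytes) -> str:
    """Wrap a WebFinger JRD in a JWS compact serialization (header.payload.sig)."""
    header, payload = enc_json({"alg": "HS256"}), enc_json(jrd)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jrd(token: str, key: bytes, subject: str):
    """Return the JRD only if validly signed and bound to the queried address; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # the sender does not get to pick the algorithm (e.g. "none")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # altered in transit, or signed by a key we do not trust
    jrd = json.loads(b64url_decode(payload_b64))
    return jrd if jrd.get("subject") == subject else None

# Constructed address/key binding as the mail side would publish it.
JRD = {"subject": "acct:marie@flacks.biz",
       "links": [{"rel": "http://example.com/rel/pgp-key",   # constructed rel
                  "href": "https://mail.example.net/keys/marie.asc"}]}

def demo():
    token = sign_jrd(JRD, SECRET)
    good = verify_jrd(token, SECRET, "acct:marie@flacks.biz")
    # Same token with the key location swapped, as a server reached via an unsigned SRV answer could return it.
    h, _, s = token.split(".")
    swapped = enc_json({**JRD, "links": [{"rel": "http://example.com/rel/pgp-key",
                                          "href": "https://unknown.example/x.asc"}]})
    bad = verify_jrd(f"{h}.{swapped}.{s}", SECRET, "acct:marie@flacks.biz")
    return good == JRD, bad is None
```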