Re: [secdir] SECDIR review of draft-melnikov-smtp-priority-09
Dave Crocker <dcrocker@bbiw.net> Mon, 12 March 2012 16:45 UTC
Return-Path: <dcrocker@bbiw.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8721C21F87C3; Mon, 12 Mar 2012 09:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.499
X-Spam-Level:
X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppTTP4y0+jS1; Mon, 12 Mar 2012 09:45:22 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [72.52.113.17]) by ietfa.amsl.com (Postfix) with ESMTP id C442921F87BF; Mon, 12 Mar 2012 09:45:22 -0700 (PDT)
Received: from [192.168.1.11] (adsl-67-127-58-62.dsl.pltn13.pacbell.net [67.127.58.62]) (authenticated bits=0) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id q2CGjEcW021774 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 12 Mar 2012 09:45:20 -0700
Message-ID: <4F5E2806.7070808@bbiw.net>
Date: Mon, 12 Mar 2012 09:44:54 -0700
From: Dave Crocker <dcrocker@bbiw.net>
Organization: Brandenburg InternetWorking
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Chris Lonvick <clonvick@cisco.com>
References: <Pine.GSO.4.63.1203111234320.12024@sjc-cde-021.cisco.com>
In-Reply-To: <Pine.GSO.4.63.1203111234320.12024@sjc-cde-021.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.17]); Mon, 12 Mar 2012 09:45:20 -0700 (PDT)
Cc: draft-melnikov-smtp-priority.all@tools.ietf.org, Murray Kucherawy <msk@cloudmark.com>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] SECDIR review of draft-melnikov-smtp-priority-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2012 16:45:23 -0000
(copying Murray, in case he has further thoughts...) On 3/11/2012 6:05 PM, Chris Lonvick wrote: > I am concerned that this feature can disrupt the DKIM protection as noted in > section 11.1. I see the problem here and I can't offer any suggestions to fix > that. I think that the authors have done well to document this. Predictably, the DKIM reference caught my attention. I think the existing draft text in 11.1 is good. I think it entirely reasonable to leave it alone. That said, since the concern about broken DKIM signatures is raised it's worth at least considering adding more text. However I think there's a challenge in what that 'more' should be. In general, the world is moving in a direction that is likely to impose penalties when an origination DKIM signature is broken. (I'm not happy about that; I think it represents some problematic thinking about DKIM, but it is nonetheless the direction things are going.) The draft might suggest /not/ covering the MT-Priority: field with a signature. There is a common view that DKIM "protects" and or "validates" the fields it covers. Although DKIM obviously provides data integrity between the time of signing and validating, DKIM semantics do not offer anything like authentication of validation of the data that are signed. It only validates the authorization of the associated identifier (sdid, d=), with the message it is attached to. As such, having MT-Priority: be outside a signature probably isn't that onerous, unless there is a serious threat of in-transit header field modification attacks. Arguably, it's better to have the agent assigning priority be the one to sign. In the case of revising the priority, that's not the originator. This is only problematic for cases that demand origination signatures (usually translating into requiring the DKIM sdid (d=) value be the same as, for example, the rfc5322.From domain. There is private pursuit of a specification that allows intermediaries that break DKIM signatures to report that they were valid before being broken. For this mechanism to be useful, there needs to be transitive trust between the intermediary and the validating receiver. But, as I say, that's work in progress. Although it sounds appealing, I've no idea how useful it will actually prove to be. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- [secdir] SECDIR review of draft-melnikov-smtp-pri… Chris Lonvick
- Re: [secdir] SECDIR review of draft-melnikov-smtp… Dave Crocker
- Re: [secdir] SECDIR review of draft-melnikov-smtp… Murray S. Kucherawy