Re: [secdir] [Uta] Secdir last call review of draft-ietf-uta-smtp-require-tls-07

Viktor Dukhovni <> Fri, 22 February 2019 22:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7442E130E85; Fri, 22 Feb 2019 14:32:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e5ECjGxREnjr; Fri, 22 Feb 2019 14:32:02 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3540C130E83; Fri, 22 Feb 2019 14:31:59 -0800 (PST)
Received: by (Postfix, from userid 1001) id 0A2D32BA447; Fri, 22 Feb 2019 17:31:58 -0500 (EST)
Date: Fri, 22 Feb 2019 17:31:57 -0500
From: Viktor Dukhovni <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <>
Subject: Re: [secdir] [Uta] Secdir last call review of draft-ietf-uta-smtp-require-tls-07
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Feb 2019 22:32:05 -0000

On Fri, Feb 22, 2019 at 10:43:34AM -0800, Yaron Sheffer wrote:

> I would have expected a parameter to be associated with REQUIRETLS to indicate
> whether DANE is required throughout the forwarding path, or MTA-STS, or either
> one will do.

Leaving the security mechanism unspecified was a deliberate choice
discussed in the WG.  The "REQUIRETLS = yes" case is fragile enough
as is, without the user imposing fine-grained constraints on the
security mechanisms available on all the MTAs along the delivery path.

> Although RFC 8461 takes care to not use the "opportunistic" word,
> it is in fact opportunistic to some degree (because an attacker can block the
> initial policy lookup with DNS) and so has different security properties than

Yes, and by theh way "opportunistic security" (RFC7435) does not
mean "weak" or "unauthenticated", it just means not required a-priori
at the origin, and so applied on a case by case basis based on
discovered peer capabilities.  In the case of DANE the policy
discovery mechanism is resistant to downgrades at first contact,
and in the case of MTA-STS it is not.  And yet, despite my obvious
enthusiasm for DANE, I don't think it is (at least in the near-term)
realistic for users to require DANE along the entire path beyond
what might happen naturally because some of the receiving systems
publish TLSA records and the sending system supports DANE.

> I am sure you've already beaten this horse to death, but if you have not,
> I think this is a real issue.

Yes, this was discussed.

> The thing is, if ever we have widespread deployment of DANE (which I do NOT expect),

It is not about to happen for HTTPS any time soon, but much progress
has happened in that direction on the SMTP front.  Out of over 9.3
million DNSSEC domains surveyed (out of an estimated ~10 million
world-wide total), there are 1.07 million DANE-enabled domains.
Momentum is building in Northern Europe, but the U.S. has the
second highest number of DANE MX hosts by GeoIP after Germany.

Also mx[1-4] are DNSSEC signed, and could easily have
TLSA records which makes DANE possible for over 500k DNSSEC-signed
domains MX-hosted by Google, if they update their MX RRset to point
to these hostnames (signed aliases for the usual Google MX hosts).
I would not surprised to see Google actually publish the TLSA records
some time in the next 12 months.

> this mechanism will not be as secure as it could have been.  

It won't be secure at all, if it never gets used, and making
it overly specific reduces the already marginal usability.

* Sec. 2 security requirements: the session must
> employ TLS: does this include pre-negotiation of TLS before starting SMTP, or
> only session upgrade with STARTTLS?  This is common in Submission, I'm not sure
> about MTA-to-MTA use.

(MTA-to-MTA) SMTP *only* uses STARTTLS.  "Implicit TLS" is only for

> * RequireTLS header field: I believe that the REQUIRETLS
> parameter MUST NOT be used when the header field is there, why not mention it?

This is certainly a reasonably observation.

> * If we define a case where MTA-STS policy is to be ignored (when using
> RequireTLS: No), shouldn't this document be marked as Updates RFC 8461?

IMHO that's just local policy.