Re: [secdir] [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17

Tim Hollebeek <tim.hollebeek@digicert.com> Sun, 18 March 2018 14:57 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Phillip Hallam-Baker <hallam@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "uta@ietf.org" <uta@ietf.org>, "draft-ietf-uta-smtp-tlsrpt.all@ietf.org" <draft-ietf-uta-smtp-tlsrpt.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Date: Sun, 18 Mar 2018 14:57:13 +0000
Message-ID: <MWHPR14MB13760F56E019CC950C815F4E83D50@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
In-Reply-To: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jO4Y4pVVPRH8JqWAJAgSnwYwwOI>
Subject: Re: [secdir] [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17

So, the CABF discussion was similar, but different (I am a master of the
obvious).  I'll summarize a bit for those who weren't there, since that's
most of the people reading this.

This proposal is about Alice providing more information to Bob about problems
she is experiencing sending secure messages to Bob.

The CABF discussion was about how Phillip retrieves information from and
provides feedback to Charlie, where Charlie is a trust provider for Alice and
Bob, and Phillip is some random guy on the internet, whose name has been
chosen at random.  This may or may not be related to actual errors
encountered; it was more of a problem reporting address discovery mechanism
(at least, that's what motivated the discussion, and it diverged from there).

It probably is worth thinking about these problems more in general and trying
to group them into use cases.  CAA iodef is another example, and closer to
the CABF case, since Alice/Bob (whoever is the server, or both for mutual
auth) is indicating she/he wants information about failures from Charlie.

But yeah, the bigger discussion should not block attempts to solve specific
instances of the problem.  There are lots of them.  There are probably other
similar issues in other protocols that I'm less familiar with.

-Tim

> -----Original Message-----
> From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker
> Sent: Thursday, March 8, 2018 7:39 PM
> To: secdir@ietf.org
> Cc: uta@ietf.org; draft-ietf-uta-smtp-tlsrpt.all@ietf.org; ietf@ietf.org
> Subject: [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
> 
> Reviewer: Phillip Hallam-Baker
> Review result: Has Issues
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> General comments:
> 
> Five minutes after I received the review request, a very similar proposal was
> made in CABForum for reporting PKIX cert issues.
> 
> The Security Considerations section proposes use of DNSSEC; what happens if
> that is misconfigured? Well, it should be reported.
> 
> The logic of this proposal is that something like it become a standard
> deliverable for a certain class of service specification. I don't think we
> should delay this and meta-think it. But we should anticipate it being joined
> by others like it sharing syntax, DDoS mitigation, etc.
> 
> Specific issues
> 
> The DNS prefix _smtp-tlsrpt is defined. This is not mentioned in the IANA
> considerations. It is a code point being defined in a protocol that is
> outside the scope of UTA and therefore MUST have an IANA assignment and is a
> DNS code point which is shared space and therefore MUST have an assignment.
> 
> If no IANA registry exists, one should be created.
> 
> In general, the approach should be consistent with the following:
> 
> [RFC6763] S. Cheshire and M. Krochmal, "DNS-Based Service Discovery", RFC
> 6763, DOI 10.17487/RFC6763, February 2013.
> 
> It might well be appropriate to create a separate IANA prefix registry
> 'report'. That is probably easier since this prefix does not fit well with
> the existing ones.
> 
> _smtp-tlsrpt._report
> 
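The thread compares two DNS-published "where do I report failures" records: the TLSRPT policy record (Bob, the receiving domain, tells Alice, the sending MTA, where to send TLS failure reports) and the CAA iodef property (the certificate subject domain tells Charlie, the CA, where to report issuance problems). The following parser, added here as an example and not taken from the thread, the draft or any project's code, validates both record types and labels each with the publisher/reporter roles Tim's grouping suggests. Assumptions: the TLSRPT owner-name prefix is the `_smtp._tls` form of the published RFC 8460 (the review above refers to the draft's `_smtp-tlsrpt` prefix), the sample records are constructed, and the `ReportingPolicy`, `parse_tlsrpt_txt`, `parse_caa_rdata` and `policies_from_records` names are the example's own. Retrieval from DNS, and in particular DNSSEC validation of the answer (the review's misconfiguration point), is outside the example; a consumer should only act on a record that was retrieved and validated.

```python
"""Added example (not from the thread or the draft): parse the two
DNS-published reporting-address records the discussion compares, a TLSRPT
policy TXT record and a CAA iodef property, and label each with who
publishes it and who is expected to send the report."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

TLSRPT_VERSION = "TLSRPTv1"
# Owner-name prefix as published in RFC 8460; the review quotes the draft's
# earlier "_smtp-tlsrpt" prefix. Assumption: we look up the RFC 8460 name.
TLSRPT_PREFIX = "_smtp._tls"
ALLOWED_SCHEMES = {"mailto", "https"}  # destinations both record types accept


@dataclass(frozen=True)
class ReportingPolicy:
    kind: str                  # "tlsrpt" or "caa-iodef"
    publisher: str             # party that publishes the record in DNS
    reporter: str              # party expected to send the failure report
    destinations: Tuple[str, ...]


def _check_uri(uri: str) -> None:
    """Reject report destinations that are not usable mailto: or https: URIs."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported report URI scheme in {uri!r}")
    if parts.scheme == "mailto" and "@" not in parts.path:
        raise ValueError(f"mailto: URI without a mailbox: {uri!r}")
    if parts.scheme == "https" and not parts.netloc:
        raise ValueError(f"https: URI without a host: {uri!r}")


def parse_tlsrpt_txt(txt: str) -> ReportingPolicy:
    """Parse TLSRPT TXT RDATA such as 'v=TLSRPTv1; rua=mailto:a@x,https://y/'.

    RFC 8460 requires v= to be the first tag and at least one rua= URI;
    unknown tags are ignored. Raises ValueError so callers fail closed.
    """
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or not key:
            raise ValueError(f"malformed tag {part!r}")
        if key in fields:
            raise ValueError(f"duplicate tag {key!r}")
        fields[key] = value.strip()
    if not fields or next(iter(fields)) != "v" or fields["v"] != TLSRPT_VERSION:
        raise ValueError("v=TLSRPTv1 must be the first tag")
    rua = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not rua:
        raise ValueError("rua= must list at least one report URI")
    for uri in rua:
        _check_uri(uri)
    return ReportingPolicy("tlsrpt", "receiving mail domain (Bob)",
                           "sending MTA (Alice)", tuple(rua))


def parse_caa_rdata(rdata: str) -> Optional[ReportingPolicy]:
    """Parse CAA presentation RDATA such as '0 iodef "mailto:sec@x"' (RFC 6844).

    Returns None for non-iodef properties (issue, issuewild), which carry
    issuance policy rather than a reporting address.
    """
    parts = rdata.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"CAA RDATA needs flags, tag and value: {rdata!r}")
    flags_text, tag, value = parts
    if not flags_text.isdigit() or not 0 <= int(flags_text) <= 255:
        raise ValueError(f"CAA flags must be 0..255: {flags_text!r}")
    if tag.lower() != "iodef":
        return None
    value = value.strip().strip('"')
    _check_uri(value)
    return ReportingPolicy("caa-iodef", "certificate subject domain (Alice/Bob)",
                           "certification authority (Charlie)", (value,))


def policies_from_records(records: List[Tuple[str, str, str]]) -> List[ReportingPolicy]:
    """Walk (owner, rrtype, rdata) triples and collect every reporting policy."""
    found: List[ReportingPolicy] = []
    for owner, rrtype, rdata in records:
        if rrtype == "TXT" and owner.lower().startswith(TLSRPT_PREFIX + "."):
            found.append(parse_tlsrpt_txt(rdata))
        elif rrtype == "CAA":
            policy = parse_caa_rdata(rdata)
            if policy is not None:
                found.append(policy)
    return found


# Constructed sample records; nothing here is looked up from live DNS.
SAMPLE_RECORDS = [
    ("_smtp._tls.example.com", "TXT",
     "v=TLSRPTv1; rua=mailto:tls-reports@example.com,https://reports.example.com/tlsrpt"),
    ("example.com", "CAA", '0 issue "ca.example.net"'),
    ("example.com", "CAA", '0 iodef "mailto:security@example.com"'),
]

if __name__ == "__main__":
    for policy in policies_from_records(SAMPLE_RECORDS):
        print(f"{policy.kind}: {policy.publisher} asks {policy.reporter} "
              f"to report to {', '.join(policy.destinations)}")
```

Both parsers raise on anything malformed (a missing or misplaced `v=` tag, a non-mailto/https destination, bad CAA flags) rather than returning a partial policy, so a sending MTA or CA that consumes them never reports to an address it did not fully validate.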