Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS Draft)

Aaron Zauner <azet@azet.org> Thu, 05 May 2016 16:18 UTC

From: Aaron Zauner <azet@azet.org>
In-Reply-To: <alpine.OSX.2.11.1605051057310.39064@ary.lan>
Date: Thu, 05 May 2016 23:17:29 +0700
Message-Id: <5CAA2C26-D339-4BFE-8328-0B33E3652025@azet.org>
References: <20160505141746.27164.qmail@ary.lan> <BF2136BB-6406-4796-8575-6C42043F37FD@azet.org> <alpine.OSX.2.11.1605051057310.39064@ary.lan>
To: John R Levine <johnl@taugh.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/-23hDJoGYaEgnQOXSgg80KQq0XI>
Cc: uta@ietf.org
Subject: Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS Draft)

> On 05 May 2016, at 22:04, John R Levine <johnl@taugh.com> wrote:
> 
>>> People have been mailing around vast numbers of DMARC reports, most
>>> of which have an application/gzip body.  If there have been attacks
>>> using DEFLATE bugs, nobody's gotten around to reporting them.
>> 
>> I'm not much worried about attacks on DEFLATE and SMTP traffic. But as I understand from the draft, there's also an option to report back via HTTPS. Here DEFLATE may become a security issue.
> 
> I don't see why.  HTTP has had gzip encoding since http/1.0 twenty years ago, but I only defined application/gzip for mail in 2012.  Your browser probably decodes deflated pages dozens of times a day.

Exactly. And this is an open security issue today. It's the reason why people needed to come up with 'first party cookies'.

https://github.com/dionyziz/rupture

> Also, remember the DMARC experience, that in practice nobody is interested in http reports if they can send mail.  You might ask around and see if you can find anyone who would send http reports if they had the option to do so. I implemented the http option from the DMARC draft (sort of, given that the draft language was a mess) and the number of attempts I saw was zero.

I think STS is quite different from DMARC in many respects, but I'm interested in the authors' opinions on that - would they prefer mail delivery or HTTPS? Does it depend on the deployment/hosting environment, etc.?

Aaron
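The concern raised above (compression of an HTTPS report body whose content an outside party can partly influence, the setting the linked Rupture/BREACH work exploits) can be checked on a report format with a few lines of Python. The following is an added example, not code from the thread, the draft, or the Rupture project; the report layout, the token and the guess strings are constructed for illustration, and the "separate deflate streams" mitigation is one illustrative way to keep untrusted text from sharing a compression context with the secret (leaving the secret uncompressed works the same way). TLS hides content but not length, which is why the size difference matters.

```python
import zlib

# Constructed sample values (not from the thread): a report body that carries
# a secret token next to a field an outside party can influence, e.g. a
# hostname echoed back into the report.
SECRET = "csrf=4b2d9e71a3c8f605"
CORRECT_GUESS = "csrf=4b2d9e71a3c8f605"   # untrusted text that repeats the secret exactly
WRONG_GUESS = "csrf=0f1e2d3c4b5a6978"     # same length, shares no 3+ char substring with it


def mixed_body(untrusted: str) -> bytes:
    """Vulnerable layout: secret and untrusted field share one deflate stream,
    so a repeat of the secret in the untrusted field shrinks the output."""
    return zlib.compress(f"report: {untrusted}; {SECRET}".encode(), 9)


def separated_body(untrusted: str) -> bytes:
    """Hardened layout (illustrative): the untrusted field and the secret are
    compressed in independent streams, so LZ77 can never match one against
    the other and the size no longer depends on what the untrusted text says."""
    return (zlib.compress(f"report: {untrusted}; ".encode(), 9)
            + zlib.compress(SECRET.encode(), 9))


def size_depends_on_guess(layout, correct: str, wrong: str) -> bool:
    """True if the encoded size lets an observer on the wire tell apart
    untrusted text that repeats the secret from text that does not."""
    return len(layout(correct)) != len(layout(wrong))


if __name__ == "__main__":
    print("single stream, size reveals secret repeat:",
          size_depends_on_guess(mixed_body, CORRECT_GUESS, WRONG_GUESS))
    print("separate streams, size reveals secret repeat:",
          size_depends_on_guess(separated_body, CORRECT_GUESS, WRONG_GUESS))
```

Running it shows the single-stream layout producing a noticeably shorter body when the untrusted field repeats the token, while the separated layout yields identical sizes for both inputs. For a reporting format the practical takeaway is the same as for web pages: either keep attacker-influenced data and secrets out of the same compressed body, or do not compress that body at all over HTTPS.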