Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
"Chris Newman" <chris.newman@oracle.com> Fri, 27 October 2017 18:03 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C85A13F088; Fri, 27 Oct 2017 11:03:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ysdBkXl-s5eu; Fri, 27 Oct 2017 11:03:33 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52940138BE7; Fri, 27 Oct 2017 11:03:33 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v9RI3UWF013894 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 27 Oct 2017 18:03:30 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v9RI3S6l017950 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 27 Oct 2017 18:03:28 GMT
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v9RI3RpZ005276; Fri, 27 Oct 2017 18:03:27 GMT
Received: from [10.145.239.223] (/10.145.239.223) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 27 Oct 2017 11:03:27 -0700
From: Chris Newman <chris.newman@oracle.com>
To: Keith Moore <moore@network-heretics.com>
Cc: Eric Rescorla <ekr@rtfm.com>, The IESG <iesg@ietf.org>, draft-ietf-uta-email-deep@ietf.org, uta-chairs@ietf.org, leifj@sunet.se, uta@ietf.org
Date: Fri, 27 Oct 2017 11:03:24 -0700
Message-ID: <D5ED7737-D201-41A2-B24D-661D10D19EE0@oracle.com>
In-Reply-To: <a67ef1d0-1637-fe48-9fb1-664ad8b3172d@network-heretics.com>
References: <150852235551.15416.1247335476327491501.idtracker@ietfa.amsl.com> <98fddd93-a0a8-efa3-ce2e-530449ae536c@network-heretics.com> <8B20BC5A-A60A-4A31-9345-E970B31BC2C3@oracle.com> <a67ef1d0-1637-fe48-9fb1-664ad8b3172d@network-heretics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.7r5425)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/2YHcnyBJ5bI2DMx_3U2xBmTsgSA>
Subject: Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Oct 2017 18:03:34 -0000
On 26 Oct 2017, at 19:56, Keith Moore wrote: > On 10/26/2017 07:18 PM, Chris Newman wrote: > >>>> Line 304 >>>> preference to services supporting STARTTLS (if >>>> offered). (See >>>> also Section 4.5.) >>>> I note that 6186 is kind of unclear on what should go in SNI. It >>>> obviously >>>> needs to be what you are checking against (which 6186 gets right) >>>> but maybe >>>> it's worth clarifying in this document somewhere. >>> Hmm. I might need to come back to that one. Lots of layers >>> to sift through. Feel free to suggest text. >> >> I believe RFC 7817 handles this issue sufficiently. > > Not sure whether EKR was referring specifically to the use of SNI with > SRV records or not, but that's what I had assumed he meant. So far I > haven't found any specific advice for (a) what name the MUA should > specify in SNI, or (b) what names the server should recognize and have > certificates for. It's pretty clear that the server needs to have > a certificate for the name on the right hand side of the SRV record, > but should it also have a certificate for the name on the left hand > side? (e.g. _pop3s._tcp.example.com?) That would potentially make > SRV discovery more secure. > > But I think that's well beyond what the WG (and IESG) approved. So > I guess I'm inclined to leave the -10 text as it is now without > specifically addressing this issue. I just re-read the related text a bit more carefully. Although RFC 7817 adequately covers what subjectAltName identities mail servers need to support in certificates, it doesn't cover what goes in SNI (although it mentions SNI). Ditto for RFC 6186. This is annoying; the issue really should have been addressed in 7817 or 6125 :-( I suspect in practice that most MUAs use the post-SRV-lookup hostname in TLS SNI. And server support for that name form in SNI will be necessary to interoperate with MUAs that don't support RFC 6186 (or use an alternative autodiscovery mechanism in preference to RFC 6186). So the remaining question is would it be useful/helpful for a server to also support an SNI based on the SRV record or SRV-ID name? I don't think the answer to that question is important enough to justify a normative change to this document. To address this, I suggest we add a sentence to the end of section 4.4 (just before the sentence referencing 7817): -- Mail servers supporting SNI need to support the post-SRV hostname to interoperate with MUAs that have not implemented RFC 6186. -- I view that as a statement of fact rather than a normative change so I think it's kosher. Saying more on the topic would probably cross the normative change line so I'd prefer not to go there. - Chris
- [Uta] Eric Rescorla's Yes on draft-ietf-uta-email… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Alexey Melnikov
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Chris Newman
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Chris Newman
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Chris Newman
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Chris Newman
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Alexey Melnikov