Re: [Uta] Review of draft-ietf-uta-mta-sts-04
Daniel Margolis <dmargolis@google.com> Sun, 23 April 2017 11:58 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04AC7129438 for <uta@ietfa.amsl.com>; Sun, 23 Apr 2017 04:58:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ope7u25Z0FiY for <uta@ietfa.amsl.com>; Sun, 23 Apr 2017 04:58:29 -0700 (PDT)
Received: from mail-io0-x22a.google.com (mail-io0-x22a.google.com [IPv6:2607:f8b0:4001:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9353A1292F5 for <uta@ietf.org>; Sun, 23 Apr 2017 04:58:29 -0700 (PDT)
Received: by mail-io0-x22a.google.com with SMTP id k87so158060172ioi.0 for <uta@ietf.org>; Sun, 23 Apr 2017 04:58:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Sk5h7ORfwJNyTnKh7fFs5pbv67x797K70auZXH45Nhw=; b=mVZul7/84JCiOIPNzX6zGUjMHPpo6bDkjCqJC8D7kB8ejS/4oBumhDlXe8rGdebQsi /ZLcqjT2F7YZDyfYXfmRpjP5N5uvG8RF94TD3TS4fb1duGrqZXDpCanZ7jfdoUfJtT2y LuLEcUq4bsn5Z26f3hJJ/hFMAE7pP18tr4AYziTRveqQKH95C0jvLpdfdHqCckqOD3WF KUHiFADVrxYkTYlAd1jFLdKpdURjwgz/KfneFMT4I0d4PjDAD/rWzzbMXKGClydbOFT4 3hMv6zxrzopZNpV6LFaXWA2IiIUkNmRDoR0Pl2+WA5OvePVUg6Hv9hXKaEwICINOF0Q3 kj3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Sk5h7ORfwJNyTnKh7fFs5pbv67x797K70auZXH45Nhw=; b=Q93E/h1+rLTjdZq+gcv4HK3t9yUMDJUXglwTxmtGHK8QsKbQk0zA7/mBiYjrdVj8Dr MnfbZZZLKVX/WeHzayBoGj3OJhDXukrkWBtlb9ZKUFg41eKn0kRs2d+gKro3yONDiXDO 7umTZGDFfcBEawmlRhwBGaVn5nzU1oi8wceHDPMdK4HW9HOjt1fIv7PvIl/I7d4Nrq78 okCGAAigC1xAtQ+OZ4E1NvcO7YZ4RGfpIktp5Ew1yvY+IAbUSLRX8BkDOh7QsZQguZOH qENtgo3k6RUYAlBlDhQmOWFDe37OV+gan6x/0HjLMuI6P+JWKEk+3Od5cYCrGtuVC7Nl /zQw==
X-Gm-Message-State: AN3rC/7Ay8k90i5Wuj97rYa+5TFjuKSq7uXxBetCcCP+hD2YD28+FxhT HxtpGcKFj+/x0ig/JX8GHUTtCFJuDWe6xjk=
X-Received: by 10.107.142.198 with SMTP id q189mr1619048iod.49.1492948708485; Sun, 23 Apr 2017 04:58:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.111.11 with HTTP; Sun, 23 Apr 2017 04:58:27 -0700 (PDT)
In-Reply-To: <ba6b46ba-ad6b-2270-0113-3e8006ef5a8b@isode.com>
References: <ba6b46ba-ad6b-2270-0113-3e8006ef5a8b@isode.com>
From: Daniel Margolis <dmargolis@google.com>
Date: Sun, 23 Apr 2017 13:58:27 +0200
Message-ID: <CANtKdUdS3jv2jWKVprcSy=ZwrJtBBqz4MXL7_He75PNyv_c2-w@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "uta@ietf.org" <uta@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="94eb2c05a35079bcdd054dd43597"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/2msAapqiS0pHODkdhyjbi7FCo08>
Subject: Re: [Uta] Review of draft-ietf-uta-mta-sts-04
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Apr 2017 11:58:32 -0000
Thanks. Comments inline, mostly ticking off changes. :) I have pushed all my changes in response to this to the git repo and they should appear in our next draft. On Wed, Apr 19, 2017 at 1:05 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote: > Hi, > Below is my early "AD review" of the document. I think it is in pretty > good shape and is ready for WG Last Call (I am Ok with the question of JSON > versa something else be settled during or after WGLC.) > > 1) In 1.1: > > o Policy Domain: The domain for which an MTA-STS Policy is defined. > This is the next-hop domain; when sending mail to > "alice@example.com" this would ordinarly be "example.com", but > this may be overriden by explicit routing rules (as described in > "Policy Selection for Smart Hosts"). > > Nit: This needs an internal section reference. > I think there was another place in the document when an internal section > number is not mentioned. > Done. Thanks. > > 2) In 3.1: > > sts-version = "v" *WSP "=" *WSP %x53 %x54 ; "STSv1" > %x53 %x76 %x31 > > Do you intend for this to be matched case-sensitively? > What you wrote above is that "v" is case-insensitive, but "STSv1" is. > Good point. I actually would have intended the field names to also be case-sensitive. (At any rate, the code I have is case sensitive.) I see no reason to tolerate mixed case here given we're requiring specific strings anyway. > > 3) Section 3.2 says that unrecognized fields are to be ignored, so you > need to update ABNF in 3.1 to make it clear. > > Current ABNF: > > sts-text-record = sts-version *WSP %x3B *WSP sts-id [%x3B] > > sts-version = "v" *WSP "=" *WSP %x53 %x54 ; "STSv1" > %x53 %x76 %x31 > > sts-id = "id" *WSP "=" *WSP 1*32(ALPHA / DIGIT) > > I suggest something like the following (this implies that position of the > first 2 fields is fixed, extensions at the end. If you prefer that any > fields are in any order (other than the version), I can update the ABNF): > Good point. Looking at SPF, DMARC, and DKIM, all three require the v= to be first in the record (which makes some sense, I suppose, to allow future versions to have different parsing syntaxes), so I suppose we can just keep it as you have it here. Thanks for that! > > sts-text-record = sts-version *WSP field-delim *WSP sts-id > [field-delim [sts-extensions]] > > field-delim = %x3B > > sts-version = "v" *WSP "=" *WSP %x53 %x54 ; "STSv1" > %x53 %x76 %x31 > > sts-id = "id" *WSP "=" *WSP 1*32(ALPHA / DIGIT) > > sts-extensions = sts-extension *(field-delim sts-extension) > [field-delim] > ; Extension fields at the end in any order > > sts-extension = sts-ext-name *WSP "=" *WSP sts-ext-value > > sts-ext-name = (ALPHA / DIGIT) *31(ALPHA / DIGIT / "_" / "-" / > ".") > > sts-ext-value = 1*(%x21-3A / %x3C / %x3E-7E) > ; like esmtp-value from RFC 5321, but doesn't > allow ";". > ; So basically any CHAR excluding "=", ";", SP, > and control > ; characters. > > 4) In 3.2: Should "SHOULD ignore unrecognized fields" be a MUST? I.e., why > would it not be Ok to ignore unrecognized fields? > It's a bug. Thanks. :) > > 5) In 3.3: RFC 6125 use needs more details, because you need to specify > answers to every question in section 3 of RFC 6125. > In particular you should say that when checking certificates, you only use > DNS-ID and CN-ID (SRV-ID and URI-ID are not used) and that you allow > wildcards in them. > Thanks, I've clarified this. > 6) Last para on page 7: this is also true in RFC 6125. > Correct. 7) In 5.1, last para: I think you mean that if there are too many failures > to deliver when using MTA-STS, regular SMTP rules for generating a bounce > apply? I think this needs rewording to say that. > Fixed, and included a reference to rfc5321's relevant section, to hopefully make clear we expect existing rules to apply. > > 8) If you want to allow for extensibility, you probably need an IANA > registry of fields allowed, so that developers can find them easily. I can > help with some text. > I'd appreciate any suggestions. Is there a need for that now, though? I would not want to overengineer this, either. :) > > 9) On page 13: I think pseudocode should make it clear that you retrieve > DNS-ID SAN. > Thanks, done. > > Best Regards, > Alexey > > P.S. I might have a couple of extra items, but I need to double check a > few things first. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] Review of draft-ietf-uta-mta-sts-04 Alexey Melnikov
- Re: [Uta] Review of draft-ietf-uta-mta-sts-04 Daniel Margolis
- Re: [Uta] Review of draft-ietf-uta-mta-sts-04 Janet Jones
- Re: [Uta] Review of draft-ietf-uta-mta-sts-04 Alexey Melnikov