IETF Logo Mail Archive

Re: [Uta] MTA-STS-03 review

Daniel Margolis <dmargolis@google.com> Mon, 27 March 2017 20:55 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 431C9124234 for <uta@ietfa.amsl.com>; Mon, 27 Mar 2017 13:55:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KEgr35RW5zVH for <uta@ietfa.amsl.com>; Mon, 27 Mar 2017 13:55:10 -0700 (PDT)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 460C4129636 for <uta@ietf.org>; Mon, 27 Mar 2017 13:55:09 -0700 (PDT)
Received: by mail-it0-x22e.google.com with SMTP id e75so34707226itd.1 for <uta@ietf.org>; Mon, 27 Mar 2017 13:55:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=Dw/NP9yRmwp6xcmigQ+1uUgOsccaTU8boP/A7FrR5W4=; b=qnN4e139kuUAoChYl0244zWvMTbukLSJGDS8YqqooBsyusU2ympBljGW9xES+78S05 s57ijjJz6TewmYqV7qZTybBIlU689ttM6mqSOLctMckvMJhzWgG1xSyj40j6RnxrIbnq LnL9is3UxZBxlnm+aOpEm1fOadGGm73xw/L9Sl1AYH7JLBvyp4NdQwjiwqcTr1zRlJL0 0RfWoUdDn9KSkcWkzsuWSK35ow5z1LHHeq9h2nvp8wQeA2zCrfq/Yi/78BxOQ98CfmuZ 7nkxDT5wD/LWgXo4s1xU/xeQF/3ojmb+8eXKMqR/u44QMCFmE1wtP+eQtdqIQ+7Ykt0k YRPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=Dw/NP9yRmwp6xcmigQ+1uUgOsccaTU8boP/A7FrR5W4=; b=GyeZ1k0uYC7FZ8+mS3MtYFzhSBZB0cRjgVTSDuYyuJrF4gV4FBxdBZqc8xzsc7gIwl B8DQG6KtxYE613AMapzQrJ1MYkSn9HxihNmRZk3zfw/1NHg2eZS/bfmXfIfPUgovKhL1 ga9kdtSHqlI5IoGUyAhJJZObskKIkZZFNBBT9eT1I1RlneqQ5QqLhIGcauOp9wb+GgxM lc5NMA2dNyrnR16L+hFblL5Ri1UHEuEqACtXMw6u7U0gdtAH0GsOA1okQleY77f4uQEM F2pBWt2cfHrjx77YaXciSYzLzcX2THw339WVFRK4O0W6m1Yys1OB1Co327rlR6QmXgps zSPA==
X-Gm-Message-State: AFeK/H0wTgUaMw5zeYDcRgBIoPWi9sX0zCwXc13vdE0ALTmpo2jfovFp85iH49j/c2bMDLDJhITOIxE36wsF56Jl
X-Received: by 10.36.152.196 with SMTP id n187mr12475272itd.28.1490648107711; Mon, 27 Mar 2017 13:55:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.39.215 with HTTP; Mon, 27 Mar 2017 13:55:06 -0700 (PDT)
In-Reply-To: <92500952-2A50-4508-8686-03CDBF72485D@dukhovni.org>
References: <4C0807DA-4852-4DAC-80ED-8A25371CFFAA@dukhovni.org> <CANtKdUfOZYSr_SuGHdDHHgrF8J5VjEWwVw_7KC2xS5DrCKhu-w@mail.gmail.com> <20170326205218.GN11426@blitiri.com.ar> <92500952-2A50-4508-8686-03CDBF72485D@dukhovni.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Mon, 27 Mar 2017 22:55:06 +0200
Message-ID: <CANtKdUfL+RT05KSqj5i4YeoRa=gHywNosou2VPF6acPDpRhG0g@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="94eb2c05e9a2fcf127054bbc8ecd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/5tDh8jdP4_qfrAZ6HladXY_Zat4>
Subject: Re: [Uta] MTA-STS-03 review
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 20:55:13 -0000

re MXs:

Right, I think a nonstandard MX list is actually worse than the disease it
cures. ;) But you are right to point out that there are multiple approaches
that confer similar security advantages.

To the matching point, I share the concern about people having to write
their own cert matching code, but I think there are a few arguments for it:

1. I believe if we restrict wildcards to the "full" leftmost label (i.e. *.
example.com is valid, but mail*.example.com or mail.*.example.com are not)
and we do the same in the certs (which RFC6125 seems to allow us to
define), wildcard matching is a simple "x ends with y or y ends with x"
comparison, so is in fact trivial to implement.

2. It seems (and I suspect this was part of Viktor's motivation) to match
nicely with https://tools.ietf.org/html/rfc7672#section-3.2.2, which if I
read it correctly leaves the door open to a certificate matching the
nexthop domain rather than the MX hostname; by requiring MX hostname
matches in STS we would break that behavior.

I think #2 is a pretty compelling point.

(FWIW, the more I think of it, Viktor, the less compelling I find the other
point about MX candidate traversal being unchanged, since I'm not sure it's
really a huge difference to say "this host doesn't match the MX pattern;
try the next candidate" as opposed to "this host's certificate doesn't
match the MX pattern..." It seems like both cases are quite similar, though
maybe in some implementations the code structure implies one to be easier
than the other?)

re JSON:

I think when you've reached the point that JSON-vs-key-value-pairs is the
main point of contention it's probably not a *bad* sign. ;)

I had the same feeling as Albert about using something with pre-existing
library support, which was really the main argument for JSON--and I think
since we've already implied a dependency on some HTTPS lib an additional
JSON lib seems not *too* serious. At the same time, it's true that
Postfix's typical deployments may often be likely to be concerned about
each additional library dependency, which is less on my mind here at Google.

This seems mostly like an issue of aesthetics (which is not to say it's
unimportant, but it seems less fundamental than the design questions we've
discussed in the past). If there aren't really strong objections I'd
probably keep JSON since we already have both code and published policies
in that format, but if there are strong objections, I think it's a trivial
matter for the early adopters to change.

On Mon, Mar 27, 2017 at 3:01 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> > On Mar 26, 2017, at 4:52 PM, Alberto Bertogli <albertito@blitiri.com.ar>
> wrote:
> >
> > There are lots of advantages of using JSON for this. It is well defined,
> > standard and there are lots of well tested and widely used
> > implementations.
> >
> > It is used widely, it's familiar to many people, and its shortcomings
> > (which are not few, admittedly) are well understood and documented.
>
> Sure JSON is used widely in all kinds of software, but NOT in MTAs,
> and STS is for MTAs.
>
> > It support rich types (such as lists), and common libraries already
> > handle difficult situations like non-ascii content, long integers,
> > multi-line strings, malformed/malicious input, etc.
>
> Sure in Perl, Python, Go, ... but Sendmail, Qmail, Postfix and Exim
> are in C, and already have code to handle ESMTP attr=value lists, and
> don't currently use JSON.  The extra features of JSON you mention are
> not needed for this specification, and over-engineering to use JSON
> is IMHO not useful.
>
> --
>         Viktor.
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>

v2.23.0 | Report a Bug | By Email